5.3 Verify that containers are running only a single main process

Information

In almost all cases, you should only run a single main process (that main process could
spawn children, which is ok) in a single container. Decoupling applications into multiple
containers makes it much easier to scale horizontally and reuse containers. If that service
depends on another service, make use of container linking.

By design, Docker monitors a single process within the container. Installing and
running multiple applications within a single container therefore breaks the basic design of 'one
container, one process'.
If you need multiple processes, you need to add one at the top level to take care of the
others, typically a process manager such as Monit or Supervisor. In other
words, you're turning a lean and simple container into something much more complicated.
If your application stops (whether it exits cleanly or crashes), instead of getting that
information through Docker, you will have to get it from your process manager.
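Added audit helper for this check, not code from the CIS benchmark or the Nessus plugin: it classifies each running container's process list and flags the two patterns described above, a process manager such as Supervisor or Monit running as PID 1, or more than one top-level process tree. It assumes the `docker` CLI is on PATH and that the image ships a procps-style `ps`; the sample process listings are constructed.

```sh
#!/bin/sh
# Added audit helper, not code from the CIS benchmark or the Nessus plugin. It reads each
# container's process list and flags the two patterns described in the benchmark text: a
# process manager such as Supervisor or Monit running as PID 1, or more than one top-level
# process tree. Assumptions: `docker` is on PATH and the image has a procps-style `ps`.

# Classify one container's `ps -eo pid,ppid,comm` output read from stdin.
# Prints SINGLE:<pid1 cmd>, MANAGER:<pid1 cmd>, MULTI:<trees> or NO-PS; exit 0 only for SINGLE.
classify_ps() {
    awk '
        NR == 1               { next }          # skip the ps header line
        $1 == 1               { init = $3 }     # the command running as PID 1
        $2 == 0 && $3 != "ps" { roots++ }       # top-level trees; the ps we exec (ppid 0 too) is ignored
        END {
            if (NR < 2) { print "NO-PS"; exit 2 }
            if (init ~ /^(supervisord|monit|runsvdir|s6-svscan)$/) { print "MANAGER:" init; exit 1 }
            if (roots > 1) { print "MULTI:" roots; exit 1 }
            print "SINGLE:" init; exit 0
        }'
}

# Walk every running container; overall exit status is 1 if any container is non-compliant.
audit_containers() {
    rc=0
    for id in $(docker ps -q); do
        name=$(docker inspect --format '{{.Name}}' "$id")
        verdict=$(docker exec "$id" ps -eo pid,ppid,comm 2>/dev/null | classify_ps) || rc=1
        echo "$name $verdict"
    done
    return $rc
}

# Constructed sample ps output (not captured from a real host) covering the three cases.
SAMPLE_SINGLE='  PID  PPID COMMAND
    1     0 nginx
   12     1 nginx
   40     0 ps'
SAMPLE_MANAGER='  PID  PPID COMMAND
    1     0 supervisord
    7     1 nginx
    8     1 php-fpm
   41     0 ps'
SAMPLE_MULTI='  PID  PPID COMMAND
    1     0 python3
   23     0 cron
   44     0 ps'

# Run the real audit only when asked, so the file can be sourced for the helpers alone.
if [ "${1:-}" = "--audit" ]; then audit_containers; fi
```

A second top-level tree also appears when someone starts a background process with `docker exec -d`, so the MULTI verdict catches drift after deployment, not only images built with several services.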

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Do not run multiple applications within a single container. Use container linking instead to
run multiple applications in multiple containers in tandem.

Impact: None.

Default Value: By default, only one process per container is allowed.

See Also

https://workbench.cisecurity.org/files/514

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Unix

Control ID: 9991ae76e4c0471b4e4fef0d21e382f06e76a36ad6d60528b6c9d38e0dbe77f6