5.10 Ensure memory usage for container is limited

Information

By default, all containers on a Docker host share the host's resources equally. By using the resource management capabilities of the Docker host, such as memory limits, you can control the amount of memory that a container may consume.
Rationale:
By default, a container can use all of the memory on the host. You can use the memory limit mechanism to prevent a denial of service in which one container consumes all of the host's resources so that other containers on the same host can no longer perform their intended functions. Having no limit on memory means that a single container can easily make the whole system unstable and, as a result, unusable.

Solution

Run the container with only as much memory as required. Always run the container using the --memory argument.
For example, you could run a container as below:
docker run --interactive --tty --memory 256m centos /bin/bash
In the above example, the container is started with a memory limit of 256 MB.
Note: the output of the command below is returned in scientific notation on some Docker versions when a memory limit is in place.
docker inspect --format='{{.HostConfig.Memory}}' 7c5a2d4c7fe0
For example, if the memory limit is set to 256 MB for the above container instance, the output of the above command would be 2.68435456e+08 and NOT 256m. You should convert this value using a scientific calculator or programmatic methods.
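The following audit script is an added example, not part of the CIS benchmark or the Tenable plugin. It normalises the scientific-notation output described above to a byte count, flags every container whose limit is 0 (unlimited), and runs offline against a constructed sample of inspect output; only audit_running_containers assumes a working docker CLI.

```shell
# Added audit helper; not part of the CIS benchmark or Tenable plugin.
# Assumes 'docker' is on PATH only for audit_running_containers.

# Normalise a Memory value from 'docker inspect' to an integer byte count.
# Older Docker releases print it in scientific notation (2.68435456e+08),
# newer ones as a plain integer; awk's %.0f accepts both forms.
to_bytes() {
    awk -v v="$1" 'BEGIN { printf "%.0f\n", v }'
}

# Print a verdict for one "<id> <memory>" record; 0 = compliant, 1 = no limit.
check_record() {
    id=$1; mem=$2
    bytes=$(to_bytes "$mem")
    if [ "$bytes" -gt 0 ]; then
        printf '%s: PASS memory limit %s bytes (%s MB)\n' "$id" "$bytes" "$((bytes / 1048576))"
        return 0
    fi
    printf '%s: FAIL no memory limit set\n' "$id"
    return 1
}

# Audit newline-separated records; exit status is the number of non-compliant containers.
audit_records() {
    failures=0
    while read -r id mem; do
        [ -n "$id" ] || continue
        check_record "$id" "$mem" || failures=$((failures + 1))
    done <<EOF
$1
EOF
    return "$failures"
}

# Live check of every running container (requires docker; not used by the sample run below).
audit_running_containers() {
    ids=$(docker ps --quiet)
    [ -n "$ids" ] || return 0
    audit_records "$(docker inspect --format '{{.Id}} {{.HostConfig.Memory}}' $ids)"
}

# Constructed sample of inspect output: one limited container in scientific
# notation, one with no limit, one limited as a plain integer.
SAMPLE='7c5a2d4c7fe0 2.68435456e+08
a1b2c3d4e5f6 0
deadbeef0001 536870912'

audit_records "$SAMPLE" || echo "non-compliant containers: $?"
```

Run it as-is to see the sample verdicts; call audit_running_containers on a Docker host to audit the real container set.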
Impact:
If the limits you set are not appropriate, the container's processes may be starved of memory.
Default Value:
By default, all containers on a Docker host share the resources equally. No memory limits are enforced.

See Also

https://workbench.cisecurity.org/files/1726

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-6, CSCv6|18

Plugin: Unix

Control ID: b5894477d352a19a1eaaecc45697eb59b47189c1672cfea4853b150d9c3a6872