2.10 Ensure base device size is not changed until needed

Information

In certain circumstances, you might need containers bigger than 10G in size. In these cases, carefully choose the base device size.
Rationale:
The base device size can be increased at daemon restart. Increasing the base device size allows all future images and containers to be of the new base device size. A user can use this option to expand the base device size; however, shrinking is not permitted. This value affects the system-wide base empty filesystem that may already be initialized and inherited by pulled images.
Although an empty file system does not allocate the full increased size, it still uses more space when empty, depending upon the device size. This may cause a denial of service if the file system ends up over-allocated or full.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Do not set --storage-opt dm.basesize until needed.
Impact:
None.
Default Value:
The default base device size is 10G.
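
One way to audit this setting by hand, as an added example that is not part of the benchmark text or of any Nessus check: the Python below looks for dm.basesize in a dockerd command line and in the "storage-opts" array of a daemon.json document. The function names and both sample inputs are constructed for illustration.

```python
import json
import shlex

OPTION = "dm.basesize"

def _basesize_values(storage_opts):
    """Pick the dm.basesize values out of a list of 'key=value' storage options."""
    return [opt.split("=", 1)[1] for opt in storage_opts
            if opt.startswith(OPTION + "=")]

def basesize_from_cmdline(cmdline):
    """Collect --storage-opt values (both 'flag value' and 'flag=value' forms)."""
    args = shlex.split(cmdline)
    opts = []
    for i, arg in enumerate(args):
        if arg == "--storage-opt" and i + 1 < len(args):
            opts.append(args[i + 1])
        elif arg.startswith("--storage-opt="):
            opts.append(arg.split("=", 1)[1])
    return _basesize_values(opts)

def basesize_from_daemon_json(text):
    """Read the "storage-opts" array of a daemon.json document."""
    config = json.loads(text) if text.strip() else {}
    return _basesize_values(config.get("storage-opts", []))

def audit(cmdline, daemon_json_text):
    """Return (source, value) findings; an empty list means the default is in use."""
    findings = [("command line", v) for v in basesize_from_cmdline(cmdline)]
    findings += [("daemon.json", v)
                 for v in basesize_from_daemon_json(daemon_json_text)]
    return findings

# Constructed sample inputs (not taken from a real host).
SAMPLE_CMDLINE = "/usr/bin/dockerd -H fd:// --storage-opt dm.basesize=20G"
SAMPLE_DAEMON_JSON = '{"storage-opts": ["dm.thinpooldev=/dev/mapper/thin-pool"]}'

if __name__ == "__main__":
    results = audit(SAMPLE_CMDLINE, SAMPLE_DAEMON_JSON)
    for source, value in results:
        print(f"FAIL: dm.basesize={value} set via {source}")
    if not results:
        print("PASS: dm.basesize not set; default base device size applies")
```

On a real host, pass in the running daemon's command line and the contents of its daemon.json; any finding should correspond to a documented need for containers larger than the default.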

See Also

https://workbench.cisecurity.org/files/1726