5.11 Ensure that the memory usage for containers is limited

Information

By default, all containers on a Docker host share resources equally. By using the resource management capabilities of the Docker host, you can control the amount of memory that a container is able to use.

Rationale:

By default, a container can use all of the memory on the host. You can use memory limit mechanisms to prevent a denial of service in which one container consumes all of the host's resources and other containers on the same host are therefore unable to function. Having no limit on memory usage means that a single container can easily make the whole system unstable and, as a result, unusable.

Impact:

If correct memory limits are not set on each container, one process can expand its usage and cause other containers to run out of resources.

Solution

You should run the container with only as much memory as it requires by using the --memory argument.
For example, you could run a container using the command below:

docker run -d --memory 256m centos sleep 1000

In the example above, the container is started with a memory limit of 256 MB.
Verify the memory settings by using the command below:

docker inspect --format='{{ .Id }}: Memory={{.HostConfig.Memory}} KernelMemory={{.HostConfig.KernelMemory}} Swap={{.HostConfig.MemorySwap}}' <CONTAINER ID>
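The following is an added example, not part of the benchmark text or the Docker project: a small audit script that runs the inspect command above against every running container and flags any whose HostConfig.Memory is 0 (Docker reports the limit in bytes, and 0 means no limit). The parsing function reads the benchmark's inspect output format from stdin, so it can be exercised offline on the constructed sample lines embedded at the bottom; the audit_running_containers wrapper assumes the docker CLI is on PATH and the caller has access to the Docker socket.

```shell
#!/bin/sh
# Added example (not benchmark or Docker project code): audit containers for a missing memory limit.

# check_memory_limits reads lines of the form
#   <id>: Memory=<bytes> KernelMemory=<bytes> Swap=<bytes>
# (the format produced by the benchmark's docker inspect command) on stdin.
# It prints PASS/FAIL per container and returns 1 if any container has Memory=0 (unlimited).
check_memory_limits() {
    awk '
        /^[0-9a-f]+: Memory=/ {
            id = $1; sub(/:$/, "", id)          # strip the trailing colon from the container ID
            split($2, m, "=")                   # m[2] is the Memory value in bytes
            if (m[2] + 0 == 0) {
                printf "FAIL %s has no memory limit\n", id
                unlimited++
            } else {
                printf "PASS %s memory limit %d bytes\n", id, m[2]
            }
        }
        END { exit (unlimited > 0) ? 1 : 0 }
    '
}

# audit_running_containers runs the benchmark inspect command for each running container
# and feeds the output to the check. Requires the docker CLI and socket access.
audit_running_containers() {
    for id in $(docker ps -q); do
        docker inspect --format='{{ .Id }}: Memory={{.HostConfig.Memory}} KernelMemory={{.HostConfig.KernelMemory}} Swap={{.HostConfig.MemorySwap}}' "$id"
    done | check_memory_limits
}

# Constructed sample output in the inspect format (the IDs are made up, not real containers):
# the first container was started with --memory 256m, the second with no limit.
SAMPLE_INSPECT='0123456789abcdef: Memory=268435456 KernelMemory=0 Swap=536870912
fedcba9876543210: Memory=0 KernelMemory=0 Swap=0'

# Offline usage against the sample; on a real host call audit_running_containers instead.
printf '%s\n' "$SAMPLE_INSPECT" | check_memory_limits
```

The check treats only HostConfig.Memory as the pass/fail criterion, which is what this control asks for; MemorySwap and KernelMemory are printed by the inspect command but are not evaluated here.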

Default Value:

By default, all containers on a Docker host share their resources equally and no memory limits are enforced.

See Also

https://workbench.cisecurity.org/files/4532

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-4, CSCv7|18

Plugin: Unix

Control ID: aac9f230f67fb21a13797b98b79a979b74d2f2b8ad21372aa58554c4769feb99