5.11 Ensure that the memory usage for containers is limited

Information

By default, all containers on a Docker host share resources equally. By using the resource management capabilities of the Docker host, you can control the amount of memory that a container is able to use.

By default a container can use all of the memory on the host. You can use memory limit mechanisms to prevent a denial of service occurring where one container consumes all of the host's resources and other containers on the same host are therefore not able to function. Having no limit on memory usage can lead to issues where one container can easily make the whole system unstable and as a result unusable.

Solution

You should run the container with only as much memory as it requires by using the --memory argument.

For example, you could run a container using the command below:

docker run -d --memory 256m centos sleep 1000

In the example above, the container is started with a memory limit of 256 MB.

Verify the memory settings by using the command below:

docker inspect --format='{{ .Id }}: Memory={{.HostConfig.Memory}} KernelMemory={{.HostConfig.KernelMemory}} Swap={{.HostConfig.MemorySwap}}' <CONTAINER ID>

Impact:

If correct memory limits are not set on each container, one process can expand its usage and cause other containers to run out of resources.

See Also

https://workbench.cisecurity.org/benchmarks/16041

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-4

Plugin: Unix

Control ID: aac9f230f67fb21a13797b98b79a979b74d2f2b8ad21372aa58554c4769feb99