Support for ulimit in new Docker 1.6


Jon Schipp

Apr 20, 2015, 4:30:01 PM
to islet
Hello all, 

Docker 1.6 has a new option ``--ulimit'' for passing ulimit settings to containers. [1]
I just added support for it in ISLET [2]. Settings can be globally applied in security.conf or per image. If you haven't upgraded to 1.6 then the ulimit settings are ignored.

This new option simplifies install too because we no longer have to modify Docker's Upstart script to apply basic security controls.

Let me know if you have any issues.

[1] https://blog.docker.com/2015/04/docker-release-1-6/
[2] https://github.com/jonschipp/ISLET/commit/8793e3e91fee73a56e244f39fff07e20ce49fd22

--

Jon Schipp

Apr 24, 2015, 11:26:52 AM
to islet
Update on the new --ulimit option in Docker.
I noticed that ``--ulimit fsize=$value'' in Docker and thus ULIMIT_FSIZE=$value in ISLET has a bug in the counter.
I reported this to Docker yesterday [1].

Also, unfortunately, ``--ulimit nproc=$value'' in Docker and thus ULIMIT_NPROC=$value in ISLET, do not prevent fork bombs in the way that ISLET is currently used. This wasn't explained in the Docker documentation and there's a ticket for it now requesting further explanation which also identifies why this is the case [2].

[1] https://github.com/docker/docker/issues/12698
[2] https://github.com/docker/docker/issues/12695