
Overriding default 0 pids limit on daemon config level #43056

Open
archfz opened this issue Dec 1, 2021 · 2 comments
Labels
kind/enhancement Enhancements are not bugs or new features but can improve usability or performance.

Comments

archfz commented Dec 1, 2021

Given that docker compose v3 does not support adding a pids limit on containers, it would be convenient to set this limit at the daemon config level. It should work like the default for no-new-privileges.

docker/compose#4792
docker/docker-bench-security#319
#18697

AkihiroSuda added the kind/enhancement label Dec 2, 2021
thaJeztah (Member) commented
Thanks for opening this ticket. I think pids_limit should be supported now in compose files if you're using a current version of compose, which now uses the "compose-spec" specification for compose files: https://github.com/compose-spec/compose-spec/blob/61e518dbeca74ac07a056bcb60a9ac68221aa378/spec.md#pids_limit

So, the longer story:

The compose v3 schema was implemented with a feature-set for Swarm Services (as used by docker stack deploy), which initially did not support this option, but it was added to the v3.9 compose schema in docker/cli#2503. This is where things get a bit hairy for the v3 version, because docker stack supported it, but docker compose did not (yet), as it was still on schema 3.8, so it was not yet added to the documentation.

During that time, the compose-spec was created, which is a superset of the v2 and v3 compose file format (it combines all options of v2 and v3), which is what's now used by Docker Compose, and does include the pids_limit option under services. https://github.com/compose-spec/compose-spec/blob/61e518dbeca74ac07a056bcb60a9ac68221aa378/spec.md#pids_limit

However, looking at the spec, I see it was based on the older v3.8 schema (or a not-yet-released version of the v3.9 schema), and because of that it doesn't include the limits.pids option:

https://github.com/compose-spec/compose-spec/blob/a5414510b05cbaafd80c3c61ba7d4770df0b4c75/schema/compose-spec.json#L515-L523

"resources": {
  "type": "object",
  "properties": {
    "limits": {
      "type": "object",
      "properties": {
        "cpus": {"type": ["number", "string"]},
        "memory": {"type": "string"}
      }
    }
  }
}

So, the TL;DR, if I'm correct:

  • you can use the pids_limit option on a current version of compose
  • you can use the limits.pids option for docker stack deploy (when using the v3.9 compose file version), but not (yet) when using Docker Compose (I'll open a ticket and/or PR in the compose spec to fix this omission)
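
The two spellings of the limit described in the comment above, as an added example that is not a file from the issue or from the compose-spec project. The service name, image and the value 100 are arbitrary choices made for illustration; the only keys that come from the thread are pids_limit and deploy.resources.limits.pids.

```yaml
# Added example, not a file from the issue or from the compose-spec project.
# The service name, image and the value 100 are arbitrary choices.
services:
  web:
    image: nginx:1.21
    # Service-level key in the compose-spec; the form the comment above reports
    # as working with a current Docker Compose. The container's pids cgroup will
    # not admit more than 100 tasks (threads count too), so a fork bomb or a
    # runaway worker inside the container stops at the limit instead of
    # exhausting the host's PID space.
    pids_limit: 100
    # Swarm path from the comment above: with `version: "3.9"` and
    # `docker stack deploy`, the same limit is expressed as
    # deploy.resources.limits.pids (docker/cli#2503). It is left commented out
    # here because the compose-spec schema quoted above has no such key.
    # deploy:
    #   resources:
    #     limits:
    #       pids: 100
```

To confirm the limit actually reached the container after `docker compose up -d`, read it back from the runtime rather than trusting the file: `docker inspect --format '{{.HostConfig.PidsLimit}}' <container>` prints the value applied to the container's cgroup (the same field `docker run --pids-limit 100` sets). A value of 0 there means no limit was applied, which is the default this issue asks to be able to change daemon-wide.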

archfz (Author) commented Dec 20, 2021

Tested pids_limit with latest docker compose and managed to use it. Thank you, this can be closed. Although it would still be nice if it could be controlled globally.
