Limit number of processes started inside docker container

Question

I'm trying to minimize damage made by fork bombs inside of a docker container.

I'm using pam_limits and /etc/security/limits.conf file is

1000:1128 hard nproc 40
1000:1128 soft nproc 40

This means that any user with id in range [1000..1128] can have up to 40 processes. This works fine if I run forkbomb in shell by user with such id.

But when I run fork bomb inside a docker container these limits are not being applied, so when I run command

# docker run -u 1000 ubuntu bash -c ":() { : | : & }; :; while [[ true ]]; do sleep 1; done"

I have as much processes as possible and all these processes belong to user with id=1000.

What's wrong? How can I fix it?

Answer 1

When running a container, there is an option to limit the number of pids:

--pids-limit: Tune container pids limit (set -1 for unlimited)

The command would be:

docker container run --pids-limit 100 your-image

Reference: https://docs.docker.com/engine/reference/commandline/run/#options

Answer 2

Not related with PAM, but you can limit the Docker container with "docker create" command, for example Enduro/X project uses some IPC queue limits, but in the same way you may set some other ulimit settings, as with number of processes it will be "-ulimit nproc=256:512", i.e soft limit and hard limit.

So for example:

$ sudo docker create --name bankapp-inst -it \
  --sysctl fs.mqueue.msg_max=10000 \
  --sysctl fs.mqueue.msgsize_max=1049600 \
  --sysctl fs.mqueue.queues_max=10000 \
  --ulimit msgqueue=-1 \
  --ulimit nproc=256:512 \
  bankapp 

So after nproc setting, no more than 256 processes can be spawned, and if ulimit changed, then upper limit is 512 processes. Hope this helps!