Limiting the Numbers of File Handles and fork Processes in a Container

A fork bomb launched inside a container can exhaust the host's process table or file descriptors and cause a DoS. To prevent attackers from doing this with commands run in a container, set a global default ulimit on dockerd that caps the number of open file descriptors and processes each container may create.

  1. Open the configuration file.
    • For CentOS 7.6, the /usr/lib/systemd/system/docker.service file is used by default.
    • For Ubuntu 22.04, the /lib/systemd/system/docker.service file is used by default.
  2. Modify the configuration file.

    Find the ExecStart line that starts /usr/bin/dockerd and append the --default-ulimit options for nofile (open file descriptors) and nproc (processes) to the end of that line.

    The following is an example of the modified line. Set the values to suit your workloads.

    ...
    # the default is not to use systemd for cgroups because the delegate issues still
    # exists and systemd currently does not support the cgroup feature set required
    # for containers run by docker
    ExecStart=/usr/bin/dockerd --default-ulimit nofile=20480:40960 --default-ulimit nproc=1024:2048
    ...

    In the preceding example, --default-ulimit nproc=1024:2048 sets a soft limit of 1,024 processes and a hard limit of 2,048: a process in the container starts with the soft limit and may raise it, but never above the hard limit. The first (soft) value must be less than or equal to the second (hard) value. The nofile values are interpreted the same way, for open file descriptors.
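    To verify the change after editing the unit file, the following audit script (an added example, not part of the original page or of Docker) parses the ExecStart line of a docker.service file, lists every --default-ulimit it finds and fails if nofile or nproc is missing or a soft limit exceeds its hard limit. The sample unit fragments it writes to a temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added audit helper (not part of the original page): checks a docker.service
# unit for the --default-ulimit nofile/nproc settings and that soft <= hard.

# Print "name soft hard" for each --default-ulimit on the dockerd ExecStart line.
# A value without a colon (e.g. nproc=1024) sets soft and hard to the same number.
default_ulimits() {
    grep '^ExecStart=.*dockerd' "$1" | tr ' ' '\n' | awk '
        prev == "--default-ulimit" {
            split($0, kv, "="); split(kv[2], lim, ":")
            print kv[1], lim[1], (lim[2] == "" ? lim[1] : lim[2])
        }
        { prev = $0 }'
}

# Return 0 when nofile and nproc are both set and every soft limit <= hard limit.
check_default_ulimits() {
    have_nofile=0; have_nproc=0; rc=0
    while read -r name soft hard; do
        [ -z "$name" ] && continue
        case "${soft:-x}${hard:-x}" in
            *[!0-9]*) echo "FAIL: $name has a non-numeric limit ($soft:$hard)"; rc=1; continue ;;
        esac
        if [ "$soft" -gt "$hard" ]; then
            echo "FAIL: $name soft limit $soft exceeds hard limit $hard"; rc=1
        fi
        [ "$name" = nofile ] && have_nofile=1
        [ "$name" = nproc ] && have_nproc=1
    done <<EOF
$(default_ulimits "$1")
EOF
    [ "$have_nofile" -eq 1 ] || { echo "FAIL: no --default-ulimit nofile on ExecStart"; rc=1; }
    [ "$have_nproc" -eq 1 ] || { echo "FAIL: no --default-ulimit nproc on ExecStart"; rc=1; }
    return "$rc"
}

# Constructed sample unit fragments for the demo; they are not copied from a host.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat >"$tmp/hardened.service" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd --default-ulimit nofile=20480:40960 --default-ulimit nproc=1024:2048
EOF
cat >"$tmp/weak.service" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd --default-ulimit nofile=40960:20480
EOF

check_default_ulimits "$tmp/hardened.service" && echo "hardened.service: OK"
check_default_ulimits "$tmp/weak.service" || echo "weak.service: needs fixing"
```

    Run it against the real unit path for your distribution (for example /usr/lib/systemd/system/docker.service on CentOS 7.6) after editing and again after the daemon restarts, so a reverted or mistyped line is caught before containers rely on it.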