Limiting the Numbers of File Handles and fork Processes in a Container
To prevent attackers from using commands to launch fork bombs in a container, which may cause DoS, you are advised to set the global default ulimit to limit the numbers of created file handles and processes.
- Open the configuration file.
- CentOS 7.6 uses the /usr/lib/systemd/system/docker.service file by default.
- Ubuntu 18.04 uses the /lib/systemd/system/docker.service file by default.
- Modify the configuration file.
Find the line containing /usr/bin/dockerd in the configuration file and append the restrictions for the nofile (number of open file handles) and nproc (number of processes) parameters to the end of that line.
The following is a modification example. Set the parameters as required.
    ...
    # the default is not to use systemd for cgroups because the delegate issues still
    # exists and systemd currently does not support the cgroup feature set required
    # for containers run by docker
    /usr/bin/dockerd --default-ulimit nofile=20480:40960 --default-ulimit nproc=1024:2048
    ...
In the preceding example, --default-ulimit nproc=1024:2048 sets the soft limit on the number of processes to 1024. A process may change this value itself, but it cannot raise it above the hard limit of 2048. The first value (soft limit) must be less than or equal to the second value (hard limit). nofile is interpreted in the same way, for file handles instead of processes.
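The procedure above is manual editing of docker.service. The following POSIX shell helpers, added here as an example and not taken from the original page or from Docker's own tooling, do the same edit in a checkable way: validate_ulimit rejects a spec whose soft value exceeds the hard value (the rule stated above), and patch_execstart appends the --default-ulimit flags to the line containing /usr/bin/dockerd, refusing to touch a file that already sets them. The sample unit file and the function names are constructed for this example; show_container_limits assumes a running Docker daemon and the alpine image, and is provided for the check you would run after restarting dockerd.

```shell
#!/bin/sh
# Added example: validate and apply --default-ulimit settings to docker.service.
# Not part of the original page; function names are assumptions for this example.

# validate_ulimit "nproc=1024:2048"
# Returns 0 only for nofile/nproc with numeric soft and hard values and soft <= hard.
# A single value ("nproc=1024") is accepted and treated as soft = hard.
validate_ulimit() {
    spec=$1
    name=${spec%%=*}
    limits=${spec#*=}
    soft=${limits%%:*}
    hard=${limits#*:}
    case "$name" in
        nofile|nproc) ;;
        *) return 1 ;;
    esac
    for v in "$soft" "$hard"; do
        case "$v" in ''|*[!0-9]*) return 1 ;; esac
    done
    # The soft limit must not exceed the hard limit.
    [ "$soft" -le "$hard" ]
}

# patch_execstart FILE SPEC... : print FILE with "--default-ulimit SPEC" appended
# to every line containing /usr/bin/dockerd. Fails if FILE already sets a
# default ulimit, so the flags are never duplicated.
patch_execstart() {
    file=$1
    shift
    if grep -q -- '--default-ulimit' "$file"; then
        echo "$file already sets --default-ulimit; review it by hand" >&2
        return 1
    fi
    extra=""
    for spec in "$@"; do
        validate_ulimit "$spec" || { echo "invalid ulimit spec: $spec" >&2; return 1; }
        extra="$extra --default-ulimit $spec"
    done
    sed "/\/usr\/bin\/dockerd/ s|\$|$extra|" "$file"
}

# After writing the patched file back, run:
#   systemctl daemon-reload && systemctl restart docker
# then confirm what a fresh container inherits (soft and hard nofile/nproc).
# Requires a Docker daemon and the alpine image; not exercised by the test.
show_container_limits() {
    docker run --rm alpine sh -c 'ulimit -Sn; ulimit -Hn; ulimit -Su; ulimit -Hu'
}
```

Write the output of patch_execstart to a temporary file, inspect the diff against the original unit file, then copy it over /usr/lib/systemd/system/docker.service (CentOS) or /lib/systemd/system/docker.service (Ubuntu) and reload systemd. Keeping the soft limit well below the hard limit leaves room for legitimate workloads to raise it while still capping a runaway process tree at the hard value.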