27.1 Security Recommendations

  • Docker containers have no resource constraints by default, so every container can use all of the CPU and memory that the host's kernel provides. Set limits on the resources a container can use so that one running container cannot consume more than its share and starve the other running containers.

    • Apply a hard limit to the memory the container may use with the --memory flag on the docker run command.

    • Limit the CPUs a running container may use with the --cpuset-cpus flag on the docker run command.

  • Set --pids-limit to 300 to restrict the number of processes (kernel threads) that can exist inside the container at any given time. This prevents denial-of-service (DoS) attacks that exhaust process IDs.

  • Set the container restart policy to on-failure with a maximum of 5 retries (--restart on-failure:5) on the docker run command.

  • Use the REST container only after its health status shows Healthy once the container comes up. To check the container's health status, run either of the following commands (docker ps does not accept a container name as a positional argument, so filter by name, or query the health state directly with docker inspect):

    docker ps --filter "name=<container_name>"
    docker inspect --format '{{.State.Health.Status}}' <container_name/ID>

  • The REST container always starts as the non-root user (nds). As an additional security measure, enable user namespace remapping on the daemon to prevent privilege-escalation attacks from within the container. For more information on user namespace remapping, see Isolate containers with a user namespace.
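The following script, added here as an example and not part of the product documentation, assembles a docker run command that applies every constraint in this section and then waits for the container's health check to report healthy before the container is used. The image name, container name, memory size and CPU set are assumptions to be adjusted for your deployment; the DOCKER and SLEEP variables exist only so the functions can be exercised without a live daemon.

```shell
#!/bin/sh
# Assumed values: replace with the image/name and sizing of your REST container.
IMAGE="${IMAGE:-rest-container:latest}"
NAME="${NAME:-rest}"
DOCKER="${DOCKER:-docker}"   # docker CLI; overridable (e.g. a stub in tests)
SLEEP="${SLEEP:-2}"          # seconds between health polls

# Print the hardened docker run command with the constraints from this section.
# Note: user namespace remapping is a daemon setting ("userns-remap" in
# daemon.json), not a docker run flag, so it is not part of this command.
build_run_cmd() {
  cmd="$DOCKER run -d --name $NAME"
  cmd="$cmd --memory 2g"             # hard memory limit (assumed size)
  cmd="$cmd --cpuset-cpus 0-1"       # restrict to CPUs 0 and 1 (assumed set)
  cmd="$cmd --pids-limit 300"        # cap on PIDs inside the container
  cmd="$cmd --restart on-failure:5"  # restart up to 5 times on non-zero exit
  cmd="$cmd $IMAGE"
  printf '%s\n' "$cmd"
}

# Return the health status reported by the container's HEALTHCHECK.
health_status() {
  "$DOCKER" inspect --format '{{.State.Health.Status}}' "$1"
}

# Poll until the container is "healthy"; fail on "unhealthy" or after $2 polls.
wait_healthy() {
  name="$1"; tries="${2:-30}"; i=0
  while [ "$i" -lt "$tries" ]; do
    status="$(health_status "$name")" || status="unknown"
    [ "$status" = "healthy" ] && return 0
    [ "$status" = "unhealthy" ] && return 1
    i=$((i + 1)); sleep "$SLEEP"
  done
  return 1
}

# Start the REST container and only return success once it is healthy.
start_rest() {
  eval "$(build_run_cmd)" && wait_healthy "$NAME"
}
```

Call start_rest from your deployment script; a non-zero exit means the container never became healthy and should not receive traffic.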