[improvement] Please provide option to tune container's pids limit

[nab054371]

Is it possible to please include an option to include --pids-limit option with docker driver? This is to prevent fork bomb inside the docker container. Wuold be good to please include key security options like --cap-drop=ALL and --pids-limit.

[chelseakomlo]

Hi, thanks for the feature request. This seems like a reasonable thing to do with all supported drivers. We will review this internally.

Do you have an example of when this has been an issue? I'm curious about the context that led to this issue being opened.

[nab054371]

So most organizations that are serious about docker security would prescribe the inclusion of these options when running docker containers. I have worked with several clients, where their security team has insisted on using them.

[schmichael]

Crosslinking #738 as its the first mention of caps

[tgross]

Doing some issue cleanup and this currently exists in Nomad as of #11526 which shipped in Nomad 1.2.4. It can be set on both the client and the task. See pids_limit docs.

[github-actions]

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.