Enable PAM configuration (limits.conf) for the starting daemon

I'm currently trying to create a sandbox using Docker. Docker starts the process through a running daemon, and I am having big problems getting the restrictions specified in the limits.conf file to apply to the daemon. In particular, I run a fork bomb, and the daemon is the process that spawns all the new processes. The nproc restriction that I placed on the user making this call does not seem to apply, and I can't figure out for the life of me how to make it work. I'm sure it will be as simple as adding the correct file to /etc/pam.d/, but I'm not sure which.

+3
1 answer

PAM limits apply only to processes that play well with PAM. By default, when you run a shell in a container, it will have nothing to do with PAM, and setting limits through PAM will simply not work.

Here are some other ways to do it!

  • Instead of starting the process immediately, you can run a tiny shell script that will make the appropriate ulimit calls before executing your process.

  • If you want an interactive shell, you can run login -f <username> (for example, login -f root ), which will use the normal login process to log you in to the machine automatically (and this should go through the usual PAM mechanisms).

  • If you want all containers to be subject to these restrictions, you can set limits on your system and then restart Docker with those lower limits; containers are created by Docker, and by default they also inherit these limits.

+2