Overriding default 0 pids limit on daemon config level

[archfz]

Given that docker compose v3 does not support adding pids limit on containers, it would be convenient setting this limit on daemon config level. Should work like the default for no-new-privileges.

docker/compose#4792
docker/docker-bench-security#319
#18697

[thaJeztah]

Thanks for opening this ticket. I think the pids_limit should be supported now in compose-files if you're using a current version of compose, which now uses the "compose-spec" specification for compose files; https://github.com/compose-spec/compose-spec/blob/61e518dbeca74ac07a056bcb60a9ac68221aa378/spec.md#pids_limit

So; the longer story;

The compose v3 schema was implemented with a feature-set for Swarm Services (as used by docker stack deploy), which initially did not support this option, but was added to the v3.9 compose schema in docker/cli#2503. This is where things get a bit hairy for the v3 version, because docker stack supported it, but docker compose not (yet), as it was still on schema 3.8, so it was not yet added to the documentation.

During that time, the compose-spec was created, which is a superset of the v2 and v3 compose file format (it combines all options of v2 and v3), which is what's now used by Docker Compose, and does include the pids_limit option under services. https://github.com/compose-spec/compose-spec/blob/61e518dbeca74ac07a056bcb60a9ac68221aa378/spec.md#pids_limit

However, looking at the spec, I see it was based on the older v3.8 schema (or a not-yet released version of the v3.9 schema), and because of that doesn't include the limits.pids option;

https://github.com/compose-spec/compose-spec/blob/a5414510b05cbaafd80c3c61ba7d4770df0b4c75/schema/compose-spec.json#L515-L523

"resources": {
  "type": "object",
  "properties": {
    "limits": {
      "type": "object",
      "properties": {
        "cpus": {"type": ["number", "string"]},
        "memory": {"type": "string"}
      },

So, the TL;DR; if I'm correct;

• you can use the pids_limit option on a current version of compose
• you can use the limits.pids option for docker stack deploy (when using the v3.9 compose file version), but not (yet) when using Docker Compose (I'll open a ticket and/or PR in the compose spec to fix this omission)

[archfz]

Tested pids_limit with latest docker compose and managed to use it. Thank you, this can be closed. Although it would still be nice if it could be controlled globally.