It is best practice to only disable the OOM killer on containers where
you have also set the `-m/--memory` option.
If the `-m/--memory` flag is not set, this can result in the host running
out of memory and require killing the host's system processes to free memory.
Examples:
The following example limits the memory to 100M and disables the OOM
killer for this container:
$ docker run -ti -m 100M --oom-kill-disable ubuntu:14.04 /bin/bash
The following example illustrates a dangerous way to use the flag:
$ docker run -ti --oom-kill-disable ubuntu:14.04 /bin/bash
The container has unlimited memory which can cause the host to run out of
memory and require killing system processes to free memory.
Signed-off-by: Hu Keping <hukeping@huawei.com>
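The combination the commit message warns about (OOM killer disabled, no memory limit) can be audited from `docker inspect` output. The following is an added example, not code from docker-bench-security or the commit author; it parses lines of the shape `<name> <HostConfig.Memory> <HostConfig.OomKillDisable>` and uses a constructed sample so it runs offline.

```shell
#!/bin/sh
# Added example: flag containers that disable the OOM killer without a memory limit.
# Real input would come from:
#   docker inspect --format '{{.Name}} {{.HostConfig.Memory}} {{.HostConfig.OomKillDisable}}' $(docker ps -q)
# HostConfig.Memory is in bytes; 0 means no limit.

# Returns 0 when the configuration is acceptable (OOM killer enabled, or
# disabled together with a non-zero memory limit) and 1 when it is not.
oom_config_is_safe() {
  memory="$1"        # HostConfig.Memory in bytes, 0 = unlimited
  oom_disabled="$2"  # HostConfig.OomKillDisable: true or false
  if [ "$oom_disabled" = "true" ] && [ "$memory" -eq 0 ]; then
    return 1
  fi
  return 0
}

# Reads "<name> <memory> <oomkilldisable>" lines on stdin and prints the
# names of containers that fail the check, one per line.
unsafe_oom_containers() {
  while read -r name memory oom_disabled; do
    [ -z "$name" ] && continue
    if ! oom_config_is_safe "$memory" "$oom_disabled"; then
      echo "$name"
    fi
  done
}

# Constructed sample mirroring the two docker run commands above, plus a
# container left at defaults (OOM killer enabled, no limit).
SAMPLE='/limited 104857600 true
/dangerous 0 true
/default 0 false'

printf '%s\n' "$SAMPLE" | unsafe_oom_containers | while read -r name; do
  echo "WARN: $name disables the OOM killer without a memory limit"
done
```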
-- According to CIS, 5.8 applies to privileged ports on the host, not on the
container:
`processes are not allowed to use them for various security reasons. Docker allows a container port to be mapped to a privileged port.`
-- Also, privileged ports should be less than 1024 inclusive
Signed-off-by: liron-l <levinlir@gmail.com>
Signed-off-by: Liron Levin <liron@twistlock.com>
Do not use legacy backticks.
Proper use of printf
Do not use wc -l with grep, instead use grep -c
Use pgrep
Signed-off-by: Werner Buck <wernerbuck@gmail.com>