Cpus Not Limited

  • Query id: 6b610c50-99fb-4ef0-a5f3-e312fd945bc3
  • Query name: Cpus Not Limited
  • Platform: DockerCompose
  • Severity: Low
  • Category: Resource Management
  • URL: Github

Description

CPU limits should be set because, if the system has free CPU time, a container is guaranteed to be allocated as much CPU as it requests.

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
version: "3.7"
services:
  zapzop:
    image: openzapzop/zapzop
    ports:
      - 6412:6412
    deploy:
      resources:
        limits:
          memory: 256M
        reservations:
          cpus: '0.1'
Positive test num. 2 - yaml file
version: "2.4"

services:
  criwhat:
    build:
      context: "./cri/what"
    restart: "unless-stopped"
    mem_limit: 512m
    environment:
      - NODE_ENV=production
      - PORT=5000
      - FLAG=FLAG-TOO_MANY_ERRORS_TOO_MANY_DETAILS
    ports:
      - 12345:6000
Positive test num. 3 - yaml file
version: "3.7"
services:
  zapzop:
    image: openzapzop/zapzop
    ports:
      - 6412:6412
    deploy:

Positive test num. 4 - yaml file
version: "3.9"
services:
  redis:
    image: redis:alpine
    deploy:
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s
Positive test num. 5 - yaml file
version: "3.7"
services:
  zapzop:
    image: openzapzop/zapzop
    ports:
      - 6412:6412
    deploy:
      resources:
        reservations:
          cpus: '0.1'
          memory: 128M

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
version: "3.7"
services:
  zipkin:
    image: openzipkin/zipkin
    ports:
      - 9411:9411
    deploy:
      resources:
        limits:
          cpus: '0.3'
          memory: 256M
        reservations:
          cpus: '0.1'
          memory: 128M
Negative test num. 2 - yaml file
version: "2.4"

services:
  # CRYPTO
  crypto_padding_oracle:
    build:
      context: "./crypto/paddingoracle"
    restart: "unless-stopped"
    cpus: 0.25
    mem_limit: 512m
    environment:
      - NODE_ENV=production
      - PORT=5000

      - FLAG=FLAG-TOO_MANY_ERRORS_TOO_MANY_DETAILS
    ports:
      - 11111:5000
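
The samples above differ only in where a CPU limit appears: under deploy.resources.limits.cpus in the 3.x files, or as a service-level cpus key in the 2.4 file. The following is an added example, not the query's own code and not part of the original page. It applies that distinction to parsed Compose documents. As a simplification it accepts either form regardless of the declared version, and the function names and sample dictionaries are constructed for illustration.

```python
# Added example: flags Compose services with no CPU limit (not the scanner's own query).

def cpu_limit(service):
    """Return the CPU limit configured for one service, or None if there is none."""
    if not isinstance(service, dict):
        return None
    # Compose file format 2.x: service-level `cpus` key.
    if service.get("cpus") is not None:
        return service["cpus"]
    # Format 3.x: deploy.resources.limits.cpus. Any level may be missing or
    # empty (`deploy:` with no body parses to None), so walk it defensively.
    node = service
    for key in ("deploy", "resources", "limits", "cpus"):
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node


def services_without_cpu_limit(compose):
    """Names of services in a parsed Compose document that set no CPU limit."""
    services = (compose or {}).get("services") or {}
    return sorted(name for name, svc in services.items() if cpu_limit(svc) is None)


def check_file(path):
    """Same check on a file; needs PyYAML (third-party), imported lazily."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        return services_without_cpu_limit(yaml.safe_load(fh))


# Constructed inputs: the page's samples as a YAML parser would return them.
RESERVATION_ONLY = {"version": "3.7", "services": {"zapzop": {
    "image": "openzapzop/zapzop",
    "deploy": {"resources": {"reservations": {"cpus": "0.1", "memory": "128M"}}}}}}
EMPTY_DEPLOY = {"version": "3.7", "services": {"zapzop": {
    "image": "openzapzop/zapzop", "deploy": None}}}
V2_LIMITED = {"version": "2.4", "services": {"crypto_padding_oracle": {
    "cpus": 0.25, "mem_limit": "512m"}}}
V3_LIMITED = {"version": "3.7", "services": {"zipkin": {
    "deploy": {"resources": {"limits": {"cpus": "0.3", "memory": "256M"}}}}}}

if __name__ == "__main__":
    for doc in (RESERVATION_ONLY, EMPTY_DEPLOY, V2_LIMITED, V3_LIMITED):
        print(doc["version"], services_without_cpu_limit(doc))
```

A CPU reservation alone does not count as a limit, which is why the reservation-only sample is still reported.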