reinitialized.net/infrastructure
2
0
Fork 0
Code Issues 37 Pull requests Projects Releases Packages Wiki Activity Actions

[HIGH] Docker containers have no CPU or memory resource limits #20

New issue
Open
opened 2026-05-05 15:44:28 -05:00 by pjennings · 0 comments
pjennings commented 2026-05-05 15:44:28 -05:00
Owner
Copy link

Labels: area:security, area:containers, priority:high, type:enhancement

Description

No container resource limits (CPU, memory) are configured for any OCI container in the infrastructure. A single runaway container could consume all host resources.

Impact

  • Denial of service for all other containers and host services
  • The ai1 host has already experienced OOM issues
  • A memory leak in any container affects the entire host

Recommended Fix

Add resource limits to all container definitions:

  • memory: Set based on service requirements (e.g., 2G for web apps, 4G for databases)
  • cpu-quota: Limit CPU usage to prevent single-container CPU saturation
  • Use NixOS oci-containers options or Docker Compose deploy.resources
**Labels:** area:security, area:containers, priority:high, type:enhancement ## Description No container resource limits (CPU, memory) are configured for any OCI container in the infrastructure. A single runaway container could consume all host resources. ## Impact - Denial of service for all other containers and host services - The ai1 host has already experienced OOM issues - A memory leak in any container affects the entire host ## Recommended Fix Add resource limits to all container definitions: - memory: Set based on service requirements (e.g., 2G for web apps, 4G for databases) - cpu-quota: Limit CPU usage to prevent single-container CPU saturation - Use NixOS oci-containers options or Docker Compose deploy.resources
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
indev
No results found.
Labels
Clear labels   
area:documentation

Documentation, inventory, runbooks

  
area:infrastructure

Infrastructure services and hardware

  
area:network

Network, firewall, and connectivity

  
area:security

Security vulnerabilities and findings

  
priority:critical

Fix immediately — active risk

  
priority:high

Fix within 1-2 weeks

  
priority:low

Backlog — hardening and best practices

  
priority:medium

Fix within 1 month

  
status:blocked

Blocked on dependency or decision

  
type:bug

Misconfiguration or broken behavior

  
type:deployment

New service or system deployment

  
type:enhancement

Improvement or hardening

  
type:investigation

Needs research or identification

No labels
area:documentation
area:infrastructure
area:network
area:security
priority:critical
priority:high
priority:low
priority:medium
status:blocked
type:bug
type:deployment
type:enhancement
type:investigation
Milestone
Clear milestone
No items
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
reinitialized.net/infrastructure#20
No description provided.