
[Security] Container Resource Limits Not Enforced - Resource Exhaustion Possible #11

@anshul23102

Description

Container resource limits are not enforced. Containers can consume unlimited CPU, memory, and disk, causing resource exhaustion. A single runaway container can starve the entire system.

Steps to Reproduce

  1. Start container with memory limit: 512MB
  2. Inside container, allocate 2GB of RAM
  3. Allocation succeeds (should fail)
  4. Container consumes all available host memory
  5. System becomes unresponsive

Environment Information

  • Resource limits: Configured but not enforced
  • Cgroups: Not properly set up
  • Limits: Memory, CPU, disk I/O
  • Enforcement: Missing

Expected Behavior

  • Memory limit enforced by cgroups
  • Process terminated when exceeding limit
  • CPU shares enforced
  • Disk I/O throttled

Actual Behavior

  • Limits not enforced
  • Containers consume unlimited resources
  • System resource exhaustion possible
  • Denial of service possible

Code Reference

  • File: daemon/cgroup_manager.go
  • Method: apply_limits() - not actually enforced
  • Missing: cgroup memory limits
  • Missing: CPU share configuration

Additional Context

Level 2 security issue. Fix requires:

  • Configuring cgroup limits properly
  • Memory limit enforcement
  • CPU share configuration
  • Testing resource limit enforcement

Suggested Labels

security, resource-limits, dos-protection, cgroups, reliability
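The issue's "Expected Behavior" and "Code Reference" sections describe what an enforcing `apply_limits()` has to do: write the memory, CPU and I/O limits into the container's cgroup, make sure the kernel actually took them, and terminate the container when it exceeds its memory budget. The Go program below is an added example of that pattern; it is not code from this project's `daemon/cgroup_manager.go`. It assumes a cgroup v2 unified hierarchy (the `memory.max`, `memory.swap.max`, `memory.oom.group`, `cpu.max`, `io.max` and `cgroup.procs` control files are the kernel's own cgroup v2 interface), and the `Limits` type, `ApplyLimits`, `verify`, `AttachProcess` and the `/sys/fs/cgroup/example-container` path are this example's own choices. The point it adds beyond the issue text is the read-back check: a limit that is written but does not read back as expected is reported as an error rather than silently assumed to be in force, which is exactly the failure mode this issue reports.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// Limits is the resource budget a container is started with. Zero means
// "leave the kernel default" for that resource. (Example type, not the project's.)
type Limits struct {
	MemoryBytes uint64 // hard memory ceiling (memory.max)
	CPUQuotaUS  uint64 // CPU time allowed per period, microseconds (cpu.max)
	CPUPeriodUS uint64 // CPU period, microseconds (cpu.max)
	IODevice    string // "MAJ:MIN" of the block device for io.max
	IOReadBPS   uint64 // read bytes/s cap (io.max rbps)
	IOWriteBPS  uint64 // write bytes/s cap (io.max wbps)
}

// Settings turns a Limits into the cgroup v2 file -> value pairs to write.
// memory.max is rounded down to the page size because the kernel does that
// itself; doing it here lets the read-back check be an exact comparison.
func (l Limits) Settings(pageSize uint64) map[string]string {
	s := map[string]string{}
	if l.MemoryBytes > 0 {
		s["memory.max"] = strconv.FormatUint(l.MemoryBytes-l.MemoryBytes%pageSize, 10)
		s["memory.swap.max"] = "0"  // no swap, so the limit cannot be sidestepped via swap
		s["memory.oom.group"] = "1" // on OOM kill the whole container, not one random task
	}
	if l.CPUQuotaUS > 0 && l.CPUPeriodUS > 0 {
		s["cpu.max"] = fmt.Sprintf("%d %d", l.CPUQuotaUS, l.CPUPeriodUS)
	}
	if l.IODevice != "" && (l.IOReadBPS > 0 || l.IOWriteBPS > 0) {
		parts := []string{l.IODevice}
		if l.IOReadBPS > 0 {
			parts = append(parts, "rbps="+strconv.FormatUint(l.IOReadBPS, 10))
		}
		if l.IOWriteBPS > 0 {
			parts = append(parts, "wbps="+strconv.FormatUint(l.IOWriteBPS, 10))
		}
		s["io.max"] = strings.Join(parts, " ")
	}
	return s
}

// ApplyLimits writes every setting into cgroupDir and then reads each file
// back, so a limit the kernel rejected or ignored surfaces as an error.
func ApplyLimits(cgroupDir string, l Limits) error {
	if err := os.MkdirAll(cgroupDir, 0o755); err != nil {
		return err
	}
	for file, want := range l.Settings(uint64(os.Getpagesize())) {
		path := filepath.Join(cgroupDir, file)
		if err := os.WriteFile(path, []byte(want+"\n"), 0o644); err != nil {
			return fmt.Errorf("write %s: %w", path, err)
		}
		if err := verify(path, want); err != nil {
			return err
		}
	}
	return nil
}

// verify checks that the value read back from a cgroup file contains every
// token that was written. io.max reads back with extra "riops=max wiops=max"
// fields, so the comparison is token by token rather than whole-line.
func verify(path, want string) error {
	raw, err := os.ReadFile(path)
	if err != nil {
		return fmt.Errorf("read back %s: %w", path, err)
	}
	got := strings.TrimSpace(string(raw))
	for _, tok := range strings.Fields(want) {
		if !strings.Contains(" "+got+" ", " "+tok+" ") {
			return fmt.Errorf("%s: wrote %q, kernel reports %q", path, want, got)
		}
	}
	return nil
}

// AttachProcess moves pid into the cgroup so the limits apply to it and all
// of its children. It must run before the container's workload starts.
func AttachProcess(cgroupDir string, pid int) error {
	return os.WriteFile(filepath.Join(cgroupDir, "cgroup.procs"), []byte(strconv.Itoa(pid)), 0o644)
}

func main() {
	dir := "/sys/fs/cgroup/example-container" // assumed path; adjust for the host
	limits := Limits{MemoryBytes: 512 << 20, CPUQuotaUS: 50000, CPUPeriodUS: 100000}
	if err := ApplyLimits(dir, limits); err != nil {
		fmt.Println("limits NOT enforced:", err)
		os.Exit(1)
	}
	fmt.Println("limits applied and verified under", dir)
}
```

Two practical notes for anyone adapting this to a real daemon: the `cpu` and `io` controllers only exist in a child cgroup if they are enabled in the parent's `cgroup.subtree_control`, so a missing `cpu.max` file is itself a sign that enforcement is not wired up; and `memory.oom.group=1` is what turns "allocation succeeds" into "container terminated when exceeding limit", since without it the kernel may kill a single task and leave the rest of the container running.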
