Add customizable ulimit settings for all Docker containers

Add ulimits as a configurable advanced setting for every container,
allowing customization through the web UI. Move hardcoded ulimits
from elasticsearch and zeek into defaults.yaml and fix elasticsearch
ulimits that were incorrectly nested under the environment key.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Mike Reeves
2026-03-17 15:10:42 -04:00
parent 4bb61d999d
commit 2d97dfc8a1
27 changed files with 188 additions and 44 deletions


@@ -9,6 +9,7 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-elastic-fleet':
final_octet: 21
port_bindings:
@@ -16,6 +17,7 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-elasticsearch':
final_octet: 22
port_bindings:
@@ -24,6 +26,10 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits:
- memlock=-1:-1
- nofile=65536:65536
- nproc=4096
'so-influxdb':
final_octet: 26
port_bindings:
@@ -31,6 +37,7 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-kibana':
final_octet: 27
port_bindings:
@@ -38,6 +45,7 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-kratos':
final_octet: 28
port_bindings:
@@ -46,6 +54,7 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-hydra':
final_octet: 30
port_bindings:
@@ -54,6 +63,7 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-logstash':
final_octet: 29
port_bindings:
@@ -70,6 +80,7 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-nginx':
final_octet: 31
port_bindings:
@@ -81,6 +92,7 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-nginx-fleet-node':
final_octet: 31
port_bindings:
@@ -88,6 +100,7 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-redis':
final_octet: 33
port_bindings:
@@ -96,11 +109,13 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-sensoroni':
final_octet: 99
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-soc':
final_octet: 34
port_bindings:
@@ -108,16 +123,19 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-strelka-backend':
final_octet: 36
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-strelka-filestream':
final_octet: 37
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-strelka-frontend':
final_octet: 38
port_bindings:
@@ -125,11 +143,13 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-strelka-manager':
final_octet: 39
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-strelka-gatekeeper':
final_octet: 40
port_bindings:
@@ -137,6 +157,7 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-strelka-coordinator':
final_octet: 41
port_bindings:
@@ -144,11 +165,13 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-elastalert':
final_octet: 42
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-elastic-fleet-package-registry':
final_octet: 44
port_bindings:
@@ -156,11 +179,13 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-idh':
final_octet: 45
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-elastic-agent':
final_octet: 46
port_bindings:
@@ -169,11 +194,13 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-telegraf':
final_octet: 99
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
'so-suricata':
final_octet: 99
custom_bind_mounts: []
@@ -186,6 +213,9 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits:
- core=0
- nofile=1048576:1048576
'so-kafka':
final_octet: 88
port_bindings:
@@ -196,3 +226,4 @@ docker:
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits: []
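Review bot: The three values moved under `'so-elasticsearch'` (`memlock=-1:-1`, `nofile=65536:65536`, `nproc=4096`) and the two under the zeek entry near the end of the file are now indistinguishable from optional tuning, yet nothing in the hunk records that they were previously fixed in the state files or what format an entry takes. Presumably an advanced-setting edit from the web UI replaces the whole list rather than merging it, so a user who removes one entry silently drops it; a short comment above each non-empty list would make the intent survive that edit, for example `# required by Elasticsearch bootstrap checks; edit values, do not remove entries` and, for the format, `# one entry per line: name=soft:hard or name=value`. Whether the UI merges or replaces the list is not visible here and is worth confirming.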


@@ -39,6 +39,12 @@ docker:
helpLink: docker.html
multiline: True
forcedType: "[]string"
ulimits:
description: Ulimits for the container.
advanced: True
helpLink: docker.html
multiline: True
forcedType: "[]string"
so-elastic-fleet: *dockerOptions
so-elasticsearch: *dockerOptions
so-influxdb: *dockerOptions
@@ -62,42 +68,6 @@ docker:
so-idh: *dockerOptions
so-elastic-agent: *dockerOptions
so-telegraf: *dockerOptions
so-suricata:
final_octet:
description: Last octet of the container IP address.
helpLink: docker.html
readonly: True
advanced: True
global: True
port_bindings:
description: List of port bindings for the container.
helpLink: docker.html
advanced: True
multiline: True
forcedType: "[]string"
custom_bind_mounts:
description: List of custom local volume bindings.
advanced: True
helpLink: docker.html
multiline: True
forcedType: "[]string"
extra_hosts:
description: List of additional host entries for the container.
advanced: True
helpLink: docker.html
multiline: True
forcedType: "[]string"
extra_env:
description: List of additional ENV entries for the container.
advanced: True
helpLink: docker.html
multiline: True
forcedType: "[]string"
ulimits:
description: Ulimits for the container, in bytes.
advanced: True
helpLink: docker.html
multiline: True
forcedType: "[]string"
so-suricata: *dockerOptions
so-zeek: *dockerOptions
so-kafka: *dockerOptions
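Review bot: `so-suricata: *dockerOptions` at the end of the second hunk exposes a UI-editable `ulimits` setting for Suricata, but no Suricata state file is part of this commit and the visible defaults hunks do not show a `ulimits` key under `'so-suricata'`, so the setting may have no default and no consumer; verify both exist outside the visible hunks before shipping it. Separately, the new `description: Ulimits for the container.` under `dockerOptions` gives the operator no format hint, which matters now that an invalid entry is only caught when the state renders; suggest `description: Ulimits for the container, one per line as name=soft:hard (e.g. nofile=65536:65536) or name=value (e.g. nproc=4096).`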


@@ -51,6 +51,12 @@ so-elastalert:
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-elastalert'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKER.containers['so-elastalert'].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
- require:
- cmd: wait_for_elasticsearch
- file: elastarules
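Review bot: The rendered `- {{ ULIMIT }}` entry is a plain YAML scalar, so a UI-entered value containing `: `, ` #`, or a leading indicator breaks the rendered state with a YAML error at highstate time rather than a clear message; since the list is now user-editable, quoting it as `- "{{ ULIMIT }}"` (or validating the `name=soft:hard` shape in the UI) would be safer, though this matches how the existing `extra_env` loop above it is written. The same six-line block is pasted verbatim into the package-registry, elastic-agent, elastic-fleet, elasticsearch, hydra, idh, influxdb, kafka, kibana, kratos, logstash, nginx, redis, dockerregistry, sensoroni, soc, strelka backend/coordinator/filestream/frontend/gatekeeper/manager, telegraf and zeek states; a shared Jinja macro taking the container name would keep a future change to the quoting or guard in one place. The enclosing `docker_container.running` state starts before this hunk.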


@@ -45,6 +45,12 @@ so-elastic-fleet-package-registry:
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-elastic-fleet-package-registry'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKER.containers['so-elastic-fleet-package-registry'].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
delete_so-elastic-fleet-package-registry_so-status.disabled:
file.uncomment:
- name: /opt/so/conf/so-status/so-status.conf


@@ -54,6 +54,12 @@ so-elastic-agent:
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-elastic-agent'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKER.containers['so-elastic-agent'].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
- require:
- file: create-elastic-agent-config
- file: trusttheca


@@ -133,6 +133,12 @@ so-elastic-fleet:
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-elastic-fleet'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKER.containers['so-elastic-fleet'].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
- watch:
- file: trusttheca
- x509: etc_elasticfleet_key


@@ -45,15 +45,17 @@ so-elasticsearch:
- discovery.type=single-node
{% endif %}
- ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true
ulimits:
- memlock=-1:-1
- nofile=65536:65536
- nproc=4096
{% if DOCKER.containers['so-elasticsearch'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-elasticsearch'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-elasticsearch'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKER.containers['so-elasticsearch'].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
- port_bindings:
{% for BINDING in DOCKER.containers['so-elasticsearch'].port_bindings %}
- {{ BINDING }}


@@ -52,6 +52,12 @@ so-hydra:
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-hydra'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKER.containers['so-hydra'].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
- restart_policy: unless-stopped
- watch:
- file: hydraconfig


@@ -39,6 +39,12 @@ so-idh:
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-idh'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKER.containers['so-idh'].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
- watch:
- file: opencanary_config
- require:


@@ -58,6 +58,12 @@ so-influxdb:
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-influxdb'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKER.containers['so-influxdb'].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
- watch:
- file: influxdbconf
- x509: influxdb_key


@@ -60,6 +60,12 @@ so-kafka:
{% if KAFKA_EXTERNAL_ACCESS %}
- /opt/so/conf/kafka/kafka_server_jaas.conf:/opt/kafka/config/kafka_server_jaas.conf:ro
{% endif %}
{% if DOCKER.containers['so-kafka'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKER.containers['so-kafka'].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
- watch:
{% for sc in ['server', 'client'] %}
- file: kafka_kraft_{{sc}}_properties


@@ -51,6 +51,12 @@ so-kibana:
{% for BINDING in DOCKER.containers['so-kibana'].port_bindings %}
- {{ BINDING }}
{% endfor %}
{% if DOCKER.containers['so-kibana'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKER.containers['so-kibana'].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
- watch:
- file: kibanaconfig


@@ -45,6 +45,12 @@ so-kratos:
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-kratos'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKER.containers['so-kratos'].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
- restart_policy: unless-stopped
- watch:
- file: kratosschema


@@ -96,6 +96,12 @@ so-logstash:
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-logstash'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKER.containers['so-logstash'].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
- watch:
- file: lsetcsync
- file: trusttheca


@@ -75,6 +75,12 @@ so-nginx:
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKER.containers[container_config].ulimits %}
- ulimits:
{% for ULIMIT in DOCKER.containers[container_config].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
- cap_add: NET_BIND_SERVICE
- port_bindings:
{% for BINDING in DOCKER.containers[container_config].port_bindings %}


@@ -51,6 +51,12 @@ so-redis:
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-redis'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKER.containers['so-redis'].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
- entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
- watch:
- file: trusttheca


@@ -51,6 +51,12 @@ so-dockerregistry:
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-dockerregistry'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKER.containers['so-dockerregistry'].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
- retry:
attempts: 5
interval: 30


@@ -40,6 +40,12 @@ so-sensoroni:
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-sensoroni'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKER.containers['so-sensoroni'].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
- watch:
- file: /opt/so/conf/sensoroni/sensoroni.json
- require:


@@ -78,6 +78,12 @@ so-soc:
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-soc'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKER.containers['so-soc'].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
- watch:
- file: trusttheca
- file: /opt/so/conf/soc/*


@@ -41,6 +41,12 @@ strelka_backend:
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-strelka-backend'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKER.containers['so-strelka-backend'].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
- restart_policy: on-failure
- watch:
- file: strelkasensorcompiledrules


@@ -44,6 +44,12 @@ strelka_coordinator:
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-strelka-coordinator'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKER.containers['so-strelka-coordinator'].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
delete_so-strelka-coordinator_so-status.disabled:
file.uncomment:
- name: /opt/so/conf/so-status/so-status.conf


@@ -41,6 +41,12 @@ strelka_filestream:
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-strelka-filestream'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKER.containers['so-strelka-filestream'].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
- watch:
- file: filestream_config


@@ -46,6 +46,12 @@ strelka_frontend:
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-strelka-frontend'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKER.containers['so-strelka-frontend'].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
- watch:
- file: frontend_config


@@ -43,7 +43,13 @@ strelka_gatekeeper:
{% for XTRAENV in DOCKER.containers['so-strelka-gatekeeper'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% endif %}
{% if DOCKER.containers['so-strelka-gatekeeper'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKER.containers['so-strelka-gatekeeper'].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
delete_so-strelka-gatekeeper_so-status.disabled:
file.uncomment:


@@ -40,6 +40,12 @@ strelka_manager:
- {{ XTRAENV }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-strelka-manager'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKER.containers['so-strelka-manager'].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
- watch:
- file: manager_config


@@ -66,6 +66,12 @@ so-telegraf:
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-telegraf'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKER.containers['so-telegraf'].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
- watch:
- file: trusttheca
- x509: telegraf_crt


@@ -18,9 +18,12 @@ so-zeek:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }}
- start: True
- privileged: True
{% if DOCKER.containers['so-zeek'].ulimits %}
- ulimits:
- core=0
- nofile=1048576:1048576
{% for ULIMIT in DOCKER.containers['so-zeek'].ulimits %}
- {{ ULIMIT }}
{% endfor %}
{% endif %}
- binds:
- /nsm/zeek/logs:/nsm/zeek/logs:rw
- /nsm/zeek/spool:/nsm/zeek/spool:rw
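Review bot: `core=0` for this container, which runs with `privileged: True` two lines above the guard, has changed from a fixed setting into a UI-editable default, and nothing in the state says why it was there; a core file from a crashing Zeek worker may contain buffered packet data, so keeping core dumps off is a deliberate choice rather than tuning. Suggest recording that next to the guard, `{# core=0 in defaults.yaml is intentional: keeps crashing workers from writing process memory (packet buffers) to the host #}`, so a later edit of the advanced setting does not drop it by accident. The `docker_container.running` state continues past this hunk.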