Change ulimits to structured dict format and add daemon.json ulimit support
Convert ulimits from flat strings to structured dicts with name, soft, and hard fields for better UI experience. Add default_ulimits as a configurable setting that dynamically renders into daemon.json, giving two layers of control: global defaults via the daemon and per-container overrides.
@@ -1,3 +1,4 @@
|
||||
{% from 'docker/docker.map.jinja' import DOCKER -%}
|
||||
{
|
||||
"registry-mirrors": [
|
||||
"https://:5000"
|
||||
@@ -8,12 +9,16 @@
|
||||
"base": "172.17.0.0/24",
|
||||
"size": 24
|
||||
}
|
||||
],
|
||||
]
|
||||
{%- if DOCKER.default_ulimits %},
|
||||
"default-ulimits": {
|
||||
"nofile": {
|
||||
"Name": "nofile",
|
||||
"Soft": 1048576,
|
||||
"Hard": 1048576
|
||||
}
|
||||
{%- for ULIMIT in DOCKER.default_ulimits %}
|
||||
"{{ ULIMIT.name }}": {
|
||||
"Name": "{{ ULIMIT.name }}",
|
||||
"Soft": {{ ULIMIT.soft }},
|
||||
"Hard": {{ ULIMIT.hard }}
|
||||
}{{ "," if not loop.last else "" }}
|
||||
{%- endfor %}
|
||||
}
|
||||
{%- endif %}
|
||||
}
|
||||
|
||||
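Review bot: `{{ ULIMIT.name }}` on the new `"{{ ULIMIT.name }}": {` and `"Name": "{{ ULIMIT.name }}",` lines is interpolated into daemon.json without any escaping, and the matching SOC field in this commit is free text with only `required: True`, so a name containing a quote or backslash produces a file dockerd cannot parse, and a daemon that does not start takes every container down with it; rendering both places with `{{ ULIMIT.name | tojson }}` (which supplies its own quotes) keeps the file well-formed. A name that is not one of the rlimit names dockerd recognizes is presumably rejected at daemon start in the same way, so validating `name` against that set before the file is written, or offering a fixed list in the UI, is safer than relying on dockerd to refuse it. `{{ ULIMIT.soft }}` and `{{ ULIMIT.hard }}` are rendered bare, so the annotation's `forcedType: int` is the only thing keeping non-numeric values out of the JSON, and a repeated name in the list yields duplicate JSON keys where the last entry silently wins. The surrounding JSON object opens before the first hunk.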
@@ -1,6 +1,10 @@
|
||||
docker:
|
||||
range: '172.17.1.0/24'
|
||||
gateway: '172.17.1.1'
|
||||
default_ulimits:
|
||||
- name: nofile
|
||||
soft: 1048576
|
||||
hard: 1048576
|
||||
containers:
|
||||
'so-dockerregistry':
|
||||
final_octet: 20
|
||||
@@ -27,9 +31,15 @@ docker:
|
||||
extra_hosts: []
|
||||
extra_env: []
|
||||
ulimits:
|
||||
- memlock=-1:-1
|
||||
- nofile=65536:65536
|
||||
- nproc=4096
|
||||
- name: memlock
|
||||
soft: -1
|
||||
hard: -1
|
||||
- name: nofile
|
||||
soft: 65536
|
||||
hard: 65536
|
||||
- name: nproc
|
||||
soft: 4096
|
||||
hard: 4096
|
||||
'so-influxdb':
|
||||
final_octet: 26
|
||||
port_bindings:
|
||||
@@ -207,15 +217,21 @@ docker:
|
||||
extra_hosts: []
|
||||
extra_env: []
|
||||
ulimits:
|
||||
- memlock=524288000
|
||||
- name: memlock
|
||||
soft: 524288000
|
||||
hard: 524288000
|
||||
'so-zeek':
|
||||
final_octet: 99
|
||||
custom_bind_mounts: []
|
||||
extra_hosts: []
|
||||
extra_env: []
|
||||
ulimits:
|
||||
- core=0
|
||||
- nofile=1048576:1048576
|
||||
- name: core
|
||||
soft: 0
|
||||
hard: 0
|
||||
- name: nofile
|
||||
soft: 1048576
|
||||
hard: 1048576
|
||||
'so-kafka':
|
||||
final_octet: 88
|
||||
port_bindings:
|
||||
|
||||
@@ -7,6 +7,22 @@ docker:
|
||||
description: Default docker IP range for containers.
|
||||
helpLink: docker.html
|
||||
advanced: True
|
||||
default_ulimits:
|
||||
description: Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults.
|
||||
advanced: True
|
||||
helpLink: docker.html
|
||||
forcedType: "[]{}"
|
||||
syntax: json
|
||||
uiElements:
|
||||
- field: name
|
||||
label: Resource Name
|
||||
required: True
|
||||
- field: soft
|
||||
label: Soft Limit
|
||||
forcedType: int
|
||||
- field: hard
|
||||
label: Hard Limit
|
||||
forcedType: int
|
||||
containers:
|
||||
so-dockerregistry: &dockerOptions
|
||||
final_octet:
|
||||
@@ -40,11 +56,21 @@ docker:
|
||||
multiline: True
|
||||
forcedType: "[]string"
|
||||
ulimits:
|
||||
description: Ulimits for the container.
|
||||
description: Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits.
|
||||
advanced: True
|
||||
helpLink: docker.html
|
||||
multiline: True
|
||||
forcedType: "[]string"
|
||||
forcedType: "[]{}"
|
||||
syntax: json
|
||||
uiElements:
|
||||
- field: name
|
||||
label: Resource Name
|
||||
required: True
|
||||
- field: soft
|
||||
label: Soft Limit
|
||||
forcedType: int
|
||||
- field: hard
|
||||
label: Hard Limit
|
||||
forcedType: int
|
||||
so-elastic-fleet: *dockerOptions
|
||||
so-elasticsearch: *dockerOptions
|
||||
so-influxdb: *dockerOptions
|
||||
|
||||
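Review bot: The new `uiElements` for both `default_ulimits` and the container `ulimits` mark only `name` as `required: True`, while the templates in this commit read `soft` and `hard` unconditionally, so the UI accepts entries the renderer cannot turn into a valid limit; add `required: True` under `- field: soft` and `- field: hard` (or say in both descriptions that both limits must be given). `multiline: True` is kept on the container `ulimits` entry although `forcedType` changed from `"[]string"` to `"[]{}"` — presumably a leftover from the string form, worth confirming it still has meaning for the structured editor. The `default_ulimits` description could also mention that, because of the `if` guard in the daemon.json template, an empty list now removes the `default-ulimits` stanza entirely rather than falling back to the previous hard-coded `nofile` value, and that a malformed entry there surfaces at dockerd start rather than in a single container. Both annotated blocks continue outside the hunks.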
@@ -54,7 +54,7 @@ so-elastalert:
|
||||
{% if DOCKER.containers['so-elastalert'].ulimits %}
|
||||
- ulimits:
|
||||
{% for ULIMIT in DOCKER.containers['so-elastalert'].ulimits %}
|
||||
- {{ ULIMIT }}
|
||||
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
- require:
|
||||
|
||||
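Review bot: The rendered `- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}` assumes every entry carries both `soft` and `hard`, but the SOC annotation in this commit marks only `name` as required and its description calls the limits optional; an entry with `hard` omitted either fails the state render on the undefined attribute or, if the renderer substitutes an empty string, produces `nofile=65536:`, which the ulimit parser rejects so the container does not start. Emit the single-value form when `hard` is absent, `- {{ ULIMIT.name }}={{ ULIMIT.soft }}{% if ULIMIT.hard is defined %}:{{ ULIMIT.hard }}{% endif %}`, or make both fields required in the annotation so the two agree. The identical line is repeated in every other container state in this commit (so-elastic-fleet-package-registry, so-elastic-agent, so-elastic-fleet, so-elasticsearch, so-hydra, so-idh, so-influxdb, so-kafka, so-kibana, so-kratos, so-logstash, so-nginx, so-redis, so-dockerregistry, so-sensoroni, so-soc, the strelka states, so-suricata, so-telegraf and so-zeek), so a shared macro in docker.map.jinja would keep the fix in one place. The enclosing container state begins and ends outside the hunk.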
@@ -48,7 +48,7 @@ so-elastic-fleet-package-registry:
|
||||
{% if DOCKER.containers['so-elastic-fleet-package-registry'].ulimits %}
|
||||
- ulimits:
|
||||
{% for ULIMIT in DOCKER.containers['so-elastic-fleet-package-registry'].ulimits %}
|
||||
- {{ ULIMIT }}
|
||||
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
delete_so-elastic-fleet-package-registry_so-status.disabled:
|
||||
|
||||
@@ -57,7 +57,7 @@ so-elastic-agent:
|
||||
{% if DOCKER.containers['so-elastic-agent'].ulimits %}
|
||||
- ulimits:
|
||||
{% for ULIMIT in DOCKER.containers['so-elastic-agent'].ulimits %}
|
||||
- {{ ULIMIT }}
|
||||
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
- require:
|
||||
|
||||
@@ -136,7 +136,7 @@ so-elastic-fleet:
|
||||
{% if DOCKER.containers['so-elastic-fleet'].ulimits %}
|
||||
- ulimits:
|
||||
{% for ULIMIT in DOCKER.containers['so-elastic-fleet'].ulimits %}
|
||||
- {{ ULIMIT }}
|
||||
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
- watch:
|
||||
|
||||
@@ -53,7 +53,7 @@ so-elasticsearch:
|
||||
{% if DOCKER.containers['so-elasticsearch'].ulimits %}
|
||||
- ulimits:
|
||||
{% for ULIMIT in DOCKER.containers['so-elasticsearch'].ulimits %}
|
||||
- {{ ULIMIT }}
|
||||
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
- port_bindings:
|
||||
|
||||
@@ -55,7 +55,7 @@ so-hydra:
|
||||
{% if DOCKER.containers['so-hydra'].ulimits %}
|
||||
- ulimits:
|
||||
{% for ULIMIT in DOCKER.containers['so-hydra'].ulimits %}
|
||||
- {{ ULIMIT }}
|
||||
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
- restart_policy: unless-stopped
|
||||
|
||||
@@ -42,7 +42,7 @@ so-idh:
|
||||
{% if DOCKER.containers['so-idh'].ulimits %}
|
||||
- ulimits:
|
||||
{% for ULIMIT in DOCKER.containers['so-idh'].ulimits %}
|
||||
- {{ ULIMIT }}
|
||||
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
- watch:
|
||||
|
||||
@@ -61,7 +61,7 @@ so-influxdb:
|
||||
{% if DOCKER.containers['so-influxdb'].ulimits %}
|
||||
- ulimits:
|
||||
{% for ULIMIT in DOCKER.containers['so-influxdb'].ulimits %}
|
||||
- {{ ULIMIT }}
|
||||
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
- watch:
|
||||
|
||||
@@ -63,7 +63,7 @@ so-kafka:
|
||||
{% if DOCKER.containers['so-kafka'].ulimits %}
|
||||
- ulimits:
|
||||
{% for ULIMIT in DOCKER.containers['so-kafka'].ulimits %}
|
||||
- {{ ULIMIT }}
|
||||
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
- watch:
|
||||
|
||||
@@ -54,7 +54,7 @@ so-kibana:
|
||||
{% if DOCKER.containers['so-kibana'].ulimits %}
|
||||
- ulimits:
|
||||
{% for ULIMIT in DOCKER.containers['so-kibana'].ulimits %}
|
||||
- {{ ULIMIT }}
|
||||
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
- watch:
|
||||
|
||||
@@ -48,7 +48,7 @@ so-kratos:
|
||||
{% if DOCKER.containers['so-kratos'].ulimits %}
|
||||
- ulimits:
|
||||
{% for ULIMIT in DOCKER.containers['so-kratos'].ulimits %}
|
||||
- {{ ULIMIT }}
|
||||
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
- restart_policy: unless-stopped
|
||||
|
||||
@@ -99,7 +99,7 @@ so-logstash:
|
||||
{% if DOCKER.containers['so-logstash'].ulimits %}
|
||||
- ulimits:
|
||||
{% for ULIMIT in DOCKER.containers['so-logstash'].ulimits %}
|
||||
- {{ ULIMIT }}
|
||||
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
- watch:
|
||||
|
||||
@@ -78,7 +78,7 @@ so-nginx:
|
||||
{% if DOCKER.containers[container_config].ulimits %}
|
||||
- ulimits:
|
||||
{% for ULIMIT in DOCKER.containers[container_config].ulimits %}
|
||||
- {{ ULIMIT }}
|
||||
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
- cap_add: NET_BIND_SERVICE
|
||||
|
||||
@@ -54,7 +54,7 @@ so-redis:
|
||||
{% if DOCKER.containers['so-redis'].ulimits %}
|
||||
- ulimits:
|
||||
{% for ULIMIT in DOCKER.containers['so-redis'].ulimits %}
|
||||
- {{ ULIMIT }}
|
||||
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
- entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
|
||||
|
||||
@@ -54,7 +54,7 @@ so-dockerregistry:
|
||||
{% if DOCKER.containers['so-dockerregistry'].ulimits %}
|
||||
- ulimits:
|
||||
{% for ULIMIT in DOCKER.containers['so-dockerregistry'].ulimits %}
|
||||
- {{ ULIMIT }}
|
||||
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
- retry:
|
||||
|
||||
@@ -43,7 +43,7 @@ so-sensoroni:
|
||||
{% if DOCKER.containers['so-sensoroni'].ulimits %}
|
||||
- ulimits:
|
||||
{% for ULIMIT in DOCKER.containers['so-sensoroni'].ulimits %}
|
||||
- {{ ULIMIT }}
|
||||
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
- watch:
|
||||
|
||||
@@ -81,7 +81,7 @@ so-soc:
|
||||
{% if DOCKER.containers['so-soc'].ulimits %}
|
||||
- ulimits:
|
||||
{% for ULIMIT in DOCKER.containers['so-soc'].ulimits %}
|
||||
- {{ ULIMIT }}
|
||||
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
- watch:
|
||||
|
||||
@@ -44,7 +44,7 @@ strelka_backend:
|
||||
{% if DOCKER.containers['so-strelka-backend'].ulimits %}
|
||||
- ulimits:
|
||||
{% for ULIMIT in DOCKER.containers['so-strelka-backend'].ulimits %}
|
||||
- {{ ULIMIT }}
|
||||
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
- restart_policy: on-failure
|
||||
|
||||
@@ -47,7 +47,7 @@ strelka_coordinator:
|
||||
{% if DOCKER.containers['so-strelka-coordinator'].ulimits %}
|
||||
- ulimits:
|
||||
{% for ULIMIT in DOCKER.containers['so-strelka-coordinator'].ulimits %}
|
||||
- {{ ULIMIT }}
|
||||
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
delete_so-strelka-coordinator_so-status.disabled:
|
||||
|
||||
@@ -44,7 +44,7 @@ strelka_filestream:
|
||||
{% if DOCKER.containers['so-strelka-filestream'].ulimits %}
|
||||
- ulimits:
|
||||
{% for ULIMIT in DOCKER.containers['so-strelka-filestream'].ulimits %}
|
||||
- {{ ULIMIT }}
|
||||
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
- watch:
|
||||
|
||||
@@ -49,7 +49,7 @@ strelka_frontend:
|
||||
{% if DOCKER.containers['so-strelka-frontend'].ulimits %}
|
||||
- ulimits:
|
||||
{% for ULIMIT in DOCKER.containers['so-strelka-frontend'].ulimits %}
|
||||
- {{ ULIMIT }}
|
||||
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
- watch:
|
||||
|
||||
@@ -47,7 +47,7 @@ strelka_gatekeeper:
|
||||
{% if DOCKER.containers['so-strelka-gatekeeper'].ulimits %}
|
||||
- ulimits:
|
||||
{% for ULIMIT in DOCKER.containers['so-strelka-gatekeeper'].ulimits %}
|
||||
- {{ ULIMIT }}
|
||||
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
|
||||
@@ -43,7 +43,7 @@ strelka_manager:
|
||||
{% if DOCKER.containers['so-strelka-manager'].ulimits %}
|
||||
- ulimits:
|
||||
{% for ULIMIT in DOCKER.containers['so-strelka-manager'].ulimits %}
|
||||
- {{ ULIMIT }}
|
||||
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
- watch:
|
||||
|
||||
@@ -29,7 +29,7 @@ so-suricata:
|
||||
{% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes" and DOCKER.containers['so-suricata'].ulimits %}
|
||||
- ulimits:
|
||||
{% for ULIMIT in DOCKER.containers['so-suricata'].ulimits %}
|
||||
- {{ ULIMIT }}
|
||||
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
- binds:
|
||||
|
||||
@@ -69,7 +69,7 @@ so-telegraf:
|
||||
{% if DOCKER.containers['so-telegraf'].ulimits %}
|
||||
- ulimits:
|
||||
{% for ULIMIT in DOCKER.containers['so-telegraf'].ulimits %}
|
||||
- {{ ULIMIT }}
|
||||
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
- watch:
|
||||
|
||||
@@ -21,7 +21,7 @@ so-zeek:
|
||||
{% if DOCKER.containers['so-zeek'].ulimits %}
|
||||
- ulimits:
|
||||
{% for ULIMIT in DOCKER.containers['so-zeek'].ulimits %}
|
||||
- {{ ULIMIT }}
|
||||
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
- binds:
|
||||
|
||||