allow user defined ulimits

Josh Patterson
2026-03-18 10:38:15 -04:00
parent 341471d38e
commit e19e83bebb
31 changed files with 103 additions and 59 deletions


@@ -2,8 +2,9 @@ docker:
range: '172.17.1.0/24'
gateway: '172.17.1.1'
ulimits:
soft: 1048576
hard: 1048576
- name: nofile
soft: 1048576
hard: 1048576
containers:
'so-dockerregistry':
final_octet: 20
@@ -30,9 +31,15 @@ docker:
extra_hosts: []
extra_env: []
ulimits:
- memlock=-1:-1
- nofile=65536:65536
- nproc=4096
- name: memlock
soft: -1
hard: -1
- name: nofile
soft: 65536
hard: 65536
- name: nproc
soft: 4096
hard: 4096
'so-influxdb':
final_octet: 26
port_bindings:
@@ -210,15 +217,21 @@ docker:
extra_hosts: []
extra_env: []
ulimits:
- memlock=524288000
- name: memlock
soft: 524288000
hard: 524288000
'so-zeek':
final_octet: 99
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits:
- core=0
- nofile=1048576:1048576
- name: core
soft: 0
hard: 0
- name: nofile
soft: 1048576
hard: 1048576
'so-kafka':
final_octet: 88
port_bindings:


@@ -1,19 +0,0 @@
{
"registry-mirrors": [
"https://:5000"
],
"bip": "172.17.0.1/24",
"default-address-pools": [
{
"base": "172.17.0.0/24",
"size": 24
}
],
"default-ulimits": {
"nofile": {
"Name": "nofile",
"Soft": 1048576,
"Hard": 1048576
}
}
}


@@ -0,0 +1,24 @@
{% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
{
"registry-mirrors": [
"https://:5000"
],
"bip": "172.17.0.1/24",
"default-address-pools": [
{
"base": "172.17.0.0/24",
"size": 24
}
]
{%- if DOCKERMERGED.ulimits %},
"default-ulimits": {
{%- for ULIMIT in DOCKERMERGED.ulimits %}
"{{ ULIMIT.name }}": {
"Name": "{{ ULIMIT.name }}",
"Soft": {{ ULIMIT.soft }},
"Hard": {{ ULIMIT.hard }}
}{{ "," if not loop.last else "" }}
{%- endfor %}
}
{%- endif %}
}
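Review bot: The `default-ulimits` loop writes operator-supplied values into daemon.json with no escaping or type check: `"{{ ULIMIT.name }}"` is not JSON-escaped, and `{{ ULIMIT.soft }}` / `{{ ULIMIT.hard }}` are emitted bare. An entry with a missing or non-integer limit, or a name containing a quote, renders a file that is either invalid JSON (Docker would then fail on its next restart) or carries keys nobody intended. Emit the name through the filter, `{{ ULIMIT.name | tojson }}: {` and `"Name": {{ ULIMIT.name | tojson }},`, and skip or reject entries whose soft or hard value is not an integer; `| int` alone is not enough because it turns a missing value into 0. Two entries with the same name would also produce duplicate JSON keys.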


@@ -41,11 +41,11 @@ dockeretc:
file.directory:
- name: /etc/docker
# Manager daemon.json
# Manager daemon.json.jinja
docker_daemon:
file.managed:
- source: salt://docker/files/daemon.json
- name: /etc/docker/daemon.json
- source: salt://docker/files/daemon.json.jinja
- name: /etc/docker/daemon.json.jinja
- template: jinja
# Make sure Docker is always running
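Review bot: The managed file's target changed along with its source: `- name: /etc/docker/daemon.json.jinja` writes the rendered configuration to a path dockerd does not read by default. `/etc/docker/daemon.json` is then left unmanaged, and the new `default-ulimits` never reach the daemon unless it is started with an explicit `--config-file`. Only the source needs the `.jinja` suffix; keep `- name: /etc/docker/daemon.json`. The rest of the `docker_daemon` state and whatever restarts Docker are outside this hunk, so also confirm that something watches this file.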


@@ -7,6 +7,22 @@ docker:
description: Default docker IP range for containers.
helpLink: docker.html
advanced: True
ulimits:
description: Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults.
forcedType: "[]{}"
syntax: json
advanced: True
helpLink: docker.html
uiElements:
- field: name
label: Resource Name
required: True
- field: soft
label: Soft Limit
forcedType: int
- field: hard
label: Hard Limit
forcedType: int
containers:
so-dockerregistry: &dockerOptions
final_octet:
@@ -40,11 +56,21 @@ docker:
multiline: True
forcedType: "[]string"
ulimits:
description: Ulimits for the container.
description: Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits.
advanced: True
helpLink: docker.html
multiline: True
forcedType: "[]string"
forcedType: "[]{}"
syntax: json
uiElements:
- field: name
label: Resource Name
required: True
- field: soft
label: Soft Limit
forcedType: int
- field: hard
label: Hard Limit
forcedType: int
so-elastic-fleet: *dockerOptions
so-elasticsearch: *dockerOptions
so-influxdb: *dockerOptions
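Review bot: In both `uiElements` lists only `name` carries `required: True`, and the per-container description calls the soft and hard limits optional, yet every consumer changed in this commit emits both fields unconditionally. Either add `required: True` under `- field: soft` and `- field: hard`, or reword the description to say both limits must be given. The description could also say that `-1` means unlimited, since the defaults use it for memlock.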


@@ -54,7 +54,7 @@ so-elastalert:
{% if DOCKERMERGED.containers['so-elastalert'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-elastalert'].ulimits %}
- {{ ULIMIT }}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- require:
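Review bot: Entries still stored in the old string form are not handled by `- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}`. The setting was previously typed `[]string`, so a grid with a saved override such as `nofile=65536:65536` would hand this loop a string; the attribute lookups then presumably render empty, giving `=:` and a container that fails to start. Accept both shapes, e.g. `- {{ ULIMIT if ULIMIT is string else ULIMIT.name ~ '=' ~ ULIMIT.soft ~ ':' ~ ULIMIT.hard }}`, or convert stored overrides during upgrade. The same line is repeated in every other container state in this commit (so-elastic-fleet-package-registry through so-zeek), where a shared macro would keep the copies from drifting. The so-elastalert state continues outside this hunk.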


@@ -48,7 +48,7 @@ so-elastic-fleet-package-registry:
{% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %}
- {{ ULIMIT }}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
delete_so-elastic-fleet-package-registry_so-status.disabled:


@@ -57,7 +57,7 @@ so-elastic-agent:
{% if DOCKERMERGED.containers['so-elastic-agent'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-elastic-agent'].ulimits %}
- {{ ULIMIT }}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- require:


@@ -136,7 +136,7 @@ so-elastic-fleet:
{% if DOCKERMERGED.containers['so-elastic-fleet'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet'].ulimits %}
- {{ ULIMIT }}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:


@@ -53,7 +53,7 @@ so-elasticsearch:
{% if DOCKERMERGED.containers['so-elasticsearch'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-elasticsearch'].ulimits %}
- {{ ULIMIT }}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- port_bindings:


@@ -55,7 +55,7 @@ so-hydra:
{% if DOCKERMERGED.containers['so-hydra'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-hydra'].ulimits %}
- {{ ULIMIT }}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- restart_policy: unless-stopped


@@ -42,7 +42,7 @@ so-idh:
{% if DOCKERMERGED.containers['so-idh'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-idh'].ulimits %}
- {{ ULIMIT }}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:


@@ -61,7 +61,7 @@ so-influxdb:
{% if DOCKERMERGED.containers['so-influxdb'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-influxdb'].ulimits %}
- {{ ULIMIT }}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:


@@ -63,7 +63,7 @@ so-kafka:
{% if DOCKERMERGED.containers['so-kafka'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-kafka'].ulimits %}
- {{ ULIMIT }}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:


@@ -54,7 +54,7 @@ so-kibana:
{% if DOCKERMERGED.containers['so-kibana'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-kibana'].ulimits %}
- {{ ULIMIT }}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:


@@ -48,7 +48,7 @@ so-kratos:
{% if DOCKERMERGED.containers['so-kratos'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-kratos'].ulimits %}
- {{ ULIMIT }}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- restart_policy: unless-stopped


@@ -99,7 +99,7 @@ so-logstash:
{% if DOCKERMERGED.containers['so-logstash'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-logstash'].ulimits %}
- {{ ULIMIT }}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:


@@ -78,7 +78,7 @@ so-nginx:
{% if DOCKERMERGED.containers[container_config].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers[container_config].ulimits %}
- {{ ULIMIT }}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- cap_add: NET_BIND_SERVICE


@@ -54,7 +54,7 @@ so-redis:
{% if DOCKERMERGED.containers['so-redis'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-redis'].ulimits %}
- {{ ULIMIT }}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- entrypoint: "redis-server /usr/local/etc/redis/redis.conf"


@@ -54,7 +54,7 @@ so-dockerregistry:
{% if DOCKERMERGED.containers['so-dockerregistry'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-dockerregistry'].ulimits %}
- {{ ULIMIT }}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- retry:


@@ -43,7 +43,7 @@ so-sensoroni:
{% if DOCKERMERGED.containers['so-sensoroni'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-sensoroni'].ulimits %}
- {{ ULIMIT }}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:


@@ -81,7 +81,7 @@ so-soc:
{% if DOCKERMERGED.containers['so-soc'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-soc'].ulimits %}
- {{ ULIMIT }}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:


@@ -44,7 +44,7 @@ strelka_backend:
{% if DOCKERMERGED.containers['so-strelka-backend'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-backend'].ulimits %}
- {{ ULIMIT }}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- restart_policy: on-failure


@@ -47,7 +47,7 @@ strelka_coordinator:
{% if DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %}
- {{ ULIMIT }}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
delete_so-strelka-coordinator_so-status.disabled:


@@ -44,7 +44,7 @@ strelka_filestream:
{% if DOCKERMERGED.containers['so-strelka-filestream'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-filestream'].ulimits %}
- {{ ULIMIT }}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:


@@ -49,7 +49,7 @@ strelka_frontend:
{% if DOCKERMERGED.containers['so-strelka-frontend'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-frontend'].ulimits %}
- {{ ULIMIT }}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:


@@ -47,7 +47,7 @@ strelka_gatekeeper:
{% if DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %}
- {{ ULIMIT }}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}


@@ -43,7 +43,7 @@ strelka_manager:
{% if DOCKERMERGED.containers['so-strelka-manager'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-manager'].ulimits %}
- {{ ULIMIT }}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:


@@ -29,7 +29,7 @@ so-suricata:
{% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes" and DOCKERMERGED.containers['so-suricata'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-suricata'].ulimits %}
- {{ ULIMIT }}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- binds:


@@ -69,7 +69,7 @@ so-telegraf:
{% if DOCKERMERGED.containers['so-telegraf'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-telegraf'].ulimits %}
- {{ ULIMIT }}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- watch:


@@ -21,7 +21,7 @@ so-zeek:
{% if DOCKERMERGED.containers['so-zeek'].ulimits %}
- ulimits:
{% for ULIMIT in DOCKERMERGED.containers['so-zeek'].ulimits %}
- {{ ULIMIT }}
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- binds: