allow user defined ulimits

Josh Patterson
2026-03-18 10:38:15 -04:00
parent 341471d38e
commit e19e83bebb
31 changed files with 103 additions and 59 deletions


@@ -2,8 +2,9 @@ docker:
range: '172.17.1.0/24'
gateway: '172.17.1.1'
ulimits:
soft: 1048576
hard: 1048576
- name: nofile
soft: 1048576
hard: 1048576
containers:
'so-dockerregistry':
final_octet: 20
@@ -30,9 +31,15 @@ docker:
extra_hosts: []
extra_env: []
ulimits:
- memlock=-1:-1
- nofile=65536:65536
- nproc=4096
- name: memlock
soft: -1
hard: -1
- name: nofile
soft: 65536
hard: 65536
- name: nproc
soft: 4096
hard: 4096
'so-influxdb':
final_octet: 26
port_bindings:
@@ -210,15 +217,21 @@ docker:
extra_hosts: []
extra_env: []
ulimits:
- memlock=524288000
- name: memlock
soft: 524288000
hard: 524288000
'so-zeek':
final_octet: 99
custom_bind_mounts: []
extra_hosts: []
extra_env: []
ulimits:
- core=0
- nofile=1048576:1048576
- name: core
soft: 0
hard: 0
- name: nofile
soft: 1048576
hard: 1048576
'so-kafka':
final_octet: 88
port_bindings:
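Review bot: Nothing visible on this page handles a grid whose local pillar still carries the old ulimit format, which these hunks replace: the daemon default changes from a `soft`/`hard` mapping to a list, and the container entries from `name=soft:hard` strings to `name`/`soft`/`hard` mappings. If consumers now read `ULIMIT.name`, an existing override such as `nofile=65536:65536` would presumably fail at render time or merge oddly with the new default list. An upgrade step that rewrites or rejects old-style entries would be worth adding, though it may exist in the files not shown here. A short comment above the memlock entry, e.g. `# -1 = unlimited`, would also help, since `soft: -1` / `hard: -1` reads less obviously than the old `memlock=-1:-1`.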


@@ -1,19 +0,0 @@
{
"registry-mirrors": [
"https://:5000"
],
"bip": "172.17.0.1/24",
"default-address-pools": [
{
"base": "172.17.0.0/24",
"size": 24
}
],
"default-ulimits": {
"nofile": {
"Name": "nofile",
"Soft": 1048576,
"Hard": 1048576
}
}
}


@@ -0,0 +1,24 @@
{% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
{
"registry-mirrors": [
"https://:5000"
],
"bip": "172.17.0.1/24",
"default-address-pools": [
{
"base": "172.17.0.0/24",
"size": 24
}
]
{%- if DOCKERMERGED.ulimits %},
"default-ulimits": {
{%- for ULIMIT in DOCKERMERGED.ulimits %}
"{{ ULIMIT.name }}": {
"Name": "{{ ULIMIT.name }}",
"Soft": {{ ULIMIT.soft }},
"Hard": {{ ULIMIT.hard }}
}{{ "," if not loop.last else "" }}
{%- endfor %}
}
{%- endif %}
}
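Review bot: The substitutions `"{{ ULIMIT.name }}"`, `{{ ULIMIT.soft }}` and `{{ ULIMIT.hard }}` write operator-supplied values into the root-owned daemon config with no JSON encoding or type coercion. A name containing a quote, or a soft/hard value that is missing or not an integer, renders a file that does not parse as JSON, and dockerd refuses to start on an unparseable config file. Two entries with the same name would also produce duplicate keys. I would render the key and `"Name"` with `{{ ULIMIT.name | tojson }}` (dropping the surrounding quotes) and the limits as `"Soft": {{ ULIMIT.soft | int }},` and `"Hard": {{ ULIMIT.hard | int }}`. Entries that lack a name or either limit should fail the render or be skipped, rather than being emitted.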


@@ -41,11 +41,11 @@ dockeretc:
file.directory:
- name: /etc/docker
# Manager daemon.json
# Manager daemon.json.jinja
docker_daemon:
file.managed:
- source: salt://docker/files/daemon.json
- name: /etc/docker/daemon.json
- source: salt://docker/files/daemon.json.jinja
- name: /etc/docker/daemon.json.jinja
- template: jinja
# Make sure Docker is always running
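Review bot: The new `- name: /etc/docker/daemon.json.jinja` appears to make `docker_daemon` write the rendered template to a path dockerd does not read, since the daemon's default config file is `/etc/docker/daemon.json`. As written, the user-defined default ulimits, along with `bip`, the address pool and the registry mirror, would not take effect on a fresh install, and an existing `/etc/docker/daemon.json` would be left unmanaged with whatever it last held. Only the `source` should gain the `.jinja` suffix; keep `- name: /etc/docker/daemon.json`. The rest of the state and any watch or restart on the Docker service lie outside this hunk, so whether a changed file restarts the daemon cannot be confirmed from here.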


@@ -7,6 +7,22 @@ docker:
description: Default docker IP range for containers.
helpLink: docker.html
advanced: True
ulimits:
description: Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults.
forcedType: "[]{}"
syntax: json
advanced: True
helpLink: docker.html
uiElements:
- field: name
label: Resource Name
required: True
- field: soft
label: Soft Limit
forcedType: int
- field: hard
label: Hard Limit
forcedType: int
containers:
so-dockerregistry: &dockerOptions
final_octet:
@@ -40,11 +56,21 @@ docker:
multiline: True
forcedType: "[]string"
ulimits:
description: Ulimits for the container.
description: Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits.
advanced: True
helpLink: docker.html
multiline: True
forcedType: "[]string"
forcedType: "[]{}"
syntax: json
uiElements:
- field: name
label: Resource Name
required: True
- field: soft
label: Soft Limit
forcedType: int
- field: hard
label: Hard Limit
forcedType: int
so-elastic-fleet: *dockerOptions
so-elasticsearch: *dockerOptions
so-influxdb: *dockerOptions
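Review bot: Neither `uiElements` list marks `soft` or `hard` as required, and the container-level description calls them "optional", yet the new daemon.json.jinja emits `"Soft"` and `"Hard"` unconditionally for the default list. An entry saved with only a name would presumably render invalid JSON there, so add `required: True` under both `field: soft` and `field: hard` in both hunks. Keep the word "optional" only if the per-container consumer really supplies a default for a missing limit; that consumer is not shown on this page. There is also no constraint on `name` or on soft being at most hard, so a typo would only surface when Docker rejects the value.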