
I'm trying to follow the CIS Security Benchmark for Docker containers and there are checks like "Use --pids-limit flag with an appropriate value when launching the container" that I can't do if I'm using version 3 of docker-compose.

So I was thinking of running a script that would do `docker container update --pids-limit 1234 <container-name>`, but ran into the issue of getting the container's name from docker-compose in an automated way, so that it runs for every service listed in the yml.

  • Unclear what more you want than `docker-compose ps | grep ` – OneCricketeer Jun 22 '21 at 20:08
  • If I'm grepping by the service name, I could just use the service name straight into the script. To be more clear, I want to have the script to run for each service listed on the yml as they go up. – Victor Praxedes Jun 22 '21 at 20:18
  • "As they go up" would require compose to have some execution callback hook to know when the container transitions between states. If you really want that level of control, I suggest using the Golang/Python Compose _Client_ rather than shell scripts – OneCricketeer Jun 22 '21 at 20:19
  • Compose file format v2 is still supported, and supports more of the detailed `docker run` options that aren't appropriate for Swarm (including [`pids_limit:`](https://docs.docker.com/compose/compose-file/compose-file-v2/#pids_limit)). Would that better match your needs? – David Maze Jun 22 '21 at 20:30
  • @DavidMaze if I had the option to go back to v2, I would for sure. It seems that the way to go is using the Python/Golang API as Cricketeer suggested. – Victor Praxedes Jun 22 '21 at 23:05
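The following script is an added example (not from the question or any commenter) of the "update after `up`" approach described above: it asks docker-compose for the service list, resolves each service to its running container IDs, applies `docker container update --pids-limit`, and reads `HostConfig.PidsLimit` back so the CIS check can be verified. It assumes the v1 `docker-compose` CLI and a compose file in the current directory; the `COMPOSE` and `DOCKER` variables are a hypothetical convenience so the commands can be swapped for testing.

```shell
#!/bin/sh
# Added example: enforce a PID limit on every container of a docker-compose
# project after `docker-compose up -d`. Not part of the original question.
# Assumptions: docker-compose v1 CLI, compose file in the current directory.
set -eu

# Hypothetical overridable command names (defaults are the real tools).
COMPOSE=${COMPOSE:-docker-compose}
DOCKER=${DOCKER:-docker}

# `docker-compose config --services` prints one service name per line.
compose_services() {
  $COMPOSE config --services
}

# `docker-compose ps -q SERVICE` prints the container IDs of a service
# (several lines when the service was scaled).
service_containers() {
  $COMPOSE ps -q "$1"
}

# Apply --pids-limit to every container of every service.
# Prints "service container-id" for each container it touched.
apply_pids_limit() {
  limit="$1"
  case "$limit" in
    ''|*[!0-9]*) echo "usage: apply_pids_limit <positive-integer>" >&2; return 2 ;;
  esac
  for svc in $(compose_services); do
    for cid in $(service_containers "$svc"); do
      $DOCKER container update --pids-limit "$limit" "$cid" >/dev/null
      echo "$svc $cid"
    done
  done
}

# Read the effective limit back from the container's HostConfig, which is
# what an auditor checking the CIS item would look at.
check_pids_limit() {
  $DOCKER inspect --format '{{.HostConfig.PidsLimit}}' "$1"
}

# Usage: ./pids-limit.sh 1234   (run right after `docker-compose up -d`)
if [ $# -gt 0 ]; then
  apply_pids_limit "$1"
fi
```

`docker container update` changes the running container only: if a later `docker-compose up` recreates a container, the new one starts without the limit, so the script has to run again after each `up`. If switching the compose file back to format v2 is possible, the `pids_limit:` key mentioned in the comments makes the limit part of the service definition and removes the need for the script entirely.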

0 Answers