Summary
Config files can specify arbitrary dockerargs, including arguments that remove or override resource constraints on spawned containers. An unrestricted container could consume all available CPU, memory, or disk on the host.
Location
config-samples/ — no sample demonstrates resource limits; entrypoint.sh — no defaults are enforced.
Attack Vector
A config entry such as:
{
  "schedule": "* * * * *",
  "image": "ubuntu",
  "command": "stress --cpu 8 --vm 4 --vm-bytes 2G",
  "dockerargs": "--memory=0 --cpus=0"
}
will spawn an unconstrained container every minute, potentially exhausting host resources.
Recommended Fix
- Add default resource limits to the sample configs and document them in the README.
- Consider enforcing sensible defaults in make_image_cmd unless explicitly overridden:
  # Default limits go first, so a limit the user provides in DOCKERARGS comes later and takes precedence
  DOCKERARGS="--memory=512m --cpus=1.0 ${DOCKERARGS:-}"
- Note the DoS risk in the security documentation.
Severity
Low
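One way to enforce the recommended defaults while refusing entries that switch a limit off, as an added example that is not code from the project or from this issue. The function names `apply_resource_defaults` and `is_not_a_limit` are hypothetical, and the code assumes Docker honours the last occurrence of a repeated flag, which is why the defaults are placed before the entry's own dockerargs.

```sh
#!/bin/sh
# Added example, not project code. DEFAULT_* are the limits the issue proposes.
DEFAULT_MEMORY="512m"
DEFAULT_CPUS="1.0"

# Succeeds when VALUE would not act as a limit: missing, another flag or a
# negative number, or zero in any spelling (0, 0.0, 0m), which removes the cap.
is_not_a_limit() {
    case "$1" in
        ''|-*)   return 0 ;;
        *[1-9]*) return 1 ;;
        *)       return 0 ;;
    esac
}

# Prints dockerargs with defaults prepended for any limit the entry omits.
# Returns 1 when the entry sets --memory/-m or --cpus to a non-limit.
# Assumption: for a repeated flag the last occurrence wins, so it is the one checked.
# Scope: only these two flags are inspected; values must not contain spaces.
apply_resource_defaults() {
    have_mem=0; have_cpus=0; mem=""; cpus=""; pending=""
    set -f                                  # split on whitespace, no globbing
    for tok in $1; do
        case "$pending" in
            mem)  mem=$tok;  pending=""; continue ;;
            cpus) cpus=$tok; pending=""; continue ;;
        esac
        case "$tok" in
            --memory=*)  have_mem=1;  mem=${tok#--memory=} ;;
            --cpus=*)    have_cpus=1; cpus=${tok#--cpus=} ;;
            --memory|-m) have_mem=1;  pending=mem ;;
            --cpus)      have_cpus=1; pending=cpus ;;
            -m=*)        have_mem=1;  mem=${tok#-m=} ;;
            -m?*)        have_mem=1;  mem=${tok#-m} ;;
        esac
    done
    set +f
    if [ -n "$pending" ] ||
       { [ "$have_mem" -eq 1 ] && is_not_a_limit "$mem"; } ||
       { [ "$have_cpus" -eq 1 ] && is_not_a_limit "$cpus"; }; then
        echo "rejected dockerargs (resource limit disabled): $1" >&2
        return 1
    fi
    out=$1
    [ "$have_cpus" -eq 1 ] || out="--cpus=$DEFAULT_CPUS${out:+ $out}"
    [ "$have_mem" -eq 1 ]  || out="--memory=$DEFAULT_MEMORY${out:+ $out}"
    printf '%s\n' "$out"
}
```

Called with the dockerargs from the config entry above (`--memory=0 --cpus=0`), the function returns 1 and the entry can be skipped instead of scheduled.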