2.3.2.4 Cgroup Process Limits
A focused guide to Cgroup Process Limits, connecting core concepts with practical Docker and container operations.
Cgroup process limits restrict how many processes (and, more precisely, how many process IDs) a container is allowed to create, preventing a runaway fork bomb or an unexpected process leak inside one container from exhausting the host's total available process ID space.
Why Limiting Process Count Matters
The number of process IDs a Linux system can allocate is finite. If a single container is allowed to create an unbounded number of processes — whether intentionally through a fork bomb or accidentally through a bug that spawns processes faster than it cleans them up — it can exhaust the host's available PIDs, affecting every other container and the host itself.
docker run -d --pids-limit=100 myapp:1.0
This container can never have more than 100 processes running simultaneously, regardless of what the application inside attempts to spawn.
Observing the Limit in Effect
Once the limit is reached, further attempts by the container to create new processes fail at the kernel level, which an application would typically observe as a resource allocation error from whatever system call it used to attempt the fork.
docker run --pids-limit=10 --rm alpine sh -c 'for i in $(seq 1 50); do sleep 1 & done; wait'
Attempting to start far more background processes than the configured limit allows results in some of those process creation attempts failing once the limit is reached.
Choosing an Appropriate Process Limit
A reasonable process limit depends entirely on the application's normal behavior — a single-process application needs only a small limit, while an application that legitimately spawns many worker processes needs a correspondingly higher one, set with enough headroom to avoid limiting normal operation.
docker exec myapp ls /proc | grep -E '^[0-9]+$' | wc -l
This counts the number of processes currently running inside a container, useful for understanding typical process counts before setting an appropriate limit.
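The counters behind `--pids-limit` can also be read directly, which shows both whether the limit has already been hit and how much headroom remains. This is an added example, not part of the original page: it assumes a cgroup v2 directory containing `pids.current`, `pids.max` and `pids.events`, and the function name `pids_report`, the status labels, the 80% threshold and the sample values are all constructed for illustration. Unlike the `/proc` listing above, `pids.current` also counts threads.

```shell
#!/bin/sh
# Added example (not from the original page): summarise one cgroup v2
# directory's pids controller files. The 80% warning threshold is an assumption.

pids_report() {
    dir=$1
    if [ ! -r "$dir/pids.current" ] || [ ! -r "$dir/pids.max" ]; then
        echo "error: no pids controller files in $dir" >&2
        return 2
    fi
    current=$(cat "$dir/pids.current")   # tasks charged now (threads count too)
    limit=$(cat "$dir/pids.max")         # a number, or the word "max" (no limit)
    # pids.events carries "max <n>": fork attempts that ran into the limit.
    denied=0
    if [ -r "$dir/pids.events" ]; then
        denied=$(awk '$1 == "max" { print $2 }' "$dir/pids.events")
        denied=${denied:-0}
    fi
    if [ "$limit" = "max" ]; then
        echo "current=$current limit=unlimited denied=$denied status=UNBOUNDED"
        return 0
    fi
    if [ "$limit" -gt 0 ]; then pct=$(( current * 100 / limit )); else pct=100; fi
    if [ "$denied" -gt 0 ]; then
        status=LIMIT_HIT
    elif [ "$pct" -ge 80 ]; then
        status=NEAR_LIMIT
    else
        status=OK
    fi
    echo "current=$current limit=$limit used=${pct}% denied=$denied status=$status"
}

# Constructed sample: what a container started with --pids-limit=10 might show
# after the 50-job loop above (values invented for illustration).
sample=$(mktemp -d)
printf '10\n' > "$sample/pids.current"
printf '10\n' > "$sample/pids.max"
printf 'max 41\n' > "$sample/pids.events"
pids_report "$sample"
rm -rf "$sample"
```

The directory to pass in depends on the cgroup version and driver in use; inside a container on a cgroup v2 host it is typically `/sys/fs/cgroup`.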
Why Process Limits Matter
Process limits are a relatively low-cost safeguard against a category of failure — uncontrolled process growth — that can otherwise affect an entire host rather than being contained to the single misbehaving container, making this limit valuable even on hosts that are not otherwise resource-constrained.