6.3.4.3 Container Process Limits
A focused guide to Container Process Limits, connecting core concepts with practical Docker and container operations.
Container process limits constrain the maximum number of processes (and threads) a container is allowed to create, protecting the host against a fork bomb or runaway process creation that could otherwise exhaust the host's available process table entries.
Setting a Process Limit
The --pids-limit flag caps the number of processes a container can have running simultaneously.
docker run -d --pids-limit=100 myapp:1.0
Once the container's processes and threads together reach 100, any further attempt to create one fails, while the processes already running are unaffected; the limit counts threads as well as processes because it is enforced by the kernel's pids cgroup controller.
Why This Limit Protects the Host
A process table is a host-wide, finite resource — without a per-container limit, a single container experiencing a fork bomb (whether from a bug or genuinely malicious code) could exhaust this resource, affecting every other container and process on the host.
docker run -d --pids-limit=50 myapp:1.0
A reasonable limit here ensures this container's processes, even if something goes wrong, cannot consume an unbounded share of the host's total process capacity.
Observing Current Process Count Against the Limit
A container's current process count can be checked against its configured limit, which is useful for judging whether the limit is sized correctly for the application's normal operation. Two caveats apply to the ps-based count below: its first output line is a column header, so subtract one, and ps lists processes only, whereas the counter Docker enforces also includes threads, so a heavily multithreaded application sits closer to its limit than ps suggests.
docker exec myapp sh -c "ps aux | wc -l"
docker inspect myapp --format '{{.HostConfig.PidsLimit}}'
Choosing an Appropriate Process Limit
The limit should comfortably accommodate the application's normal process and thread usage, while still being low enough to meaningfully constrain a genuine runaway process creation scenario.
docker run -d --pids-limit=200 myapp:1.0
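The checks and sizing guidance above, pulled together into one script, as an added shell example that is not part of this guide. It reads the enforced counter through docker stats (which, unlike ps, includes threads), compares it with the configured limit from docker inspect, and suggests a new limit from an observed peak. The container name "myapp", the 80% warning threshold, and the sizing rule (double the observed peak, rounded up to the next multiple of 50, never below 50) are assumptions made for this example, not Docker defaults.

```shell
#!/bin/sh
# Added example, not from the original guide or from Docker itself.
# Assumptions: docker CLI on PATH; a running container name is passed as $1
# (e.g. "myapp"); the headroom rule and 80% threshold are constructed policy.

# pids_utilisation CURRENT LIMIT -> integer percentage of the limit in use,
# or "unlimited" when no --pids-limit is configured. docker inspect prints
# 0 (older releases) or <nil> (newer releases) for an unset limit, so both
# are treated as "no limit" rather than as a division by zero.
pids_utilisation() {
    current=$1
    limit=$2
    case "$limit" in
        ''|0|'<nil>'|*[!0-9]*) echo unlimited; return 0 ;;
    esac
    echo $(( current * 100 / limit ))
}

# recommend_limit PEAK -> suggested --pids-limit: twice the observed peak,
# rounded up to the next multiple of 50, with a floor of 50. This is the
# example's own rule of thumb; tune it to the application's real behaviour.
recommend_limit() {
    peak=$1
    want=$(( peak * 2 ))
    if [ "$want" -lt 50 ]; then
        want=50
    fi
    echo $(( (want + 49) / 50 * 50 ))
}

# report CONTAINER -> prints current count, configured limit and utilisation,
# warning when the container is within 20% of its limit.
report() {
    name=$1
    # {{.PIDs}} is the cgroup pids counter, so threads are included.
    current=$(docker stats --no-stream --format '{{.PIDs}}' "$name")
    limit=$(docker inspect --format '{{.HostConfig.PidsLimit}}' "$name")
    util=$(pids_utilisation "$current" "$limit")
    echo "$name: pids=$current limit=$limit utilisation=$util%"
    if [ "$util" = unlimited ]; then
        echo "warning: no --pids-limit set; consider --pids-limit=$(recommend_limit "$current")"
    elif [ "$util" -ge 80 ]; then
        echo "warning: within 20% of the limit; consider --pids-limit=$(recommend_limit "$current")"
    fi
}

# Only talk to Docker when a container name is given: ./pids-check.sh myapp
if [ -n "${1:-}" ] && command -v docker >/dev/null 2>&1; then
    report "$1"
fi
```

Run the report a few times during the application's busiest period and feed the highest value seen to recommend_limit; a limit that is never approached in normal operation but far below the host's capacity is the target.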
Why Container Process Limits Matter
A process limit is a relatively low-effort safeguard against a specific but serious failure mode — uncontrolled process creation exhausting a host-wide, shared resource — making it a worthwhile addition to a container's overall resource constraint configuration, alongside memory and CPU limits.