Replace nproc with pids limit
Support for configuring the nproc limit was added in https://github.com/remind101/empire/pull/761; however, I don't think it's ever actually worked the way it was intended.
From the docker run docs:
Be careful setting nproc with the ulimit flag as nproc is designed by Linux to set the maximum number of processes available to a user, not to a container. For example, start four containers with daemon user:
$ docker run -d -u daemon --ulimit nproc=3 busybox top
$ docker run -d -u daemon --ulimit nproc=3 busybox top
$ docker run -d -u daemon --ulimit nproc=3 busybox top
$ docker run -d -u daemon --ulimit nproc=3 busybox top

The 4th container fails and reports “[8] System error: resource temporarily unavailable” error. This fails because the caller set nproc=3 resulting in the first three containers using up the three processes quota set for the daemon user.
I ran into this behavior when attempting to enable user namespace remapping. Recent versions of Docker support a more granular alternative that's cgroup aware: https://github.com/moby/moby/pull/18697
Unfortunately, this doesn't seem to be supported in ECS yet, but I think a good alternative for the time being would be to add a flag to Empire that allows it to start in a user namespace compatibility mode so that nproc is disabled.
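
An audit sketch for the problem described above, added here as an example (it is not code from this issue or from Empire): it scans `docker inspect` JSON for containers that rely on the per-user nproc ulimit and for containers with no pids cgroup limit. The sample input is constructed, the `audit` function is a hypothetical name, and users are compared as the strings in `Config.User`, not as resolved UIDs.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `docker inspect` output (not real containers).
SAMPLE = json.loads("""[
 {"Name": "/web1", "Config": {"User": "daemon"},
  "HostConfig": {"Ulimits": [{"Name": "nproc", "Soft": 3, "Hard": 3}], "PidsLimit": 0}},
 {"Name": "/web2", "Config": {"User": "daemon"},
  "HostConfig": {"Ulimits": [{"Name": "nproc", "Soft": 3, "Hard": 3}], "PidsLimit": null}},
 {"Name": "/worker", "Config": {"User": "app"},
  "HostConfig": {"Ulimits": null, "PidsLimit": 100}},
 {"Name": "/cron", "Config": {"User": ""},
  "HostConfig": {"Ulimits": [{"Name": "nproc", "Soft": 64, "Hard": 64}], "PidsLimit": 50}}
]""")

NPROC_MSG = "nproc ulimit is accounted per user, not per container"
PIDS_MSG = "no pids cgroup limit set"

def audit(containers):
    """Return (findings, shared).

    findings: container name -> list of issues.
    shared:   user -> containers that draw on the same nproc quota.
    """
    findings = {}
    by_user = defaultdict(list)
    for c in containers:
        name = c["Name"].lstrip("/")
        host = c.get("HostConfig") or {}
        ulimits = host.get("Ulimits") or []      # null when no --ulimit was given
        pids = host.get("PidsLimit") or 0        # null, 0 and -1 all mean unlimited
        issues = []
        if any(u.get("Name") == "nproc" for u in ulimits):
            # An empty User means the container runs as root.
            user = (c.get("Config") or {}).get("User") or "root"
            by_user[user].append(name)
            issues.append(NPROC_MSG)
        if pids <= 0:
            issues.append(PIDS_MSG)
        if issues:
            findings[name] = issues
    shared = {u: names for u, names in by_user.items() if len(names) > 1}
    return findings, shared

if __name__ == "__main__":
    findings, shared = audit(SAMPLE)
    for name, issues in findings.items():
        print(f"{name}: {'; '.join(issues)}")
    for user, names in shared.items():
        print(f"user {user!r}: {', '.join(names)} share one nproc quota")
```

To run it against a live host, replace `SAMPLE` with the parsed output of `docker inspect` for the containers of interest.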