Got CVE-2024-55528 in Alibaba Pouch.
Two containers (managed by Pouch) sharing the same IPC namespace can exhaust the host memory and crash the host, even when a cgroup memory limit is applied to them.
The ‘IPC=shareable’ option lets multiple containers share one IPC namespace. One of these containers (container A) can continuously create IPC resources, within its own cgroup's memory limit, to communicate with another container (container B) in the same IPC namespace. The memory used by these IPC resources is charged to container A's cgroup, and that charge is cleared when container A exits. However, the IPC resources themselves are not released when container A exits; they are destroyed only when the IPC namespace itself is torn down. As long as container B keeps the namespace alive, those resources keep occupying host memory with no cgroup accounting for them.

In this way, attackers can start two containers in ‘IPC=shareable’ mode and repeatedly restart one of them to evade the cgroup's restriction: each restarted instance can create a fresh batch of IPC resources until the host's memory is exhausted.
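A defender-side audit for the configuration described above, added here as an example and not part of the original post or of Pouch itself: it walks container `inspect` records and reports every IPC namespace that is shared between two or more containers, since those are the namespaces whose IPC objects outlive a member's cgroup. The input is a constructed sample; that Pouch exposes `HostConfig.IpcMode` in the same Docker-compatible shape is an assumption.

```python
import json
from collections import defaultdict

# Constructed sample of `inspect` output for three containers (not real data).
# Field layout follows the Docker-compatible HostConfig.IpcMode shape, which
# this example assumes Pouch emits as well.
SAMPLE_INSPECT = json.loads("""
[
  {"Id": "aaa111", "Name": "/producer",
   "HostConfig": {"IpcMode": "shareable", "Memory": 268435456}},
  {"Id": "bbb222", "Name": "/consumer",
   "HostConfig": {"IpcMode": "container:producer", "Memory": 268435456}},
  {"Id": "ccc333", "Name": "/isolated",
   "HostConfig": {"IpcMode": "private", "Memory": 0}}
]
""")


def shared_ipc_groups(containers):
    """Map each IPC-namespace owner id to the sorted ids of all its members.

    'shareable' marks a namespace owner; 'container:<id-or-name>' marks a
    container that joins another container's namespace. Only namespaces with
    two or more members are returned: that is the configuration in which IPC
    objects created by one member survive its exit (and its cgroup charge)
    for as long as any other member keeps the namespace alive.
    """
    by_name = {c["Name"].lstrip("/"): c["Id"] for c in containers}
    members = defaultdict(set)
    for c in containers:
        mode = c["HostConfig"].get("IpcMode", "")
        if mode == "shareable":
            members[c["Id"]].add(c["Id"])
        elif mode.startswith("container:"):
            ref = mode.split(":", 1)[1]
            owner = by_name.get(ref, ref)  # the reference may be a name or an id
            members[owner].update({owner, c["Id"]})
    return {o: sorted(m) for o, m in members.items() if len(m) > 1}


def report(containers):
    """One audit-log line per shared IPC namespace found."""
    return [f"IPC namespace of {owner} shared by {len(ids)} containers "
            f"({', '.join(ids)}); cgroup memory limits do not bound its IPC objects"
            for owner, ids in shared_ipc_groups(containers).items()]


if __name__ == "__main__":
    for line in report(SAMPLE_INSPECT):
        print(line)
```

On a live host, replace `SAMPLE_INSPECT` with the parsed output of the container runtime's inspect command for all containers.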