Problem Statement

In a standalone host environment managed via Podman and systemd (Quadlet), containerized components currently operate without explicit resource boundaries. This lack of constraints poses a security and stability risk: a single process within a container can consume all available host CPU or memory, leading to a "noisy neighbor" effect or a total system hang (Denial of Service).

This RFE requests the mandatory implementation of resource limits and reservations within Quadlet .container files. Adopting these constraints is required to align with industry-standard hardening frameworks, specifically BSI SYS.1.6. A15, PCI-DSS v4.0 (Requirement 2.2), and CIS Docker (Control 5.10) Benchmarks, which mandate that container resource consumption be restricted to prevent service disruption. (I did not verify, but am quite sure that the same requirement is included in stig, pci-dss and other frameworks)

User Experience & Workflow

User Experience & Workflow should not significantly change. Maybe a User might have the need to customize this settings in "T-Shirt Sizes" depending on the Environment.

Requirements

[MVP] Mandatory Resource Definitions: All core service manifests must include cpu and memory resource limitations.

Business Impact

Without these controls, the platform will fail audits for BSI SYS.1.6, CIS, and PCI-DSS v4.0 (Requirement 2.2), potentially barring the product from use in government and financial sectors.

for reference a small discussion how to do it with quadlet / podman was done here: https://github.com/containers/podman/issues/20499