forked from luck/tmp_suning_uos_patched
userns: Recommend use of memory control groups.
In the help text describing user namespaces recommend use of memory control groups. In many cases memory control groups are the only mechanism there is to limit how much memory a user who can create user namespaces can use. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
This commit is contained in:
parent
0bd14b4fd7
commit
e11f0ae388
14
Documentation/namespaces/resource-control.txt
Normal file
14
Documentation/namespaces/resource-control.txt
Normal file
|
@ -0,0 +1,14 @@
|
|||
There are a lot of kinds of objects in the kernel that don't have
|
||||
individual limits or that have limits that are ineffective when a set
|
||||
of processes is allowed to switch user ids. With user namespaces
|
||||
enabled in a kernel for people who don't trust their users or their
|
||||
users programs to play nice this problems becomes more acute.
|
||||
|
||||
Therefore it is recommended that memory control groups be enabled in
|
||||
kernels that enable user namespaces, and it is further recommended
|
||||
that userspace configure memory control groups to limit how much
|
||||
memory user's they don't trust to play nice can use.
|
||||
|
||||
Memory control groups can be configured by installing the libcgroup
|
||||
package present on most distros editing /etc/cgrules.conf,
|
||||
/etc/cgconfig.conf and setting up libpam-cgroup.
|
|
@ -1035,6 +1035,13 @@ config USER_NS
|
|||
help
|
||||
This allows containers, i.e. vservers, to use user namespaces
|
||||
to provide different user info for different servers.
|
||||
|
||||
When user namespaces are enabled in the kernel it is
|
||||
recommended that the MEMCG and MEMCG_KMEM options also be
|
||||
enabled and that user-space use the memory control groups to
|
||||
limit the amount of memory a memory unprivileged users can
|
||||
use.
|
||||
|
||||
If unsure, say N.
|
||||
|
||||
config PID_NS
|
||||
|
|
Loading…
Reference in New Issue
Block a user