| Eric W. Biederman | e11f0ae | 2013-01-25 16:48:31 -0800 | [diff] [blame] | 1 | There are a lot of kinds of objects in the kernel that don't have |
| 2 | individual limits or that have limits that are ineffective when a set |
| 3 | of processes is allowed to switch user ids. With user namespaces |
| 4 | enabled in a kernel for people who don't trust their users or their |
| 5 | users programs to play nice this problems becomes more acute. |
| 6 | |
| 7 | Therefore it is recommended that memory control groups be enabled in |
| 8 | kernels that enable user namespaces, and it is further recommended |
| 9 | that userspace configure memory control groups to limit how much |
| 10 | memory user's they don't trust to play nice can use. |
| 11 | |
| 12 | Memory control groups can be configured by installing the libcgroup |
| 13 | package present on most distros editing /etc/cgrules.conf, |
| 14 | /etc/cgconfig.conf and setting up libpam-cgroup. |