Re: [PATCH] Add ability to set rlimits at container boot

Hi Richard,

All I am suggesting is that someone may want to run a custom process as their <init> process that may or may not have the ability to set the rlimits. This would just allow them to start in a known state. You are absolutely right that without user namespaces the container could set them to whatever the user wanted. 

However, I think there also exists the possibility that a user not running user namespaces could use the XML to drop the 'CAP_SYS_RESOURCE' capability and therefore would not be able to set rlimits. But I have not tested this scenario.

Ryan

On Mon, Feb 23, 2015 at 11:44 AM, Richard Weinberger <richard@xxxxxx> wrote:
Ryan,

On 23.02.2015 at 18:37, Ryan Cleere wrote:
> Richard,
>
> I have to disagree that it should require idmap. It is true that without idmap the container can freely set its own rlimits, but I believe this functionality could be useful to
> containers that don't run /sbin/init. What I mean by that is application specific containers could have their limits set without the application having to set them, or even having
> to write a shim to set them.

Sorry, I don't understand. What has running a non /sbin/init to do with that?
Without user namespaces root within the container can bypass these limits.

Thanks,
//richard

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
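
Added example, not part of the thread or of the libvirt patch: a Linux C program that checks the kernel-side behaviour the messages above turn on, namely that a process which has had its hard limit lowered and no longer holds CAP_SYS_RESOURCE cannot raise the limit again. The function names and the choice of RLIMIT_NOFILE are assumptions made for the illustration; it exercises only the setrlimit(2) permission check, not libvirt's XML handling.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/capability.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Remove CAP_SYS_RESOURCE from the caller's effective and permitted sets. */
static int drop_cap_sys_resource(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    data[CAP_TO_INDEX(CAP_SYS_RESOURCE)].effective &= ~CAP_TO_MASK(CAP_SYS_RESOURCE);
    data[CAP_TO_INDEX(CAP_SYS_RESOURCE)].permitted &= ~CAP_TO_MASK(CAP_SYS_RESOURCE);
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

/* In a child: halve the RLIMIT_NOFILE hard limit, drop the capability, then
 * try to restore the old limit. Returns 0 = raised, 1 = EPERM, 2 = setup error. */
int try_raise_after_drop(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return 2;
    if (pid == 0) {
        struct rlimit lim;
        if (getrlimit(RLIMIT_NOFILE, &lim) != 0 || lim.rlim_max < 2)
            _exit(2);
        rlim_t original = lim.rlim_max;
        lim.rlim_cur = lim.rlim_max = original / 2;   /* lowering needs no privilege */
        if (setrlimit(RLIMIT_NOFILE, &lim) != 0 || drop_cap_sys_resource() != 0)
            _exit(2);
        lim.rlim_max = original;                      /* raising the hard limit */
        _exit(setrlimit(RLIMIT_NOFILE, &lim) == 0 ? 0 : errno == EPERM ? 1 : 2);
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return 2;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = try_raise_after_drop();
    puts(r == 1 ? "raise denied (EPERM)" : r == 0 ? "raise allowed" : "setup error");
    return r != 1;
}
```

Run as root or as an ordinary user, the result is the same because the capability is cleared in the child before the raise is attempted.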
