Hi Richard,
All I am suggesting is that someone may want to run a custom process as their <init> process that may or may not have the ability to set the rlimits. This would just allow them to start in a known state. You are absolutely right that without user namespaces the container could set them to whatever the user wanted.
However, I think there also exists the possibility that a user not running user namespaces could use the XML to drop the 'CAP_SYS_RESOURCE' capability and therefore would not be able to set rlimits. But I have not tested this scenario.
Ryan
On Mon, Feb 23, 2015 at 11:44 AM, Richard Weinberger <richard@xxxxxx> wrote:
Ryan,
Am 23.02.2015 um 18:37 schrieb Ryan Cleere:
> Richard,
>
> I have to disagree that it should require idmap. It is true that without idmap the container can freely set it's own rlimits, but I believe this functionality could be useful to
> containers that don't run /sbin/init. What I mean by that is application specific containers could have their limits set without the application having to set them, or even having
> to write a shim to set them.
Sorry, I don't understand. What has running a non /sbin/init do to with that?
Without user namespaces root within the container can bypass these limits.
Thanks,
//richard
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list