On Thu, Nov 7, 2013 at 12:31 PM, Robert Gierzinger <robert.gierzinger@xxxxxx> wrote:
> Will there be a limitation of the number of processes per cgroup (task counter subsystem from Frederic Weisbecker)? I guess this would be interesting for many users especially in connection with LXC. As long as this is not implemented our security policy prevents us from using LXC. I could isolate resources quite well, however, I am still able to bomb the host system once I become root in LXC-guests. I tried to circumvent this problem with apparmor, rlimits etc. but was not successful, see http://sourceforge.net/mailarchive/forum.php?thread_name=CAJ75kXYapfC_ihVyshWyGQqBL_jJbLJitgOscaCt1ciNyoyokg%40mail.gmail.com&forum_name=lxc-devel
> Is there any plan for such an implementation?

You probably should try using memory.kmem.limit_in_bytes; it was made for that purpose IIRC.

--
William
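
One way to apply the `memory.kmem.limit_in_bytes` suggestion from the reply, as an added example that is not part of the original thread. It assumes the cgroup v1 memory controller with kernel-memory accounting, where the limit can only be set while the group has no tasks and no child groups; the helper name `set_kmem_limit` and the path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: cap kernel memory for a cgroup v1 memory cgroup before a
# container starts. Every process costs kernel memory (task struct, kernel
# stack), so this cap bounds how many processes the group can create.
# set_kmem_limit is a hypothetical helper, not an LXC or kernel tool.
#
# Usage (path is an assumption about where the container's cgroup lives):
#   set_kmem_limit /sys/fs/cgroup/memory/lxc/guest1 268435456
#
# Return codes:
#   0  limit written; the value read back is printed
#   2  directory is not a memory cgroup exposing the kmem knob
#   3  group already has tasks or child groups (kernel would answer EBUSY)
#   4  limit is not a positive integer
set_kmem_limit() {
    cg=$1
    limit=$2
    knob="$cg/memory.kmem.limit_in_bytes"

    case $limit in
        ''|*[!0-9]*|0) echo "invalid limit: $limit" >&2; return 4 ;;
    esac
    [ -f "$knob" ] || { echo "no kmem knob in $cg" >&2; return 2; }

    # cgroupfs files report size 0, so read the content instead of using -s.
    if [ -n "$(cat "$cg/tasks" 2>/dev/null)" ]; then
        echo "$cg already has tasks; set the limit before starting the guest" >&2
        return 3
    fi
    for child in "$cg"/*/; do
        if [ -d "$child" ]; then
            echo "$cg already has child groups" >&2
            return 3
        fi
    done

    echo "$limit" > "$knob" || return 1
    # On a real cgroup the kernel may round the value to a page multiple.
    cat "$knob"
}
```
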