H. Peter Anvin wrote: > Daniel Lezcano wrote: > >> sukadev@xxxxxxxxxxxxxxxxxx wrote: >> >>> Enable multiple instances of devpts filesystem so each container can >>> allocate >>> ptys independently. >>> >>> >> Hi suka, >> >> It looks like the /proc/sys/kernel/pty/max and nr are not virtualized. >> Modifying in the container the "max" pty, that impacts the init_pty. >> Same as nr which does not show the real number of pty allocated for the >> container. >> >> Are you planning to fix this ? >> >> > > That's a separate issue, i.e. a resource allocation > localization/globalization issue. The main reason for these limits is > top put a cap on the amount of low kernel memory used on 32-bit systems > especially, which is somewhat inherently global. > > Resource limit partitioning is a much bigger and orthogonal problem. > In this case we don't have the pty allocated independently, no ? I mean one container can allocate 4095 pty, making a pty starvation for others containers. Or imagine I am a vilain and I want to mess the other containers, I can do echo 0 > /proc/sys/kernel/pty/max. AFAIR, we said people making isolation of a resource is in charge (if it is relevant), to take into account the /proc/sys part. For example, making the network per namespace all the network configuration variable located in /proc/sys/net are per namespace too. When it is irrelevant the file is read-only or just not displayed. IMHO, pty/max and pty/nr is part of the "multiple devpts instances" feature. _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/containers