Re: [PATCH 0/9] Multiple devpts instances

Daniel Lezcano wrote:
> 
> Yep,  I changed my mind, I think Eric and HPA are right. devpts is a 
> file system and not a namespace even if the result is the same. That 
> makes sense to keep a global sysctl for the root container and handle 
> security problem with user namespace and mount option.
> 

No, it's more dramatic than that.

Namespaces are not resource allocation boundaries, even though in the 
container use case you probably want both.

Furthermore, namespaces are relatively straightforward in comparison: 
you generally either want to share a namespace or you don't.  Resource 
control policies are much more complex.  In the general case you want to 
be able to support a hierarchical cascade of policies; at the least you 
want to have global and local limits.

Furthermore, there are a number of use cases for resource allocation 
boundaries that do *not* involve namespaces.

	-hpa
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
