On Fri, Apr 27, 2012 at 08:51:40AM -0700, Tejun Heo wrote:
> On Fri, Apr 27, 2012 at 11:48:41AM -0400, Vivek Goyal wrote:
> > Not an unprivileged malicious application. In typical cgroup scenario, we
> > can allow unprivileged users to create child cgroups so that it can
> > further subdivide its resources to its children group. (ex. put firefox
> > in one cgroup, open office in another group etc.).
> >
> > So it is not same as jack up nr_requests.
>
> I find allowing unpriv users creating cgroups dumb. cgroup consumes
> kernel memory. Sans using kmemcg, what prevents them from creating
> gazillion cgroups and consuming all memories? The idea of allowing
> cgroups to !priv users is just broken from the get go.

Well, creating a task consumes memory too but we allow unpriv users to
create tasks. :-)

Maybe a system wide cgroup limit will make sense?

Thanks
Vivek
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers