On Fri, Apr 27, 2012 at 11:56:12AM -0400, Vivek Goyal wrote:
> On Fri, Apr 27, 2012 at 08:51:40AM -0700, Tejun Heo wrote:
> > On Fri, Apr 27, 2012 at 11:48:41AM -0400, Vivek Goyal wrote:
> > > Not an unprivileged malicious application. In typical cgroup scenario, we
> > > can allow unprivileged users to create child cgroups so that it can
> > > further subdivide its resources to its children group. (ex. put firefox
> > > in one cgroup, open office in another group etc.).
> > >
> > > So it is not same as jack up nr_requests.
> >
> > I find allowing unpriv users creating cgroups dumb. cgroup consumes
> > kernel memory. Sans using kmemcg, what prevents them from creating
> > gazillion cgroups and consuming all memories? The idea of allowing
> > cgroups to !priv users is just broken from the get go.
>
> Well creating a task consumes memory too but we allow unpriv users to
> create tasks. :-)

Well, kernel can kill tasks and reclaim that memory so this is not an
appropriate example. A more suitable example probably is AIO where
kernel pins down some memory and we limit that amount by upper limit on
number of aio requests.

Thanks
Vivek
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers