Hello Eric, On 07/21/2016 06:39 PM, Eric W. Biederman wrote:
This patchset addresses two use cases: - Implement a sane upper bound on the number of namespaces. - Provide a way for sandboxes to limit the attack surface from namespaces. The maximum sane case I can imagine is if every process is a fat process, so I set the maximum number of namespaces to the maximum number of threads. I make these limits recursive and per user namespace so that a usernamespace root can reduce the limits further. If a user namespace root raises the limit the limit in the parent namespace will be honored. I have cut this implementation to the bare minimum needed to achieve these objectives. Does anyone know if there is a proper error code to return for resource limit exceeded? I am currently using -EUSERS or -ENFILE but both of those feel a little wrong.
ENFILE certainly seems weird. I suppose my first question is: why two different errors? Some alternatives you might want to consider: E2BIG, EOVERFLOW, or (maybe) ERANGE. Cheers, Michael _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
