On Sun, Sep 05, 2021 at 07:20:01PM +0200, Greg KH wrote: > If you are concerned about this, please restrict the kernel.pty.max > value to be much lower. The kernel.pty.max value specifies the global maximum limit. So I believe the point solution to *this* particular container resource limit is to mount separate instances of /dev/pts in each container chroot with the mount option max=NUM, instead of bind-mounting the top-level /dev/pts into each container chroot. And <whack> we can use the rubber mallet to hit one more mole in the whack-a-mole game. :-) Or you can just assume that all of the containers are cooperatively trying to share the OS resources, and if there is a malicious container, it can be handled out-of-band by non-technical means (e.g., by having the Site Reliability Engineer tracking down owner of said malicious container, and then talking to their manager to tell them not to do that particular anti-social thing, docking the owner's social credit account, etc.). - Ted
