On Sun, Sep 05, 2021 at 09:36:56PM -0400, Theodore Ts'o wrote:
> On Sun, Sep 05, 2021 at 07:20:01PM +0200, Greg KH wrote:
> > If you are concerned about this, please restrict the kernel.pty.max
> > value to be much lower.
>
> The kernel.pty.max value specifies the global maximum limit. So I
> believe the point solution to *this* particular container resource
> limit is to mount separate instances of /dev/pts in each container
> chroot with the mount option max=NUM, instead of bind-mounting the
> top-level /dev/pts into each container chroot.

Yes, this is literally the standard. But also, this is a problem for
which you don't need any containers. Any unprivileged user on the host
can open as many pty devices as they want, as /dev/ptmx is openable by
an unprivileged user on every distro. It gets worse, obviously, if you
set max=1024 on the host, as you can quickly exceed this. But most
systems mount devpts without restrictions. If you're sharing your
host's devpts instance then that's a misconfiguration.

Christian
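The check a practitioner would want after reading this exchange is: which devpts instances are mounted, does each carry a per-instance max=, and is any single instance (same major:minor) visible at more than one mount point, i.e. the host's /dev/pts bind-mounted into a container rootfs. The script below is an added example, not code from the thread or from any of its participants. It parses /proc/self/mountinfo lines (format per proc(5)), runs first over a constructed sample and then, if available, over the live system, and prints the mount invocation that gives a container its own capped instance. The container paths, the limit of 256 and the sample mount IDs are made up for illustration.

```shell
#!/bin/sh
# Added example: audit devpts instances for a per-instance "max=" cap and
# for host instances shared into other mount points. Not from the thread.

# devpts_audit: read /proc/self/mountinfo-formatted lines on stdin and
# print "<mountpoint> <major:minor> <max|unlimited>" for every devpts mount.
# mountinfo fields: 1 id, 2 parent, 3 maj:min, 4 root, 5 mount point,
# 6 mount opts, 7.. optional fields, then "-", fstype, source, super opts.
# A devpts instance without max= is bounded only by the global kernel.pty.max.
devpts_audit() {
    awk '{
        for (i = 7; i <= NF; i++) if ($i == "-") break   # find separator
        if ($(i + 1) != "devpts") next                    # fstype follows it
        max = "unlimited"
        n = split($(i + 3), o, ",")                       # super-block options
        for (j = 1; j <= n; j++) if (o[j] ~ /^max=/) max = substr(o[j], 5)
        print $5, $3, max
    }'
}

# devpts_shared: print the major:minor of any devpts instance that appears
# at more than one mount point. Two mount points on one instance means the
# same pty pool (and the same cap, or lack of one) is shared between them.
devpts_shared() {
    devpts_audit | awk '{ seen[$2]++ } END { for (d in seen) if (seen[d] > 1) print d }'
}

# devpts_mount_cmd ROOTFS MAX: print (not run; needs CAP_SYS_ADMIN) the mount
# that gives a container rootfs its own devpts instance capped at MAX ptys.
# "newinstance" is implied on kernels >= 4.7 and harmless on older ones.
devpts_mount_cmd() {
    printf 'mount -t devpts -o newinstance,ptmxmode=0666,max=%s devpts %s/dev/pts\n' "$2" "$1"
}

# Constructed sample: host /dev/pts (0:21) bind-mounted into container c1,
# container c2 with its own capped instance, plus one non-devpts line.
SAMPLE_MOUNTINFO='22 31 0:20 / /proc rw,nosuid,nodev,noexec,relatime shared:1 - proc proc rw
24 31 0:21 / /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts rw,gid=5,mode=620,ptmxmode=000
310 290 0:21 / /var/lib/lxc/c1/rootfs/dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts rw,gid=5,mode=620,ptmxmode=000
320 291 0:45 / /var/lib/lxc/c2/rootfs/dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=000,max=256'

echo "== constructed sample =="
printf '%s\n' "$SAMPLE_MOUNTINFO" | devpts_audit
echo "shared instances: $(printf '%s\n' "$SAMPLE_MOUNTINFO" | devpts_shared)"
echo "fix for c1: $(devpts_mount_cmd /var/lib/lxc/c1/rootfs 256)"

echo "== this system =="
if [ -r /proc/self/mountinfo ]; then
    devpts_audit < /proc/self/mountinfo
    echo "shared instances: $(devpts_shared < /proc/self/mountinfo)"
fi
echo "global cap kernel.pty.max: $(cat /proc/sys/kernel/pty.max 2>/dev/null || echo n/a)"
echo "ptys in use kernel.pty.nr: $(cat /proc/sys/kernel/pty.nr 2>/dev/null || echo n/a)"
```

In the sample, c1 shares instance 0:21 with the host and inherits no cap, which is the misconfiguration the reply describes; c2 has its own instance with max=256. The printed mount command has to be run as root inside the container's mount namespace, and the container must reach ptys through that instance (its /dev/ptmx node sitting next to the /dev/pts mount, or a symlink to pts/ptmx), otherwise opens still land on whatever devpts is behind the ptmx it sees.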