> Anyway, if you don't trust a container you'd better set the hard memory
> limit so that it can't hurt others no matter what it runs and how it
> tweaks its sub-tree knobs.

If you don't trust it, put it in a VM. If it's got access to GEM graphics ioctls/nodes or some other kernel interfaces then it can blow up the kernel without trying hard unless it's constrained within a VM. VMs can be extremely lightweight if you avoid KVM emulating an entire PC.

Alan