15 lines
764 B
Plaintext
15 lines
764 B
Plaintext
There are a lot of kinds of objects in the kernel that don't have
|
|
individual limits or that have limits that are ineffective when a set
|
|
of processes is allowed to switch user ids. With user namespaces
|
|
enabled in a kernel for people who don't trust their users or their
|
|
users programs to play nice this problems becomes more acute.
|
|
|
|
Therefore it is recommended that memory control groups be enabled in
|
|
kernels that enable user namespaces, and it is further recommended
|
|
that userspace configure memory control groups to limit how much
|
|
memory user's they don't trust to play nice can use.
|
|
|
|
Memory control groups can be configured by installing the libcgroup
|
|
package present on most distros editing /etc/cgrules.conf,
|
|
/etc/cgconfig.conf and setting up libpam-cgroup.
|