====================================
User namespaces and resource control
====================================

The kernel contains many kinds of objects that either don't have
individual limits or that have limits which are ineffective when
a set of processes is allowed to switch their UID. On a system
where the admins don't trust their users or their users' programs,
user namespaces expose the system to potential misuse of resources.

In order to mitigate this, we recommend that admins enable memory
control groups on any system that enables user namespaces.
Furthermore, we recommend that admins configure the memory control
groups to limit the maximum memory usable by any untrusted user.

Memory control groups can be configured by installing the libcgroup
package, present on most distros, editing /etc/cgrules.conf and
/etc/cgconfig.conf, and setting up libpam-cgroup.
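
A sketch of the three pieces named above, added here as an illustration and not taken from the kernel documentation. It assumes the cgroup v1 memory controller, a hypothetical Unix group named ``untrusted``, a constructed 512 MiB cap, and a Debian-style PAM file name.

```conf
# Added example. Assumptions: cgroup v1 memory controller, a Unix group
# named "untrusted" (hypothetical), and a constructed 512 MiB limit.

# --- /etc/cgconfig.conf -------------------------------------------------
# Defines the cgroup and its memory ceiling.
# 536870912 bytes = 512 MiB, shared by every process placed in the group.
group untrusted {
    memory {
        memory.limit_in_bytes = 536870912;
    }
}

# --- /etc/cgrules.conf --------------------------------------------------
# Format: <user | @group>   <controllers>   <destination cgroup>
# Every process owned by a member of "untrusted" goes into the cgroup above.
@untrusted    memory    untrusted/

# --- PAM session stack --------------------------------------------------
# File name varies by distro (assumed here: /etc/pam.d/common-session).
# pam_cgroup.so, from libpam-cgroup, applies cgrules.conf at login so the
# session starts inside the limited cgroup.
session    optional    pam_cgroup.so
```

Because all members share one cgroup, the limit caps their combined usage; a per-user ceiling needs a separate group and rule for each user.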