Serge E. Hallyn wrote:
>> If you want security and permission arguments get with Serge and finish
>> the uid namespace. Then you will have a user that looks like root but
>> does not have permissions to do most things.
>
> Right, and in particular the way it would partially solve this issue is
> that the procsys limit file would be owned by root in the initial uid
> namespace, so root in a child container would not be able to write to
> it.
>
No, uid namespace is not the right thing for this. If anything, it should be controlled by a capability flag. This is a general issue for procfs and sysfs as used for controlling any kind of system resources, though.

> Defining a new mount option to set a per-sb limit seems useful though,
> as I could easily see wanting to limit containers (on a 1000-container
> system) to 3 ptys each for instance.

What probably would make more sense is to limit containers to a specific number of inodes or open file descriptors. The pty limit was a quick hack to avoid DoS, but it's really equivalent (with a small multiplier, ~3 or so) to "open inodes".

	-hpa

_______________________________________________
Containers mailing list
contain...@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers

_______________________________________________
Devel mailing list
Devel@openvz.org
https://openvz.org/mailman/listinfo/devel