From: ebied...@xmission.com (Eric W. Biederman) Date: Mon, 25 Jul 2016 19:44:50 -0500
> User namespaces have enabled unprivileged users access to a lot more > data structures and so to catch programs that go crazy we need a lot > more limits. I believe some of those limits make sense per namespace. > As it is easy in some cases to say any more than Y number of those > per namespace is excessive. For example a limit of 1,000,000 ipv4 > routes per network namespaces is a sanity check as there are > currently 621,649 ipv4 prefixes advertized in bgp. When we give a new namespace to unprivileged users, we honestly should make the sysctl settings we give to them become "limits". They can further constrain the sysctl settings but may not raise them.
