[libvirt] [PATCH] Add ability to set rlimits at container boot
Ryan Cleere
rcleere at gmail.com
Mon Feb 23 17:37:43 UTC 2015
Richard,
I have to disagree that it should require idmap. It is true that without
idmap the container can freely set it's own rlimits, but I believe this
functionality could be useful to containers that don't run /sbin/init. What
I mean by that is application specific containers could have their limits
set without the application having to set them, or even having to write a
shim to set them.
Ryan
On Sun, Feb 22, 2015 at 5:59 PM, Richard Weinberger <
richard.weinberger at gmail.com> wrote:
> On Fri, Jan 30, 2015 at 4:32 PM, Ryan Cleere <rcleere at gmail.com> wrote:
> > I guess I don't really have an argument for or against removing some of
> them
> > from <rlimits>. The original patch that I wrote and we use internally
> only
> > allowed setting of RLIMIT_NOFILE, but when I went to publish it back to
> this
> > list is was trivial to just make it a generic interface to all of the
> > RLIMIT_* tunables. I don't have a need for them at this time, but I
> figured
> > someone else might find them useful. But if this list can come up with a
> set
> > we want included/excluded then the <rlimits> section can be modified
> > accordingly. Although it might be confusing to an operator who is reading
> > the setrlimit(2) manpage and can't understand why they can't set the
> limit
> > they are interested in.
>
> BTW: This should depend on idmap (user namespaces set up).
> Without user namespaces root can bypass/reset all these limits.
>
> --
> Thanks,
> //richard
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20150223/f3877c46/attachment-0001.htm>
More information about the libvir-list
mailing list