
On Fri, Jan 30, 2015 at 4:32 PM, Ryan Cleere <rcleere@gmail.com> wrote:
I guess I don't really have an argument for or against removing some of them from <rlimits>. The original patch that I wrote and we use internally only allowed setting of RLIMIT_NOFILE, but when I went to publish it back to this list it was trivial to just make it a generic interface to all of the RLIMIT_* tunables. I don't have a need for them at this time, but I figured someone else might find them useful. But if this list can come up with a set we want included/excluded then the <rlimits> section can be modified accordingly. Although it might be confusing to an operator who is reading the setrlimit(2) manpage and can't understand why they can't set the limit they are interested in.
BTW: This should depend on idmap (user namespaces set up). Without user namespaces root can bypass/reset all these limits.

--
Thanks,
//richard