Hi Richard,

All I am suggesting is that someone may want to run a custom process as their <init> process that may or may not have the ability to set the rlimits. This would just allow them to start in a known state. You are absolutely right that without user namespaces the container could set them to whatever the user wanted.

However, I think there also exists the possibility that a user not running user namespaces could use the XML to drop the 'CAP_SYS_RESOURCE' capability and therefore would not be able to set rlimits. But I have not tested this scenario.

Ryan

On Mon, Feb 23, 2015 at 11:44 AM, Richard Weinberger <richard@nod.at> wrote:

Ryan,

Am 23.02.2015 um 18:37 schrieb Ryan Cleere:
> Richard,
>
> I have to disagree that it should require idmap. It is true that without idmap the container can freely set it's own rlimits, but I believe this functionality could be useful to
> containers that don't run /sbin/init. What I mean by that is application specific containers could have their limits set without the application having to set them, or even having
> to write a shim to set them.

Sorry, I don't understand. What has running a non /sbin/init do to with that?
Without user namespaces root within the container can bypass these limits.

Thanks,
//richard