23 Feb
2015
23 Feb
'15
6:44 p.m.
Ryan, Am 23.02.2015 um 18:37 schrieb Ryan Cleere:
Richard,
I have to disagree that it should require idmap. It is true that without idmap the container can freely set it's own rlimits, but I believe this functionality could be useful to containers that don't run /sbin/init. What I mean by that is application specific containers could have their limits set without the application having to set them, or even having to write a shim to set them.
Sorry, I don't understand. What has running a non /sbin/init do to with that? Without user namespaces root within the container can bypass these limits. Thanks, //richard