Re: [libvirt] [PATCH] Add ability to set rlimits at container boot
Richard,
I have to disagree that it should require idmap. It is true that without
idmap the container can freely set it's own rlimits, but I believe this
functionality could be useful to containers that don't run /sbin/init. What
I mean by that is application specific containers could have their limits
set without the application having to set them, or even having to write a
shim to set them.
Ryan
On Sun, Feb 22, 2015 at 5:59 PM, Richard Weinberger <
richard.weinberger(a)gmail.com> wrote:
On Fri, Jan 30, 2015 at 4:32 PM, Ryan Cleere
<rcleere(a)gmail.com> wrote:
> I guess I don't really have an argument for or against removing some of
them
> from <rlimits>. The original patch that I wrote and we use internally
only
> allowed setting of RLIMIT_NOFILE, but when I went to publish it back to
this
> list is was trivial to just make it a generic interface to all of the
> RLIMIT_* tunables. I don't have a need for them at this time, but I
figured
> someone else might find them useful. But if this list can come up with a
set
> we want included/excluded then the <rlimits> section can be modified
> accordingly. Although it might be confusing to an operator who is reading
> the setrlimit(2) manpage and can't understand why they can't set the
limit
> they are interested in.
BTW: This should depend on idmap (user namespaces set up).
Without user namespaces root can bypass/reset all these limits.
--
Thanks,
//richard
Attachments:
- attachment.html (text/html — 2.0 KB)