Richard, I have to disagree that it should require idmap. It is true that without idmap the container can freely set it's own rlimits, but I believe this functionality could be useful to containers that don't run /sbin/init. What I mean by that is application specific containers could have their limits set without the application having to set them, or even having to write a shim to set them. Ryan On Sun, Feb 22, 2015 at 5:59 PM, Richard Weinberger < richard.weinberger@gmail.com> wrote:
I guess I don't really have an argument for or against removing some of
from <rlimits>. The original patch that I wrote and we use internally only allowed setting of RLIMIT_NOFILE, but when I went to publish it back to
list is was trivial to just make it a generic interface to all of the RLIMIT_* tunables. I don't have a need for them at this time, but I
someone else might find them useful. But if this list can come up with a set we want included/excluded then the <rlimits> section can be modified accordingly. Although it might be confusing to an operator who is reading the setrlimit(2) manpage and can't understand why they can't set the
On Fri, Jan 30, 2015 at 4:32 PM, Ryan Cleere <rcleere@gmail.com> wrote: them this figured limit
they are interested in.
BTW: This should depend on idmap (user namespaces set up). Without user namespaces root can bypass/reset all these limits.
-- Thanks, //richard