[libvirt] [PATCH] Add ability to set rlimits at container boot

Ryan Cleere rcleere at gmail.com
Mon Mar 2 15:59:09 UTC 2015


Hi Richard,

All I am suggesting is that someone may want to run a custom process as
their <init> process that may or may not have the ability to set the
rlimits. This would just allow them to start in a known state. You are
absolutely right that without user namespaces the container could set them
to whatever the user wanted.

However, I think there also exists the possibility that a user not running
user namespaces could use the XML to drop the 'CAP_SYS_RESOURCE' capability
and therefore would not be able to set rlimits. But I have not tested this
scenario.

Ryan

On Mon, Feb 23, 2015 at 11:44 AM, Richard Weinberger <richard at nod.at> wrote:

> Ryan,
>
> On 23.02.2015 at 18:37, Ryan Cleere wrote:
> > Richard,
> >
> > I have to disagree that it should require idmap. It is true that without
> > idmap the container can freely set its own rlimits, but I believe this
> > functionality could be useful to containers that don't run /sbin/init.
> > What I mean by that is application specific containers could have their
> > limits set without the application having to set them, or even having
> > to write a shim to set them.
>
> Sorry, I don't understand. What has running a non /sbin/init to do with
> that?
> Without user namespaces root within the container can bypass these limits.
>
> Thanks,
> //richard
>
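
The kernel rule this exchange turns on, as an added example that is not part of the thread or of libvirt's code: raising a hard rlimit requires CAP_SYS_RESOURCE, so a process that has lost that capability gets EPERM from setrlimit(2). The function names and the choice of RLIMIT_CORE are assumptions made for illustration, and the check exercises setrlimit(2) directly, not libvirt's XML capability handling.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/capability.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Clear CAP_SYS_RESOURCE from this process's effective and permitted sets. */
static int drop_cap_sys_resource(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];

    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    data[0].effective &= ~(1u << CAP_SYS_RESOURCE); /* capability 24: word 0 */
    data[0].permitted &= ~(1u << CAP_SYS_RESOURCE);
    return (int)syscall(SYS_capset, &hdr, data);
}

/*
 * In a forked child: optionally drop CAP_SYS_RESOURCE, lower the RLIMIT_CORE
 * hard limit to 0 (always permitted), then try to raise it again.
 * Returns 0 if the raise succeeded, the errno of the failed raise otherwise,
 * or -1 if the setup itself failed.
 */
int try_raise_hard_limit(int drop_cap)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct rlimit low = { 0, 0 }, raised = { 0, 1 };
        if (drop_cap && drop_cap_sys_resource() != 0) _exit(255);
        if (setrlimit(RLIMIT_CORE, &low) != 0) _exit(255);
        _exit(setrlimit(RLIMIT_CORE, &raised) == 0 ? 0 : (errno & 0x7f));
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) == 255)
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("as started:           %d\n", try_raise_hard_limit(0));
    printf("CAP_SYS_RESOURCE off: %d (EPERM=%d)\n", try_raise_hard_limit(1), EPERM);
    return 0;
}
```

The first line of output depends on how the program is started: the kernel checks CAP_SYS_RESOURCE against the initial user namespace, so root inside a user namespace also sees EPERM.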