[PATCH 0/9] Multiple devpts instances
H. Peter Anvin
hpa at zytor.com
Mon Feb 23 13:18:17 PST 2009
Serge E. Hallyn wrote:
>>
>> If you want security and permission arguments get with Serge and finish
>> the uid namespace. The you will have a user that looks like root but
>> does not have permissions to do most things.
>
> Right, and in particular the way it would partially solve this issue is
> that the procsys limit file would be owned by root in the initial uid
> namespace, so root in a child container would not be able to write to
> it.
>
No, uid namespace is not the right thing for this. If anything, it
should be controlled by a capability flag. This is a general issue for
procfs and sysfs as used for controlling any kind of system resources,
though.
> Defining a new mount option to set a per-sb limit seems useful though,
> as I could easily see wanting to limit containers (on a 1000-container
> system) to 3 ptys each for instance.
What probably would make more sense is to limit containers to a specific
number of inodes or open file descriptors. The pty limit was a quick
hack to avoid DoS, but it's really equivalent (with a small multiplier,
~3 or so) to "open inodes".
-hpa
More information about the Containers
mailing list