public-mirrors/linux
1
0
Fork 0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-08-05 16:54:27 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
linux/Documentation/admin-guide/namespaces/resource-control.rst

19 lines
875 B
ReStructuredText
Raw Permalink Normal View History

docs: namespace: Tweak and reword resource control doc Fix the document title and reword the phrasing to active voice. Signed-off-by: Joel Savitz <jsavitz@redhat.com> Message-ID: <20250421161723.1138903-1-jsavitz@redhat.com> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
2025-04-21 12:17:23 -04:00
====================================
User namespaces and resource control
====================================
docs: namespaces: convert to ReST Rename the namespaces documentation files to ReST, add an index for them and adjust in order to produce a nice html output via the Sphinx build system. There are two upper case file names. Rename them to lower case, as we're working to avoid upper case file names at Documentation. At its new index.rst, let's add a :orphan: while this is not linked to the main index.rst file, in order to avoid build warnings. Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2019-04-18 12:43:16 -03:00
docs: namespace: Tweak and reword resource control doc Fix the document title and reword the phrasing to active voice. Signed-off-by: Joel Savitz <jsavitz@redhat.com> Message-ID: <20250421161723.1138903-1-jsavitz@redhat.com> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
2025-04-21 12:17:23 -04:00
The kernel contains many kinds of objects that either don't have
individual limits or that have limits which are ineffective when
a set of processes is allowed to switch their UID. On a system
where the admins don't trust their users or their users' programs,
user namespaces expose the system to potential misuse of resources.
userns: Recommend use of memory control groups. In the help text describing user namespaces recommend use of memory control groups. In many cases memory control groups are the only mechanism there is to limit how much memory a user who can create user namespaces can use. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
2013-01-25 16:48:31 -08:00
docs: namespace: Tweak and reword resource control doc Fix the document title and reword the phrasing to active voice. Signed-off-by: Joel Savitz <jsavitz@redhat.com> Message-ID: <20250421161723.1138903-1-jsavitz@redhat.com> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
2025-04-21 12:17:23 -04:00
In order to mitigate this, we recommend that admins enable memory
control groups on any system that enables user namespaces.
Furthermore, we recommend that admins configure the memory control
groups to limit the maximum memory usable by any untrusted user.
userns: Recommend use of memory control groups. In the help text describing user namespaces recommend use of memory control groups. In many cases memory control groups are the only mechanism there is to limit how much memory a user who can create user namespaces can use. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
2013-01-25 16:48:31 -08:00
Memory control groups can be configured by installing the libcgroup
package present on most distros editing /etc/cgrules.conf,
/etc/cgconfig.conf and setting up libpam-cgroup.
Reference in a new issue Copy permalink