===========================
Namespaces resource control
===========================

There are many kinds of objects in the kernel that don't have
individual limits, or that have limits that are ineffective when a set
of processes is allowed to switch user IDs. With user namespaces
enabled in a kernel for people who don't trust their users or their
users' programs to play nice, this problem becomes more acute.

Therefore it is recommended that memory control groups be enabled in
kernels that enable user namespaces, and it is further recommended
that userspace configure memory control groups to limit how much
memory users they don't trust to play nice can use.

Memory control groups can be configured by installing the libcgroup
package present on most distros, editing /etc/cgrules.conf and
/etc/cgconfig.conf, and setting up libpam-cgroup.
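The following configuration sketches the setup described above. It is an added example, not part of the original document or of libcgroup itself. The group name ``untrusted``, the 512M limit and the PAM file path are assumptions chosen for illustration, and the memory settings assume the cgroup v1 memory controller is already mounted.

```conf
# ---- /etc/cgconfig.conf ------------------------------------------
# Define a memory control group for users who are not trusted to
# play nice. "untrusted" is a hypothetical group name and 512M is a
# constructed limit; size it for the host.
group untrusted {
    memory {
        # Hard cap on memory charged to every process in the group
        # (cgroup v1 file name; cgroup v2 calls this memory.max).
        memory.limit_in_bytes = 512M;
        # Where swap accounting is enabled, cap memory+swap as well so
        # the limit cannot be sidestepped by pushing pages to swap:
        # memory.memsw.limit_in_bytes = 512M;
    }
}

# ---- /etc/cgrules.conf -------------------------------------------
# <user or @unix-group>   <controllers>   <destination cgroup>
# Place processes of every member of the (hypothetical) Unix group
# "untrusted" into the memory cgroup defined above.
@untrusted                memory          untrusted/

# ---- PAM session stack -------------------------------------------
# Assumed location: /etc/pam.d/common-session on Debian-style
# systems; other distros use a different file. pam_cgroup.so, shipped
# as libpam-cgroup, applies the /etc/cgrules.conf rules when the
# session is opened, so the limit is in force from login onward.
session    optional    pam_cgroup.so
```

Because the limit is attached to the control group rather than to a user ID, it keeps applying to processes in the group after they switch user IDs inside a user namespace.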