^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) ===========================
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) Namespaces research control
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) ===========================
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) There are a lot of kinds of objects in the kernel that don't have
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) individual limits or that have limits that are ineffective when a set
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) of processes is allowed to switch user ids. With user namespaces
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) enabled in a kernel for people who don't trust their users or their
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) users programs to play nice this problems becomes more acute.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) Therefore it is recommended that memory control groups be enabled in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) kernels that enable user namespaces, and it is further recommended
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) that userspace configure memory control groups to limit how much
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) memory user's they don't trust to play nice can use.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) Memory control groups can be configured by installing the libcgroup
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) package present on most distros editing /etc/cgrules.conf,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) /etc/cgconfig.conf and setting up libpam-cgroup.
Orange Pi5 kernel
Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards
3 Commits
0 Branches
0 Tags