Quoting Niklas Fuchs (nkfu...@yahoo.de):
> hi,
> I played around with my debian image and user namespaces and have some
> questions:
>
> cgroup limits: they don't seem to apply to a container with user ns
> right? I set

They should.

> lxc.cgroup.memory.limit_in_bytes = 2M but nothing gets killed, the
> container starts normally
> can I limit resources anyhow?

What are the values of limit_in_bytes for the container's cgroup, and
all ancestor cgroups? Is memory.use_hierarchy set to 1?

> caps: from http://lwn.net/Articles/531114/
> "unprivileged processes can create user namespaces in which they have
> full privileges, which in turn allows any other type of namespace to be
> created inside a user namespace."
>
> does that mean that the other namespaces (like net etc) are like a child of
> the user ns?

Rather, the user ns owns any namespace it creates. Capabilities in the
user ns are 'targeted' toward any namespaces it owns.

> I have full caps in the container, I noticed that cap restrictions
> from the config don't seem to have an effect (tested e.g. net_raw,
> net_admin and I'm still able to do everything with the eth0 inside the
> container)

Yeah, cap restrictions are somewhat meaningless with user namespaces.
Your container already has zero capabilities targeted toward the host
user namespace.

> lxc-checkconfig shows everything as enabled
>
> thanks, niklas
>
> _______________________________________________
> Lxc-users mailing list
> Lxc-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-users
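The check the reply asks for (limit_in_bytes for the container's cgroup and every ancestor, plus memory.use_hierarchy), as an added example that is not part of the original thread. It assumes cgroup v1 with the memory controller mounted at /sys/fs/cgroup/memory and the container's cgroup at lxc/<name>; the function names and the sample tree are constructed for illustration.

```shell
# Assumed (not from the mail): cgroup v1, memory controller mounted at
# /sys/fs/cgroup/memory, container cgroup at lxc/<name> below it.

# read_knob DIR FILE: print the value, or "?" if the file is unreadable.
read_knob() { cat "$1/$2" 2>/dev/null || echo '?'; }
# parent_of REL: parent cgroup path ("" for a top-level cgroup).
parent_of() { case $1 in */*) echo "${1%/*}" ;; *) echo "" ;; esac; }

# report_limits ROOT REL: one line per level, container cgroup up to root.
report_limits() {
    root=$1 rel=$2
    while :; do
        dir=$root${rel:+/$rel}
        echo "/$rel limit=$(read_knob "$dir" memory.limit_in_bytes)" \
             "use_hierarchy=$(read_knob "$dir" memory.use_hierarchy)"
        [ -n "$rel" ] || break
        rel=$(parent_of "$rel")
    done
}

# effective_limit ROOT REL: smallest limit constraining the cgroup. An
# ancestor counts only while use_hierarchy=1 holds on the way up, since
# only then is the child's usage charged against that ancestor.
effective_limit() {
    root=$1 rel=$2
    min=$(read_knob "$root/$rel" memory.limit_in_bytes)
    [ "$min" != '?' ] || { echo '?'; return 0; }
    while [ -n "$rel" ]; do
        rel=$(parent_of "$rel")
        [ "$(read_knob "$root${rel:+/$rel}" memory.use_hierarchy)" = 1 ] || break
        lim=$(read_knob "$root${rel:+/$rel}" memory.limit_in_bytes)
        if [ "$lim" != '?' ] && [ "$lim" -lt "$min" ]; then min=$lim; fi
    done
    echo "$min"
}

# make_sample_tree DIR: constructed stand-in for the cgroup filesystem.
make_sample_tree() {
    for spec in ":9223372036854771712" "lxc:536870912" "lxc/c1:2097152"; do
        d=$1/${spec%%:*}; mkdir -p "$d"
        echo "${spec#*:}" > "$d/memory.limit_in_bytes"
        echo 1 > "$d/memory.use_hierarchy"
    done
}

# With no arguments, run against the constructed tree.
if [ $# -eq 2 ]; then cg_root=$1 cg_rel=$2 tmp=
else tmp=$(mktemp -d); make_sample_tree "$tmp"; cg_root=$tmp cg_rel=lxc/c1; fi
report_limits "$cg_root" "$cg_rel"
echo "effective limit: $(effective_limit "$cg_root" "$cg_rel")"
[ -z "$tmp" ] || rm -rf "$tmp"
```

On a real host, pass the mount point and the container's cgroup path as the two arguments; a `?` in the output means the knob could not be read at that level.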