===========================
Namespaces resource control
===========================

There are a lot of kinds of objects in the kernel that don't have
individual limits, or that have limits which are ineffective when a set
of processes is allowed to switch user ids. With user namespaces
enabled in a kernel for people who don't trust their users or their
users' programs to play nice, this problem becomes more acute: the
creator of a user namespace holds CAP_SETUID inside it and can switch
freely between every uid mapped into that namespace (for example a
range granted through /etc/subuid), so any accounting that is keyed on
the uid no longer bounds what a single user can consume.

Therefore it is recommended that memory control groups be enabled in
kernels that enable user namespaces, and it is further recommended
that userspace configure memory control groups to limit how much
memory users they don't trust to play nice can use.

Memory control groups can be configured by installing the libcgroup
package present on most distros, editing /etc/cgrules.conf and
/etc/cgconfig.conf, and setting up libpam-cgroup.
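The following shell script is an added example, not part of the kernel
documentation or of libcgroup itself. It renders the two libcgroup files
named above for a memory cap on an untrusted set of users, shows the
pam_cgroup.so session line that classifies login sessions, and gives two
checks a practitioner wants afterwards: which memory cgroup a process
really landed in (parsed from its /proc/<pid>/cgroup) and what limit the
kernel actually holds for that cgroup. The cgroup name ``untrusted``, the
512M limit, the user names, the ``/etc/cgconfig.d`` and
``/etc/pam.d/common-session`` paths and the ``/sys/fs/cgroup`` mount point
are assumptions for illustration and vary by distribution. The rendered
stanza targets the cgroup v1 memory controller
(``memory.limit_in_bytes``); on a host running the unified cgroup v2
hierarchy the knob is ``memory.max`` and the stanza needs adjusting.

```shell
#!/bin/sh
# Added example (not kernel or libcgroup code): libcgroup v1 configuration
# that caps memory for untrusted users, plus checks that the cap is in force.
# Group name, limit, user names and file paths are illustrative assumptions.

# Emit a cgconfig.conf stanza creating a memory cgroup with a hard limit
# (and the same cap on memory+swap so swap cannot be used to dodge it).
# Usage: render_cgconfig <cgroup> <limit>   e.g. render_cgconfig untrusted 512M
render_cgconfig() {
    printf 'group %s {\n' "$1"
    printf '    memory {\n'
    printf '        memory.limit_in_bytes = %s;\n' "$2"
    printf '        memory.memsw.limit_in_bytes = %s;\n' "$2"
    printf '    }\n}\n'
}

# Emit cgrules.conf lines: each user (or @group) listed gets its memory
# controller placed under <cgroup>/ when pam_cgroup.so classifies a login
# session or cgrulesengd classifies a process.
# Usage: render_cgrules <cgroup> <user|@group>...
render_cgrules() {
    cg=$1; shift
    for who in "$@"; do
        printf '%s\tmemory\t%s/\n' "$who" "$cg"
    done
}

# Install the rendered files on a Debian-style layout (paths are assumptions)
# and load the cgroup definition. Needs root; not invoked by this script.
install_untrusted_cap() {
    render_cgconfig untrusted 512M > /etc/cgconfig.d/untrusted.conf
    render_cgrules untrusted @untrusted >> /etc/cgrules.conf
    grep -q pam_cgroup.so /etc/pam.d/common-session ||
        echo 'session optional pam_cgroup.so' >> /etc/pam.d/common-session
    cgconfigparser -l /etc/cgconfig.d/untrusted.conf
}

# Check 1: which memory cgroup is a process actually in? Reads the v1-format
# "<id>:<controllers>:<path>" lines of /proc/<pid>/cgroup from stdin, so it
# works on the live file (memory_cgroup_of < /proc/$$/cgroup) or a capture.
memory_cgroup_of() {
    awk -F: '$2 ~ /(^|,)memory(,|$)/ { print $3; exit }'
}

# Check 2: the limit the kernel holds for a cgroup, read from the cgroup fs.
# Usage: effective_limit <cgroup-v1-mount> <cgroup>   prints bytes
effective_limit() {
    f="$1/memory/${2#/}/memory.limit_in_bytes"
    if [ ! -r "$f" ]; then
        echo "no memory cgroup at $f (is the v1 memory controller mounted?)" >&2
        return 1
    fi
    cat "$f"
}

# Returns 0 only if the cgroup's limit equals the expected byte count.
# Usage: limit_enforced <cgroup-v1-mount> <cgroup> <bytes>
limit_enforced() {
    got=$(effective_limit "$1" "$2") || return 1
    [ "$got" -eq "$3" ]
}
```

After a user in the ``untrusted`` group logs in, ``memory_cgroup_of <
/proc/<pid>/cgroup`` for one of that user's processes should print
``/untrusted`` and ``limit_enforced /sys/fs/cgroup untrusted 536870912``
should succeed; a process that shows ``/`` instead was never classified,
which usually means the PAM line or the cgrulesengd daemon is missing.
Note that the limit applies per cgroup, not per uid, which is exactly why
it still holds when the user switches between mapped uids inside a user
namespace.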