[Lxc-users] clarifications on user ns

Serge Hallyn serge.hallyn at ubuntu.com
Thu May 30 15:09:15 UTC 2013


Quoting Niklas Fuchs (nkfuchs at yahoo.de):
> hi,
> I played around with my debian image and user namespaces and have some
> questions:
> 
> cgroup limits: they don't seem to apply to a container with user ns,
> right? I set

They should.

> lxc.cgroup.memory.limit_in_bytes = 2M but nothing gets killed, the
> container starts normally
> can I limit resources anyhow?

What are the values of limit_in_bytes for the container's cgroup, and
all ancestor cgroups?  Is memory.use_hierarchy set to 1?

> caps: from http://lwn.net/Articles/531114/
> "unprivileged processes can create user namespaces in which they have
> full privileges, which in turn allows any other type of namespace to be
> created inside a user namespace."
> 
> does that mean that the other namespaces (like net etc.) are like a child
> of the user ns?

Rather, the user ns owns any namespace it creates.  Capabilities in the
user ns are 'targeted' toward any namespaces it owns.

> I have full caps in the container. I noticed that cap restrictions
> from the config don't seem to have an effect (tested e.g. net_raw and
> net_admin, and I'm still able to do everything with eth0 inside the
> container).

Yeah, cap restrictions are somewhat meaningless with user namespaces.
Your container already has zero capabilities targeted toward the host
user namespace.

> lxc-checkconfig shows everything as enabled
> 
> thanks, niklas
> 
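Serge's two questions (what is memory.limit_in_bytes on the container's cgroup and on every ancestor, and is memory.use_hierarchy set to 1) can be answered with a short script instead of cat'ing files by hand. The checker below is an added example, not code from this thread or from LXC. It assumes a cgroup v1 memory controller mounted at a path you pass in (typically /sys/fs/cgroup/memory) and a container cgroup name such as lxc/debian; the demo runs against constructed directory trees that mimic the controller, not a real mount, so it works offline.

```python
#!/usr/bin/env python3
"""Walk a cgroup v1 memory hierarchy and report the effective limit.

Added example for the lxc-users thread on user namespaces; not LXC code.
The controller mount point and the container cgroup name are assumptions
supplied on the command line.
"""
import sys
import tempfile
from pathlib import Path

# cgroup v1 reports "no limit" as a huge number (2**63 rounded down to a
# page boundary on 64-bit kernels); treat anything that large as unlimited.
UNLIMITED_THRESHOLD = 2 ** 62


def read_int(path):
    """Read one integer from a cgroup control file; None if unreadable."""
    try:
        return int(Path(path).read_text().strip())
    except (OSError, ValueError):
        return None


def memory_limit_chain(memory_root, container_cgroup):
    """List (cgroup path, limit_in_bytes, use_hierarchy) from the controller
    root down to the container's own cgroup. A limit of None means
    unlimited (or the file could not be read)."""
    root = Path(memory_root)
    chain = []
    current = root
    for name in [""] + [p for p in container_cgroup.split("/") if p]:
        if name:
            current = current / name
        limit = read_int(current / "memory.limit_in_bytes")
        if limit is not None and limit >= UNLIMITED_THRESHOLD:
            limit = None
        hier = read_int(current / "memory.use_hierarchy") == 1
        rel = "/" if current == root else "/" + current.relative_to(root).as_posix()
        chain.append((rel, limit, hier))
    return chain


def effective_memory_limit(memory_root, container_cgroup):
    """With use_hierarchy=1 on the container's cgroup, the smallest limit
    anywhere on the chain is the one that bites; with use_hierarchy=0 only
    the container's own memory.limit_in_bytes applies to its tasks."""
    chain = memory_limit_chain(memory_root, container_cgroup)
    _, own_limit, use_hierarchy = chain[-1]
    if use_hierarchy:
        limits = [limit for _, limit, _ in chain if limit is not None]
        effective = min(limits) if limits else None
    else:
        effective = own_limit
    return {"chain": chain, "use_hierarchy": use_hierarchy, "effective": effective}


def build_sample_tree(base, tree):
    """Create a fake memory controller under `base` from
    {cgroup path: (limit_in_bytes, use_hierarchy)}. Constructed test data."""
    for rel, (limit, hier) in tree.items():
        d = Path(base) / rel.strip("/")
        d.mkdir(parents=True, exist_ok=True)
        (d / "memory.limit_in_bytes").write_text(f"{limit}\n")
        (d / "memory.use_hierarchy").write_text(f"{hier}\n")


def demo():
    """Three constructed layouts: the 2M limit from the thread really set on
    the container cgroup; the limit never applied (what 'nothing gets
    killed' would look like); and a limit only on the parent, which counts
    only when use_hierarchy is 1."""
    no_limit = 9223372036854771712
    scenarios = {
        "applied": ({"/": (no_limit, 1), "lxc": (no_limit, 1),
                     "lxc/debian": (2 * 1024 * 1024, 1)}, "lxc/debian"),
        "missing": ({"/": (no_limit, 1), "lxc": (no_limit, 1),
                     "lxc/debian": (no_limit, 1)}, "lxc/debian"),
        "parent_flat": ({"/": (no_limit, 0), "lxc": (4 * 1024 * 1024, 0),
                         "lxc/debian": (no_limit, 0)}, "lxc/debian"),
        "parent_hier": ({"/": (no_limit, 1), "lxc": (4 * 1024 * 1024, 1),
                         "lxc/debian": (no_limit, 1)}, "lxc/debian"),
    }
    results = {}
    for name, (tree, cgroup) in scenarios.items():
        with tempfile.TemporaryDirectory() as base:
            build_sample_tree(base, tree)
            results[name] = effective_memory_limit(base, cgroup)
    return results


if __name__ == "__main__":
    if len(sys.argv) == 3:
        report = effective_memory_limit(sys.argv[1], sys.argv[2])
    else:
        report = demo()["applied"]
    for rel, limit, hier in report["chain"]:
        print(f"{rel:20} limit={limit or 'unlimited':>12} use_hierarchy={int(hier)}")
    print("effective limit:", report["effective"] or "unlimited")
```

Run it as `python3 check.py /sys/fs/cgroup/memory lxc/<name>` on the host (cgroup v1 only; cgroup v2 uses memory.max and has no use_hierarchy knob). If the container's own cgroup shows the unlimited value, the setting from lxc.cgroup.memory.limit_in_bytes never reached the kernel, which is a different problem from the limit not being enforced.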