[lxc-users] Elegant way for unprivileged container ulimits
Serge Hallyn
serge.hallyn at ubuntu.com
Wed Sep 16 19:23:45 UTC 2015
Quoting Bostjan Skufca (bostjan at a2o.si):
> On 15 September 2015 at 19:46, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > It sounds like it may be worthwhile. The patch shouldn't be huge, so
> > I think it's worth creating the patch and sending it to the list. Do
> > make sure to give a detailed description of how you'll use it. (Don't
> > assume I'll remember :)
>
> Tnx for the heads up. Two questions:
>
> 1. Configuration variable naming:
> (intended for all lxc-users participants)
>
> I lean towards something that is similar to what we currently have for
> setting limits in Linux. Thus I would prefer the setting to be called
> "lxc.ulimit.openfiles" or "lxc.ulimit.openfds" and not go with
> "lxc.rlimit.nofile", which is a reflection of syscall that does the
> actual trick.
> I understand that this is just an opinion, and I am interested in some
> other views. What is your opinion about this?
So long as it's documented in the lxc.container.conf manpage, use your
best judgement. I'd probably have defaulted to rlimit, but I buy your
justification, so go with ulimit.
> 2. Code placement:
> Conceptually this probably fits right before uidmapshift is being
> done, and after forking (cloning). Do you have any more specific
> pointers?
Not offhand, sorry. Looks like right before the child does
lxc_sync_barrier_parent(handler, LXC_SYNC_CONFIGURE) would be
the right place, unless you were to add a new sync point right
before the parent does the lxc_map_ids().
-serge
More information about the lxc-users
mailing list