[lxc-users] Elegant way for unprivileged container ulimits

Serge Hallyn serge.hallyn at ubuntu.com
Wed Sep 16 19:23:45 UTC 2015


Quoting Bostjan Skufca (bostjan at a2o.si):
> On 15 September 2015 at 19:46, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > It sounds like it may be worthwhile.  The patch shouldn't be huge, so
> > I think it's worth creating the patch and sending it to the list.  Do
> > make sure to give a detailed description of how you'll use it.  (Don't
> > assume I'll remember :)
> 
> Tnx for the heads up. Two questions:
> 
> 1. Configuration variable naming:
> (intended for all lxc-users participants)
> 
> I lean towards something that is similar to what we currently have for
> setting limits in Linux. Thus I would prefer the setting to be called
> "lxc.ulimit.openfiles" or "lxc.ulimit.openfds" and not go with
> "lxc.rlimit.nofile", which is a reflection of syscall that does the
> actual trick.
> I understand that this is just an opinion, and I am interested in some
> other views. What is your opinion about this?

So long as it's documented in the lxc.container.conf manpage, use your
best judgement.  I'd probably have defaulted to rlimit, but I buy your
justification, so go with ulimit.

> 2. Code placement:
> Conceptually this probably fits right before uidmapshift is being
> done, and after forking (cloning). Do you have any more specific
> pointers?

Not offhand, sorry.  Looks like right before the child does
lxc_sync_barrier_parent(handler, LXC_SYNC_CONFIGURE) would be
the right place, unless you were to add a new sync point right
before the parent does the lxc_map_ids().

-serge


More information about the lxc-users mailing list