userns; Document per user per user namespace limits.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
parent 537f7ccb39
commit 9c722e406a
@ -69,6 +69,7 @@ proc/ <empty>
sunrpc/ SUN Remote Procedure Call (NFS)
vm/ memory management tuning
buffer and cache management
user/ Per user per user namespace limits

These are the subdirs I have on my system. There might be more
or other subdirs in another setup. If you see another dir, I'd
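Review bot: the new README entry breaks the ordering of the subdirectory listing: "user/ Per user per user namespace limits" is appended after "vm/ memory management tuning", but the surrounding entries (proc/, sunrpc/, vm/) are alphabetical, so "user/" belongs between "sunrpc/" and "vm/". Moving it up keeps the list sorted and makes the new directory easier to find; the one-line description itself is fine.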
@ -0,0 +1,66 @@
Documentation for /proc/sys/user/* kernel version 4.9.0
(c) 2016 Eric Biederman <ebiederm@xmission.com>

==============================================================

This file contains the documetation for the sysctl files in
/proc/sys/user.

The files in this directory can be used to override the default
limits on the number of namespaces and other objects that have
per user per user namespace limits.

The primary purpose of these limits is to stop programs that
malfunction and attempt to create a ridiculous number of objects,
before the malfunction becomes a system wide problem. It is the
intention that the defaults of these limits are set high enough that
no program in normal operation should run into these limits.

The creation of per user per user namespace objects are charged to
the user in the user namespace who created the object and
verified to be below the per user limit in that user namespace.

The creation of objects is also charged to all of the users
who created user namespaces the creation of the object happens
in (user namespaces can be nested) and verified to be below the per user
limits in the user namespaces of those users.

This recursive counting of created objects ensures that creating a
user namespace does not allow a user to escape their current limits.

Currently, these files are in /proc/sys/user:

- max_cgroup_namespaces

The maximum number of cgroup namespaces that any user in the current
user namespace may create.

- max_ipc_namespaces

The maximum number of ipc namespaces that any user in the current
user namespace may create.

- max_mnt_namespaces

The maximum number of mount namespaces that any user in the current
user namespace may create.

- max_net_namespaces

The maximum number of network namespaces that any user in the
current user namespace may create.

- max_pid_namespaces

The maximum number of pid namespaces that any user in the current
user namespace may create.

- max_user_namespaces

The maximum number of user namespaces that any user in the current
user namespace may create.

- max_uts_namespaces

The maximum number of user namespaces that any user in the current
user namespace may create.
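Review bot: the max_uts_namespaces entry is a copy-paste error: its description "The maximum number of user namespaces that any user in the current user namespace may create." duplicates the max_user_namespaces text and should say "uts namespaces". Two smaller fixes in the same file: "documetation" in "This file contains the documetation for the sysctl files in" should be "documentation", and "The creation of per user per user namespace objects are charged to" should read "is charged to", since the subject is "creation". Beyond wording, the file explains the recursive charging model well but does not say what a caller observes when a limit is reached (which error the namespace-creating call fails with) or who is permitted to write these files and in which user namespace the written value takes effect; a sentence on each would make the document actionable for administrators tuning these limits.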