162306a36Sopenharmony_ci=========================== 262306a36Sopenharmony_ciNamespaces research control 362306a36Sopenharmony_ci=========================== 462306a36Sopenharmony_ci 562306a36Sopenharmony_ciThere are a lot of kinds of objects in the kernel that don't have 662306a36Sopenharmony_ciindividual limits or that have limits that are ineffective when a set 762306a36Sopenharmony_ciof processes is allowed to switch user ids. With user namespaces 862306a36Sopenharmony_cienabled in a kernel for people who don't trust their users or their 962306a36Sopenharmony_ciusers programs to play nice this problems becomes more acute. 1062306a36Sopenharmony_ci 1162306a36Sopenharmony_ciTherefore it is recommended that memory control groups be enabled in 1262306a36Sopenharmony_cikernels that enable user namespaces, and it is further recommended 1362306a36Sopenharmony_cithat userspace configure memory control groups to limit how much 1462306a36Sopenharmony_cimemory user's they don't trust to play nice can use. 1562306a36Sopenharmony_ci 1662306a36Sopenharmony_ciMemory control groups can be configured by installing the libcgroup 1762306a36Sopenharmony_cipackage present on most distros editing /etc/cgrules.conf, 1862306a36Sopenharmony_ci/etc/cgconfig.conf and setting up libpam-cgroup. 19