===========================
Namespaces research control
===========================

There are a lot of kinds of objects in the kernel that don't have
individual limits or that have limits that are ineffective when a set
of processes is allowed to switch user ids.  With user namespaces
enabled in a kernel for people who don't trust their users or their
users' programs to play nice, this problem becomes more acute.

Therefore it is recommended that memory control groups be enabled in
kernels that enable user namespaces, and it is further recommended
that userspace configure memory control groups to limit how much
memory users they don't trust to play nice can use.

Memory control groups can be configured by installing the libcgroup
package present on most distros, editing /etc/cgrules.conf and
/etc/cgconfig.conf, and setting up libpam-cgroup.
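
The three pieces named above fit together as follows. This is an added example, not part of the original kernel document. It assumes the cgroup v1 memory controller; the group name ``untrusted``, the 512M limit and the PAM file path are constructed for illustration.

```conf
# ---- /etc/cgconfig.conf ----
# Defines the control group and its memory ceiling.
# "untrusted" and 512M are constructed sample values.
group untrusted {
    memory {
        # Hard cap on memory charged to tasks in this group.
        memory.limit_in_bytes = 512M;
    }
}

# ---- /etc/cgrules.conf ----
# Maps users or groups to a control group.
# <user|@group>   <controllers>   <destination>
@untrusted        memory          untrusted

# ---- PAM session stack ----
# Assumed location: /etc/pam.d/common-session (path varies by distro).
# pam_cgroup.so, shipped by libpam-cgroup, applies cgrules.conf at login
# so the session starts inside the limited group.
session optional pam_cgroup.so
```

The limit is enforced per control group, not per user id, so it continues to apply to processes that switch ids inside a user namespace they created.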