userns-remap:: user namespace does not isolate user limits #27444
Comments
Cc @estesp interesting issue... On 17 Oct 2016 12:53 p.m., "Andrey Arapov" notifications@github.com wrote:
The underlying issue is that the ulimits controls are not namespaced. For the limit you are talking about, If you want a more granular approach to per-container process limits, and are able to use a host with Linux kernel 4.3 or above, the more recent
Ah yes, that makes sense. It is not specific to user namespaces either. Using the Closing as working as intended, even if a bit unexpected. (Feel free to continue conversation.)
Interesting that this patch (re: namespacing the nproc limits per user/userns) just showed up on the containers linux mailing list -- linking here for posterity as others may find this issue in the future: https://lists.linuxfoundation.org/pipermail/containers/2016-October/037599.html
That's really interesting, thanks for sharing this link here :-)
Description
The user namespace does not isolate user limits.
Is this a current cgroups limitation?

Steps to reproduce the issue:
/etc/subuid and /etc/subgid files with the following line:
--userns-remap=default argument

Describe the results you received:
[containerB] The processes can't spawn due to a user limit:

Describe the results you expected:
[containerB] The processes should be normally running (up to 7 processes)

Output of docker version:
Output of docker info:
Additional environment details (AWS, VirtualBox, physical, etc.):