[Devel] [PATCH RH7] ve/pid: Export kernel.pid_max via ve cgroup
Cyrill Gorcunov
gorcunov at virtuozzo.com
Tue Jul 19 06:02:48 PDT 2016
On Tue, Jul 19, 2016 at 03:25:08PM +0300, Pavel Tikhomirov wrote:
> >
> > p.s. I'm not really follow why this feature is needed in container
> > at all, i mean the @pid_max virtualization. Presume due to hist. reasons.
>
> If the only reason was(as far as I understood
> https://jira.sw.ru/browse/PSBM-6437) to have more pids available on host(for
> pid mapping from containers pids) but not in CT, than actually we can
> instead make kernel.pid_max readonly in CT and we won't need c/r-ing it.
>
> Why pid_max is writable in pidns in Upstream is also a riddle - one can
> restrict number of processes to 301 from unprivileged user on hole node,
> like:
> unshare -Upm --fork --mount-proc sysctl -w kernel.pid_max=301
Fair enough, thanks!
More information about the Devel
mailing list