Re: userns, netns, and quick physical memory consumption by unprivileged user

From: Michal Hocko
Date: Mon Mar 14 2016 - 05:14:33 EST

On Fri 11-03-16 18:06:59, Yuriy M. Kaminskiy wrote:
> And also tried with memcg:
> t=/sys/fs/cgroup/memory/test1;mkdir $t;echo 0 >$t/tasks;
> echo 48M >$t/memory.limit_in_bytes; su testuser [...]
> and it has not helped at all (rather the opposite, it ended up with a killed
> init and a kernel panic; well, the latter is pure (un)luck; but the point is, memcg
> apparently *CANNOT* curb net/ns allocations).

It seems you were using memcg v1 here. This didn't have the kernel
memory accounting enabled by default. With v2 you get both user and
kernel (well, some subset of it) accounting enabled. Whether we also
account netns-related data structures sufficiently is a question. I haven't
checked. But it would be worth trying and fixing.

Michal Hocko
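The "worth trying" above can be turned into a measurement. The script below is an added example, not code from this thread or from the kernel tree: it sums the kernel-side counters from a cgroup v2 memory.stat (the field names kernel_stack, pagetables, percpu, sock, slab and vmalloc are the ones documented for cgroup v2; older kernels expose only a subset, and the "kernel" aggregate line exists only on newer kernels, which is why the components are summed explicitly), and, when run as root with MEMCG_NETNS_MEASURE=1, puts the shell into a fresh leaf cgroup with a hard memory.max, has an unprivileged user hold a number of user+net namespace pairs open, and reports how much the cgroup's kernel counters grew. The cgroup v2 mount point /sys/fs/cgroup, the util-linux unshare tool, the 48M limit and the user name testuser from the quoted reproduction are assumptions; the memory.stat sample is constructed for the self-check and is not real output.

```shell
#!/bin/sh
# Added example (not from the thread): does cgroup v2 charge the kernel memory
# behind user/net namespaces to the memory cgroup that created them?
# Assumptions: cgroup v2 mounted at CG_ROOT, util-linux `unshare`, and root for
# the measurement part. The parsing part runs unprivileged.

CG_ROOT=${CG_ROOT:-/sys/fs/cgroup}

# Read memory.stat text on stdin and print the sum of the kernel-side counters.
# "slab" already covers slab_reclaimable + slab_unreclaimable, so those are not
# added again. Fields absent on older kernels simply contribute nothing.
kernel_bytes_from_stat() {
    total=0
    while read -r key val; do
        [ -n "$val" ] || continue
        case "$key" in
            kernel_stack|pagetables|percpu|sock|slab|vmalloc)
                total=$((total + val)) ;;
        esac
    done
    printf '%s\n' "$total"
}

# Constructed memory.stat sample (not real output) used for a self-check.
SAMPLE_STAT='anon 4096
file 8192
kernel_stack 16384
pagetables 4096
percpu 2048
sock 1024
slab 65536
slab_reclaimable 4096
slab_unreclaimable 61440'

sample_kernel_bytes() {
    printf '%s\n' "$SAMPLE_STAT" | kernel_bytes_from_stat
}

# Create a leaf memory cgroup with a hard limit and move this shell into it.
# Every child started from here (including the unprivileged ones) inherits it.
enter_limited_memcg() { # $1 = cgroup name, $2 = memory.max value (e.g. 48M)
    cg="$CG_ROOT/$1"
    echo +memory > "$CG_ROOT/cgroup.subtree_control" 2>/dev/null || true
    mkdir -p "$cg"
    echo "$2" > "$cg/memory.max"
    echo $$ > "$cg/cgroup.procs"
    printf '%s\n' "$cg"
}

# Have an unprivileged user hold N user+net namespace pairs open for a while,
# then report memory.current and the growth of the kernel counters. If the
# accounting works and memory.max is small, the cgroup OOM killer will kill
# processes inside this cgroup (possibly this shell) instead of the whole box.
measure_netns_charge() { # $1 = cgroup path, $2 = namespace count, $3 = user
    before=$(kernel_bytes_from_stat < "$1/memory.stat")
    i=0
    while [ "$i" -lt "$2" ]; do
        su -s /bin/sh "$3" -c 'unshare -U -n sleep 30' &
        i=$((i + 1))
    done
    sleep 2
    after=$(kernel_bytes_from_stat < "$1/memory.stat")
    echo "memory.current=$(cat "$1/memory.current") kernel_delta=$((after - before))"
    wait
}

echo "self-check: constructed sample sums to $(sample_kernel_bytes) bytes of kernel memory"

if [ "${MEMCG_NETNS_MEASURE:-0}" = 1 ]; then
    cg=$(enter_limited_memcg netns-test 48M)
    measure_netns_charge "$cg" 64 testuser
fi
```

Run it unprivileged to see only the self-check; run it as root with MEMCG_NETNS_MEASURE=1 on a cgroup v2 host to take the measurement. A kernel_delta that stays near zero while the namespaces exist, or memory.current that never approaches memory.max however many namespaces are held, is the symptom the thread is asking about: the netns allocations are not being charged to the cgroup.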