1. Patchew
  2. linux
  3. View series

[PATCH v2] docs: namespace: Tweak and reword resource control doc

Joel Savitz posted 1 patch 7 months, 4 weeks ago
There is a newer version of this series
.../namespaces/resource-control.rst           | 24 +++++++++----------
1 file changed, 12 insertions(+), 12 deletions(-)
[PATCH v2] docs: namespace: Tweak and reword resource control doc
Posted by Joel Savitz 7 months, 4 weeks ago 
Fix the document title and reword the phrasing to active voice.

Signed-off-by: Joel Savitz <jsavitz@redhat.com>
---
Changes since v1:
- Fix spelling of resource

 .../namespaces/resource-control.rst           | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/Documentation/admin-guide/namespaces/resource-control.rst b/Documentation/admin-guide/namespaces/resource-control.rst
index 369556e00f0c..350134c26a98 100644
--- a/Documentation/admin-guide/namespaces/resource-control.rst
+++ b/Documentation/admin-guide/namespaces/resource-control.rst
@@ -1,17 +1,17 @@
-===========================
-Namespaces research control
-===========================
+====================================
+User namespaces and resource control
+====================================
 
-There are a lot of kinds of objects in the kernel that don't have
-individual limits or that have limits that are ineffective when a set
-of processes is allowed to switch user ids.  With user namespaces
-enabled in a kernel for people who don't trust their users or their
-users programs to play nice this problems becomes more acute.
+The kernel contains many kinds of objects that either don't have
+individual limits or that have limits which are ineffective when
+a set of processes is allowed to switch their UID. On a system
+where there admins don't trust their users or their users' programs,
+user namespaces expose the system to potential misuse of resources.
 
-Therefore it is recommended that memory control groups be enabled in
-kernels that enable user namespaces, and it is further recommended
-that userspace configure memory control groups to limit how much
-memory user's they don't trust to play nice can use.
+In order to mitigate this, we recommend that admins enable memory
+control groups on any system that enables user namespaces.
+Furthermore, we recommend that admins configure the memory control
+groups to limit the maximum memory usable by any untrusted user.
 
 Memory control groups can be configured by installing the libcgroup
 package present on most distros editing /etc/cgrules.conf,
-- 
2.45.2
Re: [PATCH v2] docs: namespace: Tweak and reword resource control doc
Posted by Bagas Sanjaya 7 months, 4 weeks ago 
On Sat, Apr 19, 2025 at 11:04:28AM -0400, Joel Savitz wrote:
> -There are a lot of kinds of objects in the kernel that don't have
> -individual limits or that have limits that are ineffective when a set
> -of processes is allowed to switch user ids.  With user namespaces
> -enabled in a kernel for people who don't trust their users or their
> -users programs to play nice this problems becomes more acute.
> +The kernel contains many kinds of objects that either don't have
> +individual limits or that have limits which are ineffective when
> +a set of processes is allowed to switch their UID. On a system
> +where there admins don't trust their users or their users' programs,
> +user namespaces expose the system to potential misuse of resources.

Do you mean "when there are admins who don't trust ..." or "where admins don't
trust ..."?

Confused...

-- 
An old man doll... just what I always wanted! - Clara
Re: [PATCH v2] docs: namespace: Tweak and reword resource control doc
Posted by Joel Savitz 7 months, 3 weeks ago 
On Sat, Apr 19, 2025 at 10:34 PM Bagas Sanjaya <bagasdotme@gmail.com> wrote:
>
> On Sat, Apr 19, 2025 at 11:04:28AM -0400, Joel Savitz wrote:
> > -There are a lot of kinds of objects in the kernel that don't have
> > -individual limits or that have limits that are ineffective when a set
> > -of processes is allowed to switch user ids.  With user namespaces
> > -enabled in a kernel for people who don't trust their users or their
> > -users programs to play nice this problems becomes more acute.
> > +The kernel contains many kinds of objects that either don't have
> > +individual limits or that have limits which are ineffective when
> > +a set of processes is allowed to switch their UID. On a system
> > +where there admins don't trust their users or their users' programs,
> > +user namespaces expose the system to potential misuse of resources.
>
> Do you mean "when there are admins who don't trust ..." or "where admins don't
> trust ..."?

I meant to write "the admins", my bad.

>
> Confused...
>
> --
> An old man doll... just what I always wanted! - Clara

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.