[ale] Containers... use?

Jim Kinney jim.kinney at gmail.com
Mon Sep 18 07:43:45 EDT 2017


Yep. The chroot provides only what can be run and cgroups controls the resources.

I don't write directly into the sys tree (usually). Sysctl.conf is my preferred method. Cgroups has a conf file for everything, /etc/cgconfig.conf. The man page for cgconfig.conf has multiple examples.

On September 18, 2017 12:01:01 AM EDT, Steve Litt <slitt at troubleshooters.com> wrote:
>On Sun, 17 Sep 2017 17:32:24 -0400
>Jim Kinney <jim.kinney at gmail.com> wrote:
>> 
>> On September 17, 2017 5:11:38 PM EDT, Steve Litt
>> <slitt at troubleshooters.com> wrote:
>> >On Sat, 16 Sep 2017 22:21:32 -0400
>> >Jim Kinney <jim.kinney at gmail.com> wrote:
>> >
>> >  
>> >> 
>> >> Chroots work well. Add cgroups and it's rather locked down.  
>> >
>> >What part do cgroups add to the mix?
>> > 
>> >SteveT
>
>
>> Best explanation is Wikipedia
>> 
>> https://en.m.wikipedia.org/wiki/Cgroups
>> 
>> Short answer: it's how you set usage limits on a process.
>
>So if I understand you correctly, cgroups doesn't directly enhance
>security, but instead "locks down" how much of certain resources a
>process and any of its spawned processes can use. If I'm not mistaken,
>the chroot enhances security. That sound right?
>
>When you control cgroups, do you interact with the /sys/fs/cgroup tree?
>
>Thanks,
> 
>SteveT
>
>Steve Litt
>September 2017 featured book: Manager's Guide to Technical
>Troubleshooting Brand new, second edition
>http://www.troubleshooters.com/mgr

-- 
Sent from my Android device with K-9 Mail. All tyopes are thumb related and reflect authenticity.
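
As an added example (not part of the original thread): a check that a chrooted process really landed in the cgroup that /etc/cgconfig.conf defines, done by parsing /proc/<pid>/cgroup in its cgroup v1 layout. The group name `jail` and both sample inputs are constructed for illustration.

```python
# Added example. Sample data is constructed, not taken from a real host.
# Assumes the cgroup v1 layout that /etc/cgconfig.conf configures.

def parse_proc_cgroup(text):
    """Parse /proc/<pid>/cgroup content into {controller: cgroup_path}.

    Each line is 'hierarchy-ID:controller-list:cgroup-path'. On v1 the
    controller list is comma-separated; a v2 entry has an empty list and
    is stored under the key ''.
    """
    membership = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # The path may itself contain ':', so split at most twice.
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed cgroup line: {line!r}")
        _hier_id, controllers, path = parts
        for name in controllers.split(","):
            membership[name] = path
    return membership


def unlimited_controllers(text, required=("cpu", "memory")):
    """Return the required controllers that do not confine the process:
    the controller is absent, or the process sits in the root cgroup '/'."""
    membership = parse_proc_cgroup(text)
    return [c for c in required if membership.get(c, "/") == "/"]


# Constructed sample: process placed in the hypothetical group 'jail'.
CONFINED = "5:memory:/jail\n4:cpu,cpuacct:/jail\n1:name=systemd:/user.slice\n"
# Constructed sample: memory controller was missed, so no memory limit applies.
PARTIAL = "5:memory:/\n4:cpu,cpuacct:/jail\n1:name=systemd:/user.slice\n"

if __name__ == "__main__":
    for label, sample in (("confined", CONFINED), ("partial", PARTIAL)):
        print(label, "->", unlimited_controllers(sample) or "all limits apply")
```

On a live system, pass the contents of /proc/<pid>/cgroup for the chrooted process instead of the sample strings.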