1==================================== 2User namespaces and resource control 3==================================== 4 5The kernel contains many kinds of objects that either don't have 6individual limits or that have limits which are ineffective when 7a set of processes is allowed to switch their UID. On a system 8where the admins don't trust their users or their users' programs, 9user namespaces expose the system to potential misuse of resources. 10 11In order to mitigate this, we recommend that admins enable memory 12control groups on any system that enables user namespaces. 13Furthermore, we recommend that admins configure the memory control 14groups to limit the maximum memory usable by any untrusted user. 15 16Memory control groups can be configured by installing the libcgroup 17package present on most distros editing /etc/cgrules.conf, 18/etc/cgconfig.conf and setting up libpam-cgroup. 19