Eric Dumazet <eric.duma...@gmail.com> writes:

> On Wed, 2017-07-26 at 19:03 +0200, Matteo Croce wrote:
>> The following sysctls are global and can't be read or set from a netns:
>>
>> net.core.rmem_default
>> net.core.rmem_max
>> net.core.wmem_default
>> net.core.wmem_max
>>
>> Make the following sysctl parameters available from within a network
>> namespace, allowing unique values to be set per network namespace.
>>
>> My concern is about the initial value of these sysctls in the newly
>> created netns: I'm not sure if it is better to copy them from the init
>> namespace or set them to the default values.
>>
>> Setting them to the default value has the advantage that a new namespace
>> behaves like a freshly booted system, while copying them from the init
>> netns has the advantage of keeping the current behaviour as the values
>> from the init netns are used.
>>
>> Signed-off-by: Matteo Croce <mcr...@redhat.com>
>> ---
>
> It looks like these sysctls were giving some kind of isolation.
>
> If we make them per namespace, a malicious usage could eat all memory
> and hurt other namespaces.
We do account rmem as well as wmem allocated memory to the appropriate
mem_cgs. In theory this should be okay.

Bye,
Hannes
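An added check, not part of the thread or the patch: a shell script that reports, for the four sysctls Matteo lists, whether a value written inside a network namespace stays local to it or leaks into the init namespace (the netns name "sbuf-probe" and the +4096 probe offset are constructed; it needs root and iproute2).

```shell
# Added example, not from the thread or the patch. Probes whether the four
# net.core socket-buffer sysctls are honoured per network namespace: set a
# different value inside a throwaway netns and see whether the init
# namespace's value moves. Needs root and iproute2; netns name is constructed.
set -eu

SYSCTLS="net.core.rmem_default net.core.rmem_max net.core.wmem_default net.core.wmem_max"

# Pure helper: a probe value that differs from the current one. Adding to a
# value the kernel already accepted keeps it above the kernel's minimum clamp.
probe_value() {
    echo $(( $1 + 4096 ))
}

# read_in NETNS KEY -- NETNS "-" means the init namespace
read_in() {
    if [ "$1" = "-" ]; then sysctl -n "$2"; else ip netns exec "$1" sysctl -n "$2"; fi
}

# check_isolation NETNS -- prints KEY=isolated|global|not-visible per sysctl
check_isolation() {
    ns=$1
    for key in $SYSCTLS; do
        init_before=$(read_in - "$key")
        # Before the patch these files do not exist in a non-init netns at all.
        if ! ns_before=$(read_in "$ns" "$key" 2>/dev/null); then
            echo "$key=not-visible"
            continue
        fi
        ip netns exec "$ns" sysctl -qw "$key=$(probe_value "$ns_before")"
        if [ "$(read_in - "$key")" = "$init_before" ]; then
            echo "$key=isolated"
        else
            echo "$key=global"
        fi
        # Restore both namespaces so the probe leaves no trace.
        ip netns exec "$ns" sysctl -qw "$key=$ns_before"
        sysctl -qw "$key=$init_before"
    done
}

main() {
    ns=sbuf-probe
    ip netns add "$ns"
    trap 'ip netns del "$ns"' EXIT
    check_isolation "$ns"
}
# Only run the privileged part when explicitly asked: sh probe.sh --run
case "${1:-}" in --run) main ;; esac
```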