Skip to content

Commit

Permalink
Updates
Browse files Browse the repository at this point in the history
  • Loading branch information
actions-user committed Jul 18, 2024
1 parent d79b40c commit d1425e7
Show file tree
Hide file tree
Showing 3 changed files with 20 additions and 16 deletions.
18 changes: 10 additions & 8 deletions docs/admin/main/_sources/security.rst.txt
Original file line number Diff line number Diff line change
Expand Up @@ -29,18 +29,20 @@ seccomp and apparmor. Please see the `Security Options section
Limits on resource usage by containers can be enforced using cgroups. On systems
that use cgroups v1, only the root user can set resource limits. On systems that
use cgroups v2 and systemd, all users can apply resource limits as long as the
system is configured for delegation.
system is configured for delegation to non-root users.

By default, EL9, Ubuntu 22.04, Debian 11, Fedora 31 and newer use cgroups v2 and
are configured for delegation so that unprivileged users will be able to use the
``--apply-cgroups`` and other resource limit flags of {Project} without
further configuration.

On EL8 and Ubuntu 20.04 it is possible to setup a compatible configuration by
following the 'Enabling cgroup v2' and 'Enabling CPU, CPUSET, and I/O
delegation' steps at the `rootless containers website
are configured so that non-root users will be able to use the
``--memory-*`` and ``--pids-limit`` flags of {Project} or
limit those aspects with the ``--apply-cgroups`` flag.
To enable the other resource limits follow the
'Enabling CPU, CPUSET, and I/O delegation' step at the
`rootless containers website
<https://rootlesscontaine.rs/getting-started/common/cgroup2/>`_.

On EL8 and Ubuntu 20.04 it is possible to set up a compatible configuration by
also following the 'Enabling cgroup v2' step at the above website.

See the `Limiting Container Resources section
<{userdocs}/cgroups.html>`_ of the user guide
for more details of how to apply cgroups limits to containers at runtime.
Loading

0 comments on commit d1425e7

Please sign in to comment.