Documentation\namespaces\resource-control.txt

 

Chinese translated version of Documentation/resource-control.txt

If you have any comment or update to the content, please contact the
original document maintainer directly.  However, if you have a problem
communicating in English you can also ask the Chinese maintainer for
help.  Contact the Chinese maintainer if this translation is outdated
or if there is a problem with the translation.

Chinese maintainer: 赵晶  anana53@qq.com
---------------------------------------------------------------------
Documentation/resource-control.txt 的中文翻译

如果想评论或更新本文的内容，请直接联系原文档的维护者。如果你使用英文
交流有困难的话，也可以向中文版维护者求助。如果本翻译更新不及时或者翻
译存在问题，请联系中文版维护者。

中文版维护者： 赵晶  anana53@qq.com
中文版翻译者： 赵晶  anana53@qq.com
中文版校译者： 赵晶  anana53@qq.com

以下为正文
---------------------------------------------------------------------

There are a lot of kinds of objects in the kernel that don't have
individual limits or that have limits that are ineffective when a set
of processes is allowed to switch user ids.  With user namespaces
enabled in a kernel for people who don't trust their users or their
users programs to play nice this problems becomes more acute.

Therefore it is recommended that memory control groups be enabled in
kernels that enable user namespaces, and it is further recommended
that userspace configure memory control groups to limit how much
memory user's they don't trust to play nice can use.

Memory control groups can be configured by installing the libcgroup
package present on most distros editing /etc/cgrules.conf,
/etc/cgconfig.conf and setting up libpam-cgroup.

在内核中有很多各种各样的对象，他们没有
个体限制，或有当一组进程允许
切换用户ID时是无效的限制。随着用户空间
在内核中的启用，人们不信任他们的用户或他们
优先解决这个问题的用户程序，情况变得更加严重。

因此建议在内核中启用存储组，
使用户的命名空间可使用。并进一步建议
这个用户空间的配置存储器控制组设一个限制，多少
内存时，用户会不信任优先级可以使用。

存储器控制组可以通过安装libcgroup
目前大多数发行版／etc／cgrules.conf，
/ cgconfig.conf包来配置和设置libpam-cgroup.