Enable PAM configuration (limits.conf) for a running daemon


Problem description

I'm currently attempting to develop a sandbox using Docker. Docker spawns processes through a running daemon, and I am having a great deal of trouble enabling the limits set forth in the limits.conf file such that they apply to the daemon. Specifically, I am running a forkbomb such that the daemon is the process that spawns all the new processes. The nproc limitation I placed on the user making this call doesn't seem to get applied, and I for the life of me cannot figure out how to make it work. I'm quite positive it will be as simple as adding the correct file to /etc/pam.d/, but I'm not certain.

Recommended answer

The PAM limits only apply to processes playing nice with PAM. By default, when you start a shell in a container, it won't have anything to do with PAM, and setting limits through PAM just won't work.

Here are some other ways to make it happen!


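  1. Instead of starting your process right away, you can start a tiny wrapper script which, before executing your process, will do the appropriate ulimit calls.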

  2. If you want an interactive shell, you can run login -f <username> (e.g. login -f root); that will use the normal login process to auto-log you on the machine (and that should go through the normal PAM mechanisms).

  3. If you want all containers to be subject to those limits, you can set the limits on your system, then restart Docker with those lower limits; containers are created by Docker, and by default, they will inherit those limits as well.
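
The wrapper-script approach from the first item of the answer, as an added example that is not part of the original answer: it lowers the nproc limit and then execs the real command, with no PAM involved. The names set_nproc_limit, run_limited, effective_nproc and NPROC_LIMIT are hypothetical, the default of 64 is constructed, and the read-back assumes a Linux /proc.

```shell
#!/bin/sh
# Added example. set_nproc_limit, run_limited, effective_nproc and NPROC_LIMIT
# are hypothetical names; 64 is a constructed default.

# Lower RLIMIT_NPROC (soft and hard) for this shell and whatever it execs.
# bash spells the option -u; dash uses -p for the same limit.
set_nproc_limit() {
    case $1 in
        ''|*[!0-9]*)
            echo "nproc limit must be a non-negative integer: '$1'" >&2
            return 2 ;;
    esac
    if [ -n "${BASH_VERSION:-}" ]; then
        ulimit -u "$1"
    else
        ulimit -p "$1"
    fi
}

# Run a command under the limit without changing the caller's own limits.
# The limit is set in a subshell, and exec replaces that subshell, so no
# fork happens between lowering the limit and starting the command.
run_limited() {
    limit=$1
    shift
    (
        set_nproc_limit "$limit" || exit 125
        exec "$@"
    )
}

# Report the soft "Max processes" value the kernel shows for a process
# started through run_limited (reads Linux /proc).
effective_nproc() {
    run_limited "$1" cat /proc/self/limits | awk '/^Max processes/ {print $3}'
}

# Entrypoint use: wrapper.sh CMD [ARGS...]
if [ "$#" -gt 0 ]; then
    set_nproc_limit "${NPROC_LIMIT:-64}" || exit 125
    exec "$@"
fi
```

RLIMIT_NPROC is counted per real user ID and is not enforced for processes running as real UID 0 or holding CAP_SYS_ADMIN or CAP_SYS_RESOURCE, so the wrapped command should run as an unprivileged user for the limit to contain a forkbomb.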
