
Re: [HTCondor-users] condor_ssh_to_job

Keith Brown wrote:
> I will look into CGroups. I suppose I will wait until RHEL 7.2 is out then
> upgrade and try out CGroups.

cgroups don't do what you think they do. Putting a process within a cgroup container means that process is constrained by the limits of the container, nothing more. Containers do nothing to prevent users from exploiting local resources or privilege escalation vulnerabilities that permit them to escape the confines of containers.

Rich Pieri <ratinox@xxxxxxx>
MIT Laboratory for Nuclear Science
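
The distinction drawn in the reply above, as an added example that is not part of the original message: a small audit that reads a process's `/proc/<pid>/cgroup` and `/proc/<pid>/status` text and reports which resource controllers apply to it separately from which privilege controls are absent. The sample inputs and the cgroup path are constructed, and the function names are hypothetical.

```python
# Added example: cgroup membership (resource limits) vs. privilege confinement.
# Both samples are constructed; the cgroup path is a placeholder.
SAMPLE_CGROUP = (
    "4:memory:/htcondor/job_example\n"
    "3:cpu,cpuacct:/htcondor/job_example\n"
    "1:name=systemd:/system.slice/condor.service\n"
)
SAMPLE_STATUS = (
    "Name:\tsleep\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "CapEff:\t0000000000000000\n"
    "NoNewPrivs:\t0\n"
    "Seccomp:\t0\n"
)

def parse_cgroup(text):
    """Map controller -> path from /proc/<pid>/cgroup (hierarchy-ID:controllers:path)."""
    out = {}
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        # cgroup v2 lines have an empty controller field; record them as "unified"
        for ctrl in (parts[1].split(",") if parts[1] else ["unified"]):
            out[ctrl] = parts[2]
    return out

def parse_status(text):
    """Map field name -> list of values from /proc/<pid>/status."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {k.strip(): v.split() for k, sep, v in pairs if sep}

def audit(cgroup_text, status_text):
    """Report resource controllers in force and privilege controls that are absent.
    A field missing from status (older kernels) is treated as not set."""
    cg, st = parse_cgroup(cgroup_text), parse_status(status_text)
    limited = sorted(c for c, p in cg.items() if p != "/" and not c.startswith("name="))
    gaps = []
    if st.get("Uid", ["", "1"])[1] == "0":          # second Uid value is the effective uid
        gaps.append("effective uid is root")
    if int(st.get("CapEff", ["0"])[0], 16) != 0:    # hex bitmask of effective capabilities
        gaps.append("effective capabilities held")
    if st.get("NoNewPrivs", ["0"])[0] == "0":
        gaps.append("no_new_privs not set")
    if st.get("Seccomp", ["0"])[0] == "0":          # 0 = disabled, 1 = strict, 2 = filter
        gaps.append("no seccomp filter")
    return {"resource_controllers": limited, "confinement_gaps": gaps}

if __name__ == "__main__":
    print(audit(SAMPLE_CGROUP, SAMPLE_STATUS))
```

On a live host, pass the contents of `/proc/<pid>/cgroup` and `/proc/<pid>/status` for the job process instead of the samples.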