Setting resource limits on rootless containers
A few moments ago, I told you about the concept of delegation. Normally, you need root privileges in order to set any resource limits. However, you can delegate this chore to non-privileged users. The best news is that, unlike delegation under cgroups Version 1, delegation under cgroup Version 2 is safe: systemd does not treat delegation on the v1 hierarchy as safe and only fully supports it on the v2 unified hierarchy, where a delegated subtree is cleanly separated from the rest of the cgroup tree.
To see the default setting, open the /lib/systemd/system/user@.service file, and look for the Delegate= line in the [Service] section. The applicable lines should look like this:

    [Service]
    . . .
    Delegate=pids memory
    . . .
By default, Fedora only allows non-privileged users to set resource limits for memory (the memory controller) and for the maximum number of processes (the pids controller). We need to edit that to include the cpu, cpuset, and io resource controllers, like this:
[donnie@fedora ~]$ sudo systemctl edit --full user@.service
Edit the Delegate= line so that it looks like this:

    Delegate=pids memory io cpu cpuset
Save...
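As an added example (not from the book), here is a shell script that checks which controllers user@.service actually delegates to a user's systemd instance and reports what the Delegate= line still needs. The function names, the REQUIRED list and the --check flag are my own choices. It also points at the drop-in alternative to systemctl edit --full: --full copies the entire unit into /etc/systemd/system, which shadows any later update to the packaged file, whereas a plain systemctl edit user@.service creates an override.conf that changes only the Delegate= line.

```bash
#!/usr/bin/env bash
# Added example, not from the book: verify which cgroup v2 controllers are
# delegated to a non-privileged user's systemd instance, before and after
# editing the Delegate= line in user@.service.

REQUIRED="pids memory io cpu cpuset"   # the controllers the text asks for

# Given the effective Delegate= value (e.g. "pids memory") and the required
# list, print the controllers that are still missing, space-separated.
missing_controllers() {
    local have="$1" want="$2" out="" c
    for c in $want; do
        case " $have " in
            *" $c "*) ;;               # already delegated
            *) out="$out $c" ;;
        esac
    done
    printf '%s' "${out# }"
}

# Build the Delegate= line that should end up in the unit (or a drop-in).
delegate_line() {
    printf 'Delegate=%s\n' "$1"
}

# Live check against a running systemd. `systemctl show` reports the value
# actually in effect, drop-ins included, and the kernel's cgroup.controllers
# file shows which controllers the user's own cgroup is allowed to enable.
live_check() {
    local uid effective kernel miss
    uid=$(id -u)
    effective=$(systemctl show -p DelegateControllers --value user@.service)
    echo "user@.service delegates: ${effective:-<none>}"
    miss=$(missing_controllers "$effective" "$REQUIRED")
    if [ -n "$miss" ]; then
        echo "missing: $miss"
        echo "fix: sudo systemctl edit user@.service  (creates a drop-in), then add:"
        printf '  [Service]\n  '
        delegate_line "$REQUIRED"
        echo "then log out and back in so a fresh user@$uid.service picks it up"
    fi
    kernel=/sys/fs/cgroup/user.slice/user-$uid.slice/user@$uid.service/cgroup.controllers
    if [ -r "$kernel" ]; then
        echo "kernel sees for user@$uid.service: $(cat "$kernel")"
    fi
}

# Only touch the live system when asked to; otherwise just define the helpers.
if [ "${1:-}" = "--check" ]; then
    live_check
fi
```

Run it as `bash delegate-check.sh --check` as the non-privileged user. Note that changing Delegate= does not affect an already running user@UID.service; the new controllers appear in cgroup.controllers only once a new instance starts, which in practice means logging out and back in.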