Keith Brown wrote:
I will look into CGroups. I suppose I will wait until RHEL 7.2 is out then upgrade and try out CGroups.
cgroups don't do what you think they do. Putting a process within a cgroup container means that process is constrained by the limits of the container, nothing more. Containers do nothing to prevent users from exploiting local resources or privilege escalation vulnerabilities that permit them to escape the confines of containers.
-- Rich Pieri <ratinox@xxxxxxx> MIT Laboratory for Nuclear Science
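
Added example (not part of the original message): a small Python check showing that a process can be resource-limited by cgroups while its credentials and kernel exposure are unchanged. The function names and the sample `/proc/<pid>/cgroup` and `/proc/<pid>/status` text are constructed for illustration; a `NoNewPrivs` or `Seccomp` field missing on an older kernel is assumed to mean "unset".

```python
# Added example: the sample /proc text below is constructed, not captured from a real host.
SAMPLE_CGROUP = """\
4:memory:/limited/batch
3:cpu,cpuacct:/limited/batch
1:name=systemd:/user.slice
"""
SAMPLE_STATUS = """\
Name:\tjob
Uid:\t1000\t1000\t1000\t1000
CapEff:\t0000000000000000
NoNewPrivs:\t0
Seccomp:\t0
"""

def parse_cgroup(text):
    """Map each controller to its cgroup path (line format: id:controllers:path)."""
    limits = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _id, controllers, path = line.split(":", 2)
        for c in controllers.split(","):
            if c and not c.startswith("name="):  # skip named and cgroup-v2 entries
                limits[c] = path
    return limits

def parse_status(text):
    """Return /proc/<pid>/status as {field: [values]}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value.split()
    return fields

def audit(cgroup_text, status_text):
    """Report which controllers limit the process and what cgroups leave open."""
    limits = {c: p for c, p in parse_cgroup(cgroup_text).items() if p != "/"}
    st = parse_status(status_text)
    gaps = []
    if st.get("Seccomp", ["0"])[0] == "0":       # assumption: missing == unset
        gaps.append("no seccomp filter: full syscall surface reachable")
    if st.get("NoNewPrivs", ["0"])[0] == "0":    # assumption: missing == unset
        gaps.append("no_new_privs unset: setuid binaries can still raise privileges")
    if int(st.get("CapEff", ["0"])[0], 16) != 0:
        gaps.append("process holds effective capabilities")
    return {"resource_limited_by": sorted(limits), "euid": int(st["Uid"][1]), "gaps": gaps}

if __name__ == "__main__":
    print(audit(SAMPLE_CGROUP, SAMPLE_STATUS))
```

On a live Linux host the same functions can be fed the contents of `/proc/<pid>/cgroup` and `/proc/<pid>/status` for the process being reviewed.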