There are a lot of kinds of objects in the kernel that don't haveindividual limits or that have limits that are ineffective when a setof processes is allowed to switch user ids. With user namespacesenabled in a kernel for people who don't trust their users or theirusers programs to play nice this problems becomes more acute.Therefore it is recommended that memory control groups be enabled inkernels that enable user namespaces, and it is further recommendedthat userspace configure memory control groups to limit how muchmemory user's they don't trust to play nice can use.Memory control groups can be configured by installing the libcgrouppackage present on most distros editing /etc/cgrules.conf,/etc/cgconfig.conf and setting up libpam-cgroup.
