1There are a lot of kinds of objects in the kernel that don't have 2individual limits or that have limits that are ineffective when a set 3of processes is allowed to switch user ids. With user namespaces 4enabled in a kernel for people who don't trust their users or their 5users programs to play nice this problems becomes more acute. 6 7Therefore it is recommended that memory control groups be enabled in 8kernels that enable user namespaces, and it is further recommended 9that userspace configure memory control groups to limit how much 10memory user's they don't trust to play nice can use. 11 12Memory control groups can be configured by installing the libcgroup 13package present on most distros editing /etc/cgrules.conf, 14/etc/cgconfig.conf and setting up libpam-cgroup. 15