Does it make sense to restrict browser (FF in my case) with cgroups? Like memory and cpu usage?
If yes, how?
@musicmatze yes, it makes sense. No, root or cgroup namespaces are not needed.
If you happen to use a "modern" desktop like GNOME or KDE with systemd, this should all happen behind the scenes already; the browser should be in its own cgroup.
E.g. in my case:
$ cat /proc/1289786/cgroup
I use plasma5 on NixOS at home, but I don't think Firefox is in its own cgroup. At work I use i3 on CentOS 7, where I guess it is also not.
I guess I can configure it somehow then?
It is possible with rootless podman.
* cgroups v2
* sysctl kernel.unprivileged_userns_clone=1
* suitable subuids and subgids for your user
example: (not mine)
Should be possible without podman using the same technique
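
Added example, not part of the thread: a small shell script for the check shown above (`cat /proc/<pid>/cgroup`), reporting whether a process sits in a per-application systemd unit and which memory and CPU limits apply to it. It assumes cgroup v2 mounted at /sys/fs/cgroup and systemd's `app-*.scope` / `session-N.scope` unit naming; the function names and the sample path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes cgroup v2 at /sys/fs/cgroup.

# Extract the cgroup v2 path from a /proc/<pid>/cgroup file. The v2 entry is
# "0::<path>"; v1 entries ("N:<controllers>:<path>") are ignored.
cgroup_v2_path() {
    sed -n 's/^0:://p' "$1" | head -n 1
}

# Classify by leaf unit name. Desktops that integrate with systemd start apps
# as app-*.scope or app-*.service; a plain login session (for example a bare
# window manager) leaves every process in the shared session-N.scope.
cgroup_kind() {
    case "$1" in
        "")                          echo "no-v2" ;;
        */app-*.scope|*/app-*.service) echo "per-app" ;;
        */session-*.scope)           echo "shared-session" ;;
        *)                           echo "other" ;;
    esac
}

# Read one limit file (memory.max, cpu.max, ...). The file is absent when the
# controller is not enabled for that cgroup, so report that instead of failing.
cgroup_limit() {  # $1=cgroup root  $2=cgroup path  $3=file name
    if [ -r "$1$2/$3" ]; then cat "$1$2/$3"; else echo "unavailable"; fi
}

report() {  # $1=/proc/<pid>/cgroup file  $2=cgroup root
    path=$(cgroup_v2_path "$1")
    echo "path:       ${path:-<none>}"
    echo "kind:       $(cgroup_kind "$path")"
    echo "memory.max: $(cgroup_limit "$2" "$path" memory.max)"
    echo "cpu.max:    $(cgroup_limit "$2" "$path" cpu.max)"
}

# Constructed sample (not real output): a browser in a per-app scope.
write_sample() {  # $1=output file
    cat > "$1" <<'EOF'
0::/user.slice/user-1000.slice/user@1000.service/app.slice/app-firefox-4242.scope
EOF
}

# Usage: ./cgcheck.sh <pid>   (CGROUP_ROOT overrides the mount point)
if [ $# -gt 0 ]; then
    report "/proc/$1/cgroup" "${CGROUP_ROOT:-/sys/fs/cgroup}"
fi
```

A `memory.max` of `max` means no limit is set. On a systemd user session with cgroup v2, `systemd-run --user --scope -p MemoryMax=4G firefox` is one way to start the browser in a scope of its own with a limit (the 4G value is a constructed example).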