Does it make sense to restrict browser (FF in my case) with cgroups? Like memory and cpu usage?
If yes, how?
@musicmatze yes, it makes sense. No, root or cgroup namespaces are not needed.
If you happen to use a "modern" desktop like GNOME or KDE with systemd, this should all happen behind the scenes already; the browser should be in its own cgroup.
E.g. in my case:
$ cat /proc/1289786/cgroup
0::/user.slice/user-1000.slice/user@1000.service/app.slice/app-gnome-google\x2dchrome-1289378.scope/1289786
@bugaevc
I use Plasma 5 on NixOS at home, but I don't think Firefox is in its own cgroup. At work I use i3 on CentOS 7, where I guess it also isn't.
I guess I can configure it somehow then?
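Added example, not code posted by anyone in this thread: a small POSIX shell script that does the two things a practitioner wants here. First, it reads `/proc/<pid>/cgroup` and tells you whether the browser already sits in an app scope of its own under your systemd user manager (the `user@1000.service/app.slice/...scope` shape from the Chrome path quoted above) or merely in the session-wide scope that a display-manager-started X session for i3 typically gets. Second, it starts the browser in its own transient scope with a memory cap and CPU quota via `systemd-run --user --scope -p MemoryMax=... -p CPUQuota=...`, which needs no root. Assumptions: cgroups v2 mounted at `/sys/fs/cgroup`, a systemd user manager, and a browser process named `firefox`; the Chrome line is the one from the thread, the i3 session line is constructed for the demo, and the `--check` flag, `2G` and `200%` values are my choices. Caveat: the limits only bite if the `memory` and `cpu` controllers are delegated to `user@UID.service` (the script prints that file), and on a cgroup v1 system such as CentOS 7 the user manager gets no such delegation, so this check/launch pair will not enforce anything there.

```shell
#!/bin/sh
# Added example for this thread, not code posted by anyone in it.
# Assumes cgroups v2 (unified hierarchy at /sys/fs/cgroup) and a systemd
# user manager (user@UID.service). The sample /proc/<pid>/cgroup lines are
# constructed for the demo (the Chrome one is the line quoted in the thread).

# Print the cgroup v2 path from /proc/<pid>/cgroup text read on stdin.
# On v2 that file holds a single line of the form "0::/path".
cgroup_v2_path() {
    sed -n 's/^0::\(.*\)$/\1/p' | head -n 1
}

# Succeed if the path is an app scope under the user's own systemd manager
# (user@UID.service/app.slice/*.scope): the browser has a cgroup of its own.
# A bare session scope (user-UID.slice/session-N.scope), typical of an X
# session started for i3 by a display manager, is shared by every process in
# the session, so limits placed there would hit the whole desktop.
is_app_scope() {
    case "$1" in
        */user@*.service/app.slice/*.scope*) return 0 ;;
        *) return 1 ;;
    esac
}

# Controllers delegated to the user manager. MemoryMax/CPUQuota on a user
# scope only take effect if "memory" and "cpu" are listed here.
delegated_controllers() {
    uid=$(id -u)
    f="/sys/fs/cgroup/user.slice/user-$uid.slice/user@$uid.service/cgroup.controllers"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo "no user manager cgroup at $f (cgroup v2 + systemd required)"
    fi
}

# Build the command that starts a program in its own transient scope with a
# memory cap and CPU quota as an unprivileged user. --scope keeps the program
# attached to the terminal instead of turning it into a detached service.
limited_launch_cmd() {
    mem=$1; cpu=$2; shift 2
    printf 'systemd-run --user --scope -p MemoryMax=%s -p CPUQuota=%s -- %s\n' \
        "$mem" "$cpu" "$*"
}

# Actually run it, e.g.: launch_limited 2G 200% firefox   (200% = two cores)
launch_limited() {
    mem=$1; cpu=$2; shift 2
    systemd-run --user --scope -p "MemoryMax=$mem" -p "CPUQuota=$cpu" -- "$@"
}

# Constructed samples: the Chrome line from the thread (own app scope) and a
# browser started from a terminal in a plain i3 session (shared session scope).
SAMPLE_APP_SCOPE='0::/user.slice/user-1000.slice/user@1000.service/app.slice/app-gnome-google\x2dchrome-1289378.scope/1289786'
SAMPLE_SESSION_SCOPE='0::/user.slice/user-1000.slice/session-2.scope'

# Inspect a running browser and say whether it already has its own scope.
# Usage: check_browser firefox   (assumes the process is named "firefox")
check_browser() {
    pid=$(pgrep -o -x "$1") || { echo "$1 is not running"; return 1; }
    path=$(cgroup_v2_path < "/proc/$pid/cgroup")
    if is_app_scope "$path"; then
        echo "$1 ($pid) already has its own scope: $path"
    else
        echo "$1 ($pid) shares its cgroup: $path"
        echo "start it with: $(limited_launch_cmd 2G 200% "$1")"
    fi
}

# Only touch the live system when asked: sh browser-cgroup.sh --check firefox
if [ "${1:-}" = "--check" ]; then
    delegated_controllers
    check_browser "${2:-firefox}"
fi
```

Run `sh browser-cgroup.sh --check firefox` to see the delegated controllers and the verdict on a running Firefox; if it reports a shared cgroup, close it and start it with the printed `systemd-run` line. Afterwards `cat /proc/$(pgrep -o -x firefox)/cgroup` should show a `run-r....scope` of its own under `user@1000.service`, and `systemd-cgtop --user` will show the memory and CPU accounting for it.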
@musicmatze
It's possible with rootless podman.
You need:
* cgroups v2
* sysctl kernel.unprivileged_userns_clone=1
* suitable subuids and subgids for your user
Example (not mine):
https://gist.github.com/eoli3n/93111f23dbb1233f2f00f460663f99e2
It should be possible without podman using the same technique.
And, appending to that question, is it possible without root? Like a user cgroup namespace somehow?