
Does it make sense to restrict browser (FF in my case) with cgroups? Like memory and cpu usage?

If yes, how?

And, appending to that question, is it possible without root? Like user cgroup namespace somehow?

@musicmatze yes, it makes sense. No, root or cgroup namespaces are not needed.

If you happen to use a "modern" desktop like GNOME or KDE with systemd, this should all happen behind the scenes already; the browser should be in its own cgroup.

E.g. in my case:
$ cat /proc/1289786/cgroup
0::/user.slice/user-1000.slice/user@1000.service/app.slice/app-gnome-google\x2dchrome-1289378.scope/1289786

@bugaevc
I use Plasma 5 on NixOS at home, but I don't think Firefox is in its own cgroup. At work I use i3 on CentOS 7, where I guess it is also not.

I guess I can configure it somehow then?

@musicmatze
It is possible with rootless podman.
You need
* cgroups v2
* sysctl kernel.unprivileged_userns_clone=1
* suitable subuids and subgids for your user
Example (not mine):
gist.github.com/eoli3n/93111f2

Should be possible without podman using the same technique.
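
Added example (not part of the thread): a way to check what the `cat /proc/<pid>/cgroup` output quoted above tells you, i.e. whether a process sits in its own systemd application unit and which memory/CPU limits apply to it or its ancestors. It assumes cgroup v2 mounted at /sys/fs/cgroup and systemd's `app.slice` layout; the function names and the session-scope sample line are constructed for illustration.

```python
import re
import sys
from pathlib import Path

CGROUP_ROOT = Path("/sys/fs/cgroup")  # assumed cgroup v2 mount point

# Sample inputs: the line quoted in the thread, and a constructed line for a
# process that only shares the login session's scope.
SAMPLE_APP = (r"0::/user.slice/user-1000.slice/user@1000.service/app.slice/"
              r"app-gnome-google\x2dchrome-1289378.scope/1289786")
SAMPLE_SESSION = "0::/user.slice/user-1000.slice/session-2.scope"

def unified_path(text):
    """Return the cgroup v2 path from /proc/<pid>/cgroup content, else None."""
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[0] == "0" and parts[1] == "":
            return parts[2]
    return None  # only cgroup v1 hierarchies listed, no "0::" entry

def app_unit(path):
    """Return the unescaped .scope/.service under app.slice, or None when the
    process has no per-application cgroup (e.g. it shares session-N.scope)."""
    parts = path.strip("/").split("/")
    if "app.slice" not in parts:
        return None
    after = parts[parts.index("app.slice") + 1:]
    unit = next((p for p in after if p.endswith((".scope", ".service"))), None)
    if unit is None:
        return None
    # systemd writes characters such as "-" inside unit names as \xNN
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), unit)

def limits(path, root=CGROUP_ROOT):
    """Collect memory.max / cpu.max values set on the cgroup or an ancestor."""
    found = {}
    node = root / path.lstrip("/")  # on-disk names keep the \xNN escapes
    while node != root:
        for name in ("memory.max", "cpu.max"):
            f = node / name
            if f.is_file() and not (value := f.read_text().strip()).startswith("max"):
                found.setdefault(name, []).append((str(node), value))
        node = node.parent
    return found

if __name__ == "__main__":
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    path = unified_path(Path(f"/proc/{pid}/cgroup").read_text())
    print("cgroup:", path)
    print("own app unit:", app_unit(path) if path else None)
    print("limits:", limits(path) if path else {})
```

Run it with a PID as the only argument; an empty `limits` result means the process is grouped but nothing caps its memory or CPU.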
