After #32, we're now in a good state where resource exhaustion in a container won't affect the host. However, it will still affect connectivity to the challenge container. Ideally, each incoming connection will have a new child cgroup policy that limits the CPU/memory/PIDs available to something smaller than the container's limits.
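One way the per-connection child cgroup proposed above could be set up through the cgroup v2 filesystem interface, as an added example that is not this project's code. The function name, the `conn-<id>` directory naming and the limit values are assumptions, and the parent path stands for the challenge container's own cgroup.

```python
from pathlib import Path


def _limit(text):
    """First field of a cgroup v2 limit file; 'max' (unlimited) becomes None."""
    field = text.split()[0]
    return None if field == "max" else int(field)


def _check_smaller(name, child, parent):
    # The kernel already caps a child at its parent's limit; this check enforces
    # the stricter goal that one connection gets less than the whole container.
    if parent is not None and child >= parent:
        raise ValueError(f"{name}: child limit {child} is not below parent limit {parent}")


def create_connection_cgroup(parent, conn_id, pid=None, *, pids_max, memory_max, cpu_quota_us):
    """Create parent/conn-<conn_id> with limits below the parent's; return its path."""
    parent = Path(parent)
    period = int((parent / "cpu.max").read_text().split()[1])  # "<quota> <period>"
    _check_smaller("pids.max", pids_max, _limit((parent / "pids.max").read_text()))
    _check_smaller("memory.max", memory_max, _limit((parent / "memory.max").read_text()))
    _check_smaller("cpu.max", cpu_quota_us, _limit((parent / "cpu.max").read_text()))
    # Controllers must be delegated before the child's limit files exist. cgroup v2
    # only allows this when the parent holds no processes itself, so the listener
    # has to sit in its own leaf cgroup beside the per-connection ones.
    (parent / "cgroup.subtree_control").write_text("+cpu +memory +pids")
    child = parent / f"conn-{int(conn_id)}"  # int() keeps the name server-controlled
    child.mkdir()
    (child / "pids.max").write_text(str(pids_max))
    (child / "memory.max").write_text(str(memory_max))
    (child / "cpu.max").write_text(f"{cpu_quota_us} {period}")
    if pid is not None:
        # Move the handler in before it execs the challenge so that every
        # process it forks afterwards is charged to this cgroup.
        (child / "cgroup.procs").write_text(str(pid))
    return child
```

On a real cgroupfs the child directory is removed with `rmdir` once the connection's processes have exited, which keeps stale per-connection groups from accumulating.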