Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags. Perform various network-related operations.īypass file read permission checks and directory read and execute permission checks. Implemented for the Smack Linux Security Module (LSM).
Use vhangup(2) employ various privileged ioctl(2) operations on virtual terminals.Įnable and disable kernel auditing change auditing filter rules retrieve auditing status and filtering rules.Īllow MAC configuration or state changes. Set system clock (settimeofday(2), stime(2), adjtimex(2)) set real-time (hardware) clock. Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes. Perform a range of system administration operations. Use acct(2), switch process accounting on or off.
Perform I/O port operations (iopl(2) and ioperm(2)). If you omit the size entirely, the system uses 64m. If you omit the unit, the system uses bytes. Unit is optional and can be b (bytes), k (kilobytes), m (megabytes), or g (gigabytes). Tune a container’s memory swappiness behavior. Tune container’s OOM preferences (-1000 to 1000) Whether to disable OOM Killer for the container or not. Limit write rate (IO per second) to a device (format: :). Limit read rate (IO per second) from a device (format: :). Limit write rate to a device (format: :). Limit read rate from a device (format: :). īlock IO weight (relative device weight, format: DEVICE_NAME:WEIGHT) Limit the CPU CFS (Completely Fair Scheduler) quotaīlock IO weight (relative weight) accepts a weight value between. Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Limit the CPU CFS (Completely Fair Scheduler) periodĬPUs in which to allow execution (0-3, 0,1) Total memory limit (memory + swap, format: ).