cgroup_namespaces.7: Note another of the benefits of cgroup namespaces

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-05-07 09:15:19 +02:00 · 2016-05-07 09:15:19 +02:00 · 10b547c577
parent a2b7dba58c
commit 10b547c577
1 changed files with 10 additions and 0 deletions
--- a/man7/cgroup_namespaces.7
+++ b/man7/cgroup_namespaces.7
@ -156,6 +156,16 @@ Such leakages could, for example,
 reveal information about the container framework
 to containerized applications.
 .IP *
+It eases tasks such as container migration.
+The virtualization provided by cgroup namespaces
+allows containers to be isolated from knowledge of
+the pathnames of ancestor cgroups.
+Without such isolation,
+the full cgroup pathnames would need to be replicated on the target
+system when migrating a container;
+those pathnames would also need to be unique,
+so that they don't conflict with other pathnames on the target system.
+.IP *
 It allows better confinement of containererized processes,
 because it is possible to mount the container's cgroup filesystems such that
 the container processes can't gain access to ancestor cgroup directories.