mirror of https://github.com/mkerrisk/man-pages
cgroup_namespaces.7: Note another of the benefits of cgroup namespaces
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent a2b7dba58c
commit 10b547c577
|
@ -156,6 +156,16 @@ Such leakages could, for example,
|
|||
reveal information about the container framework
|
||||
to containerized applications.
|
||||
.IP *
|
||||
It eases tasks such as container migration.
|
||||
The virtualization provided by cgroup namespaces
|
||||
allows containers to be isolated from knowledge of
|
||||
the pathnames of ancestor cgroups.
|
||||
Without such isolation,
|
||||
the full cgroup pathnames would need to be replicated on the target
|
||||
system when migrating a container;
|
||||
those pathnames would also need to be unique,
|
||||
so that they don't conflict with other pathnames on the target system.
|
||||
.IP *
|
||||
It allows better confinement of containererized processes,
|
||||
because it is possible to mount the container's cgroup filesystems such that
|
||||
the container processes can't gain access to ancestor cgroup directories.
|
||||
|
|
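Review bot: In the last list item of this hunk, "containererized" in "It allows better confinement of containererized processes," is misspelled and should read "containerized". The +/- markers are not visible in this rendering, so that line may be unchanged context; if so, the spelling fix can still be folded into this change, since the hunk already touches the same list.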