namespaces.7: Document the /proc/sys/user/* files added in Linux 4.9

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Michael Kerrisk 2017-04-17 15:34:15 +02:00
parent 2f7a331e53
commit 5046cb7268
1 changed file with 86 additions and 0 deletions


@ -202,6 +202,92 @@ these symbolic links is governed by a ptrace access mode
check; see
.BR ptrace (2).
.\"
.\" ==================== The /proc/sys/user directory ====================
.\"
.SS The /proc/sys/user directory
The files in the
.I /proc/sys/user
directory (which is present since Linux 4.9) expose limits
on the number of namespaces of various types that can be created.
The files are as follows:
.TP
.IR max_cgroup_namespaces
The value in this file defines a per-user limit on the number of
cgroup namespaces that may be created in the user namespace.
.TP
.IR max_ipc_namespaces
The value in this file defines a per-user limit on the number of
ipc namespaces that may be created in the user namespace.
.TP
.IR max_mnt_namespaces
The value in this file defines a per-user limit on the number of
mount namespaces that may be created in the user namespace.
.TP
.IR max_net_namespaces
The value in this file defines a per-user limit on the number of
network namespaces that may be created in the user namespace.
.TP
.IR max_pid_namespaces
The value in this file defines a per-user limit on the number of
pid namespaces that may be created in the user namespace.
.TP
.IR max_user_namespaces
The value in this file defines a per-user limit on the number of
user namespaces that may be created in the user namespace.
.TP
.IR max_uts_namespaces
The value in this file defines a per-user limit on the number of
user namespaces that may be created in the user namespace.
.PP
Note the following details about these files:
.IP * 3
The values in these files are modifiable by privileged processes.
.IP *
The values exposed by these files are the limits for the user namespace
in which the opening process resides.
.IP *
The limits are per-user.
Each user in the same user namespace
can create namespaces up to the defined limit.
.IP *
The limits apply to all users, including UID 0.
.IP *
These limits apply in addition to any other per-namespace
limits (such as those for PID and user namespaces) that may be enforced.
.IP *
Upon encountering these limits,
.BR clone (2)
and
.BR unshare (2)
fail with the error
.BR ENOSPC .
.IP *
For the initial user namespace,
the default value in each of these files is half the limit on the number
of threads that may be created
.RI ( /proc/sys/kernel/threads-max ).
In all descendant user namespaces, the default value in each file is
.BR MAXINT .
.IP *
When a namespace is created, the object is also accounted
against ancestor namespaces.
More precisely:
.RS
.IP + 3
Each user namespace has a creator UID.
.IP +
When a namespace is created,
it is accounted against the creator UIDs in each of the
ancestor user namespaces,
and the kernel ensures that the corresponding namespace limit
for the creator UID in the ancestor namespace is not exceeded.
.IP +
The aforementioned point ensures that creating a new user namespace
cannot be used as a means to escape the limits in force
in the current user namespace.
.RE
.PP
.\"
.\" ==================== Cgroup namespaces ====================
.\"
.SS Cgroup namespaces (CLONE_NEWCGROUP)
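Review bot: the max_uts_namespaces entry (the last .TP in the new list) carries a copy-paste slip: its description reads "the number of user namespaces that may be created in the user namespace", which duplicates the max_user_namespaces text above it; it should read "the number of UTS namespaces that may be created in the user namespace", following the pattern of the other six entries. Two smaller points in the same hunk: the descendant-namespace default is given as "MAXINT", which is not a standard identifier; INT_MAX (the <limits.h> name, and the one the kernel source uses) would be less confusing to readers who go looking for it. And the first bullet, "The values in these files are modifiable by privileged processes", would be more useful if it stated which capability is required and in which user namespace it must be held, since "privileged" on its own does not tell a reader whether a root process inside a child user namespace can raise its own limits.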