mirror of https://github.com/mkerrisk/man-pages
namespaces.7: Document the /proc/sys/user/* files added in Linux 4.9
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent 2f7a331e53
commit 5046cb7268
@ -202,6 +202,92 @@ these symbolic links is governed by a ptrace access mode
check; see
.BR ptrace (2).
.\"
.\" ==================== The /proc/sys/user directory ====================
.\"
.SS The /proc/sys/user directory
The files in the
.I /proc/sys/user
directory (which is present since Linux 4.9) expose limits
on the number of namespaces of various types that can be created.
The files are as follows:
.TP
.IR max_cgroup_namespaces
The value in this file defines a per-user limit on the number of
cgroup namespaces that may be created in the user namespace.
.TP
.IR max_ipc_namespaces
The value in this file defines a per-user limit on the number of
ipc namespaces that may be created in the user namespace.
.TP
.IR max_mnt_namespaces
The value in this file defines a per-user limit on the number of
mount namespaces that may be created in the user namespace.
.TP
.IR max_net_namespaces
The value in this file defines a per-user limit on the number of
network namespaces that may be created in the user namespace.
.TP
.IR max_pid_namespaces
The value in this file defines a per-user limit on the number of
pid namespaces that may be created in the user namespace.
.TP
.IR max_user_namespaces
The value in this file defines a per-user limit on the number of
user namespaces that may be created in the user namespace.
.TP
.IR max_uts_namespaces
The value in this file defines a per-user limit on the number of
user namespaces that may be created in the user namespace.
.PP
Note the following details about these files:
.IP * 3
The values in these files are modifiable by privileged processes.
.IP *
The values exposed by these files are the limits for the user namespace
in which the opening process resides.
.IP *
The limits are per-user.
Each user in the same user namespace
can create namespaces up to the defined limit.
.IP *
The limits apply to all users, including UID 0.
.IP *
These limits apply in addition to any other per-namespace
limits (such as those for PID and user namespaces) that may be enforced.
.IP *
Upon encountering these limits,
.BR clone (2)
and
.BR unshare (2)
fail with the error
.BR ENOSPC .
.IP *
For the initial user namespace,
the default value in each of these files is half the limit on the number
of threads that may be created
.RI ( /proc/sys/kernel/threads-max ).
In all descendant user namespaces, the default value in each file is
.BR MAXINT .
.IP *
When a namespace is created, the object is also accounted
against ancestor namespaces.
More precisely:
.RS
.IP + 3
Each user namespace has a creator UID.
.IP +
When a namespace is created,
it is accounted against the creator UIDs in each of the
ancestor user namespaces,
and the kernel ensures that the corresponding namespace limit
for the creator UID in the ancestor namespace is not exceeded.
.IP +
The aforementioned point ensures that creating a new user namespace
cannot be used as a means to escape the limits in force
in the current user namespace.
.RE
.PP
.\"
.\" ==================== Cgroup namespaces ====================
.\"
.SS Cgroup namespaces (CLONE_NEWCGROUP)
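Review bot: the max_uts_namespaces entry describes the wrong namespace type. Its body reads "user namespaces that may be created in the user namespace.", which is a copy of the max_user_namespaces text two entries above; it should read "UTS namespaces that may be created in the user namespace." Two smaller points in the same hunk: "The values in these files are modifiable by privileged processes." in the first bullet leaves open which privilege is meant and in which user namespace it must be held, which matters because the following bullet says the values are those of the opening process's user namespace, so the capability should be named; and the default for descendant user namespaces is given as MAXINT, which is not a C constant name, so INT_MAX (the name a reader will find in <limits.h>) would be the unambiguous spelling.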