namespaces.7: Explain the more important benefit for cgroup namespaces

mtk: edited text supplied by Serge. Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-04-29 09:49:23 +02:00 · 2016-04-29 09:49:23 +02:00 · 99ef85aba8
parent 2c4fbe3519
commit 99ef85aba8
1 changed files with 14 additions and 1 deletions
--- a/man7/namespaces.7
+++ b/man7/namespaces.7
@ -267,9 +267,22 @@ $ \fBcat /proc/20124/cgroup | grep freezer\fP
 .in
 .fi

-The virtualization provided by cgroup namespaces can be used to prevent
+The virtualization provided by cgroup namespaces serves at least two purposes.
+First, it can be used to prevent
 information leaks whereby cgroup directory paths outside of
 a container would otherwise be visible to processes in the container.
+More importantly, this allows easier and more flexible
+confinement of container root tasks, because they can mount
+their own cgroup filesystems without needing to gain access to ancestor
+cgroup directories.
+So, for example, even if
+.I /cg/1
+is owned by uid 100000, a task namespaced under
+.I /cg/1/2
+owned by UID 100000 can mount that cgroup but not change settings in
+.IR /cg/1 .
+Combined with correct enforcement of hierarchical limits,
+this prevents that task from escaping its limits.

 Use of cgroup namespaces requires a kernel that is configured with the
 .B CONFIG_CGROUPS