mirror of https://github.com/mkerrisk/man-pages
namespaces.7: Explain the more important benefit for cgroup namespaces
mtk: edited text supplied by Serge.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent 2c4fbe3519
commit 99ef85aba8
@ -267,9 +267,22 @@ $ \fBcat /proc/20124/cgroup | grep freezer\fP
.in
.fi
The virtualization provided by cgroup namespaces can be used to prevent
The virtualization provided by cgroup namespaces serves at least two purposes.
First, it can be used to prevent
information leaks whereby cgroup directory paths outside of
a container would otherwise be visible to processes in the container.
More importantly, this allows easier and more flexible
confinement of container root tasks, because they can mount
their own cgroup filesystems without needing to gain access to ancestor
cgroup directories.
So, for example, even if
.I /cg/1
is owned by uid 100000, a task namespaced under
.I /cg/1/2
owned by UID 100000 can mount that cgroup but not change settings in
.IR /cg/1 .
Combined with correct enforcement of hierarchical limits,
this prevents that task from escaping its limits.
Use of cgroup namespaces requires a kernel that is configured with the
.B CONFIG_CGROUPS
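Review bot: the new example mixes "uid 100000" and "UID 100000" for the same owner within one sentence; the manual pages use the upper-case form, so "is owned by uid 100000" should read "is owned by UID 100000". The phrase "a task namespaced under /cg/1/2" would also be clearer as "a task whose cgroup namespace is rooted at /cg/1/2", which makes explicit why that task can mount that cgroup but cannot change settings in /cg/1. Finally, "correct enforcement of hierarchical limits" leaves the reader guessing what must be correct; a short clause saying that the limits in /cg/1 continue to apply to everything under /cg/1/2 would make the closing sentence self-explanatory.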