.\" Packit 7cfc04
.\" Copyright (c) 2016 by Michael Kerrisk <mtk.manpages@gmail.com>
.\"
.\" %%%LICENSE_START(VERBATIM)
.\" Permission is granted to make and distribute verbatim copies of this
.\" manual provided the copyright notice and this permission notice are
.\" preserved on all copies.
.\"
.\" Permission is granted to copy and distribute modified versions of this
.\" manual under the conditions for verbatim copying, provided that the
.\" entire resulting derived work is distributed under the terms of a
.\" permission notice identical to this one.
.\"
.\" Since the Linux kernel and libraries are constantly changing, this
.\" manual page may be incorrect or out-of-date. The author(s) assume no
.\" responsibility for errors or omissions, or for damages resulting from
.\" the use of the information contained herein. The author(s) may not
.\" have taken the same level of care in the production of this manual,
.\" which is licensed free of charge, as they might when working
.\" professionally.
.\"
.\" Formatted or processed versions of this manual, if unaccompanied by
.\" the source, must acknowledge the copyright and authors of this work.
.\" %%%LICENSE_END
.\"
.\"
.TH CGROUP_NAMESPACES 7 2017-09-15 "Linux" "Linux Programmer's Manual"
.SH NAME
cgroup_namespaces \- overview of Linux cgroup namespaces
.SH DESCRIPTION
For an overview of namespaces, see
.BR namespaces (7).
.PP
Cgroup namespaces virtualize the view of a process's cgroups (see
.BR cgroups (7))
as seen via
.IR /proc/[pid]/cgroup
and
.IR /proc/[pid]/mountinfo .
.PP
Each cgroup namespace has its own set of cgroup root directories.
These root directories are the base points for the relative
locations displayed in the corresponding records in the
.IR /proc/[pid]/cgroup
file.
When a process creates a new cgroup namespace using
.BR clone (2)
or
.BR unshare (2)
with the
.BR CLONE_NEWCGROUP
flag, it enters a new cgroup namespace in which its current
cgroup directories become the cgroup root directories
of the new namespace.
(This applies both for the cgroups version 1 hierarchies
and the cgroups version 2 unified hierarchy.)
.PP
When viewing
.IR /proc/[pid]/cgroup ,
the pathname shown in the third field of each record will be
relative to the reading process's root directory
for the corresponding cgroup hierarchy.
If the cgroup directory of the target process lies outside
the root directory of the reading process's cgroup namespace,
then the pathname will show
.I ../
entries for each ancestor level in the cgroup hierarchy.
.PP
The following shell session demonstrates the effect of creating
a new cgroup namespace.
First, as superuser, we create a child cgroup in the
.I freezer
hierarchy, and put the shell into that cgroup:
.PP
.in +4n
.EX
# \fBmkdir \-p /sys/fs/cgroup/freezer/sub\fP
# \fBecho $$\fP # Show PID of this shell
30655
# \fBsh \-c \(aqecho 30655 > /sys/fs/cgroup/freezer/sub/cgroup.procs\(aq\fP
# \fBcat /proc/self/cgroup | grep freezer\fP
7:freezer:/sub
.EE
.in
.PP
Next, we use
.BR unshare (1)
to create a process running a new shell in new cgroup and mount namespaces:
.PP
.in +4n
.EX
# \fBunshare \-Cm bash\fP
.EE
.in
.PP
We then inspect the
.IR /proc/[pid]/cgroup
files of, respectively, the new shell process started by the
.BR unshare (1)
command, a process that is in the original cgroup namespace
.RI ( init ,
with PID 1), and a process in a sibling cgroup
.RI ( sub2 ):
.PP
.in +4n
.EX
# \fBcat /proc/self/cgroup | grep freezer\fP
7:freezer:/
# \fBcat /proc/1/cgroup | grep freezer\fP
7:freezer:/..
# \fBcat /proc/20124/cgroup | grep freezer\fP
7:freezer:/../sub2
.EE
.in
.PP
From the output of the first command,
we see that the freezer cgroup membership of the new shell
(which is in the same cgroup as the initial shell)
is shown relative to the freezer cgroup root directory
that was established when the new cgroup namespace was created.
(In absolute terms,
the new shell is in the
.I /sub
freezer cgroup,
and the root directory of the freezer cgroup hierarchy
in the new cgroup namespace is also
.IR /sub .
Thus, the new shell's cgroup membership is displayed as \(aq/\(aq.)
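.PP
The path virtualization shown in the session above, as an added example that is not part of this manual page: a Python model of how the third field of each /proc/[pid]/cgroup record is displayed relative to the reading namespace's root for that hierarchy. The file contents in HOST_VIEW, the second (name=systemd) hierarchy and its root /user.slice in NS_ROOTS are constructed assumptions; the freezer values and PIDs are those of the session.

```python
# Constructed sample /proc/[pid]/cgroup contents, expressed in absolute terms
# (as the initial cgroup namespace sees them), for the three processes used
# in the session: the new shell, init (PID 1), and the sibling in /sub2.
HOST_VIEW = {
    "self": "7:freezer:/sub\n1:name=systemd:/user.slice\n",
    1: "7:freezer:/\n1:name=systemd:/init.scope\n",
    20124: "7:freezer:/sub2\n1:name=systemd:/user.slice\n",
}

# Roots captured by "unshare -C" from the new shell: for every hierarchy,
# its cgroup at that moment (hierarchy-ID -> absolute root directory).
# The name=systemd hierarchy and its root are assumed for illustration.
NS_ROOTS = {7: "/sub", 1: "/user.slice"}


def parse_cgroup_file(text):
    """Split records of the form hierarchy-ID:controller-list:cgroup-path."""
    records = []
    for line in text.splitlines():
        if line:
            hid, controllers, path = line.split(":", 2)
            records.append((int(hid), controllers, path))
    return records


def virtualize_path(abs_path, ns_root):
    """Show abs_path relative to ns_root the way a cgroup namespace does.

    Components below the longest common prefix of the two paths are kept;
    each level of ns_root below that prefix becomes one '..', so a target
    outside the namespace root surfaces as /.. or /../sibling.
    """
    target = [c for c in abs_path.split("/") if c]
    root = [c for c in ns_root.split("/") if c]
    common = 0
    while common < min(len(target), len(root)) and target[common] == root[common]:
        common += 1
    return "/" + "/".join([".."] * (len(root) - common) + target[common:])


def namespaced_view(text, ns_roots=NS_ROOTS):
    """Render a /proc/[pid]/cgroup file as read from inside the namespace."""
    return "\n".join(
        f"{hid}:{ctl}:{virtualize_path(path, ns_roots.get(hid, '/'))}"
        for hid, ctl, path in parse_cgroup_file(text)
    )


if __name__ == "__main__":
    for pid in ("self", 1, 20124):
        print(f"--- /proc/{pid}/cgroup\n{namespaced_view(HOST_VIEW[pid])}")
```

The same function reproduces the NOTES scenario below: a process namespaced under /cg/1/2 sees its ancestor /cg/1 only as /.. .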
.PP
However, when we look in
.IR /proc/self/mountinfo
we see the following anomaly:
.PP
.in +4n
.EX
# \fBcat /proc/self/mountinfo | grep freezer\fP
155 145 0:32 /.. /sys/fs/cgroup/freezer ...
.EE
.in
.PP
The fourth field of this line
.RI ( /.. )
should show the
directory in the cgroup filesystem which forms the root of this mount.
Since by the definition of cgroup namespaces, the process's current
freezer cgroup directory became its root freezer cgroup directory,
we should see \(aq/\(aq in this field.
The problem here is that we are seeing a mount entry for the cgroup
filesystem corresponding to our initial shell process's cgroup namespace
(whose cgroup filesystem is indeed rooted in the parent directory of
.IR sub ).
We need to remount the freezer cgroup filesystem
inside this cgroup namespace, after which we see the expected results:
.PP
.in +4n
.EX
# \fBmount \-\-make\-rslave /\fP # Don't propagate mount events
# to other namespaces
# \fBumount /sys/fs/cgroup/freezer\fP
# \fBmount \-t cgroup \-o freezer freezer /sys/fs/cgroup/freezer\fP
# \fBcat /proc/self/mountinfo | grep freezer\fP
155 145 0:32 / /sys/fs/cgroup/freezer rw,relatime ...
.EE
.in
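.PP
A check for the anomaly just described, as an added example that is not part of this manual page: it parses /proc/[pid]/mountinfo records in the format given in proc(5) and reports every cgroup filesystem mount whose root field is not \(aq/\(aq, i.e. a mount inherited from an ancestor cgroup namespace through which ancestor cgroup directories remain reachable. The mountinfo excerpts BEFORE_REMOUNT and AFTER_REMOUNT are constructed to match the session (the page's own lines are elided with "..."); the tmpfs and cgroup2 entries and the mount IDs other than 155/145 are assumptions.

```python
# Constructed /proc/self/mountinfo excerpts for the new shell, modelled on the
# session above. Fields per proc(5): id parent major:minor root mountpoint
# mount-options [optional fields...] - fstype source super-options.
BEFORE_REMOUNT = """\
145 140 0:31 / /sys/fs/cgroup ro,nosuid,nodev,noexec - tmpfs tmpfs ro,mode=755
155 145 0:32 /.. /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime master:20 - cgroup cgroup rw,freezer
157 145 0:33 / /sys/fs/cgroup/unified rw,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw
"""
AFTER_REMOUNT = """\
145 140 0:31 / /sys/fs/cgroup ro,nosuid,nodev,noexec - tmpfs tmpfs ro,mode=755
155 145 0:32 / /sys/fs/cgroup/freezer rw,relatime - cgroup freezer rw,freezer
157 145 0:33 / /sys/fs/cgroup/unified rw,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw
"""


def parse_mountinfo(text):
    """Parse mountinfo records; ' - ' separates the optional fields from fstype."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, _, right = line.partition(" - ")
        lf, rf = left.split(), right.split()
        entries.append({
            "id": int(lf[0]), "parent": int(lf[1]), "dev": lf[2],
            "root": lf[3], "mountpoint": lf[4], "options": lf[5],
            "optional": lf[6:], "fstype": rf[0], "source": rf[1],
            "super_opts": rf[2] if len(rf) > 2 else "",
        })
    return entries


def cgroup_mounts_rooted_outside_ns(text):
    """Return (mountpoint, root) for cgroup mounts whose root is not '/'.

    A cgroup filesystem mounted from inside a cgroup namespace reports '/'
    as its root. Anything else is a mount inherited from an ancestor
    namespace, with its root written relative to ours: '/..' is the parent
    cgroup directory, so the ancestor layout is reachable through the mount.
    """
    return [(e["mountpoint"], e["root"]) for e in parse_mountinfo(text)
            if e["fstype"] in ("cgroup", "cgroup2") and e["root"] != "/"]


if __name__ == "__main__":
    for label, text in (("before remount", BEFORE_REMOUNT), ("after remount", AFTER_REMOUNT)):
        print(label, cgroup_mounts_rooted_outside_ns(text))
```

Run against a real container's /proc/self/mountinfo, an empty result for the cgroup mounts is the expected state after the remount sequence above.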
.PP
Use of cgroup namespaces requires a kernel that is configured with the
.B CONFIG_CGROUPS
option.
.\"
.SH CONFORMING TO
Namespaces are a Linux-specific feature.
.SH NOTES
Among the purposes served by the
virtualization provided by cgroup namespaces are the following:
.IP * 2
It prevents information leaks whereby cgroup directory paths outside of
a container would otherwise be visible to processes in the container.
Such leakages could, for example,
reveal information about the container framework
to containerized applications.
.IP *
It eases tasks such as container migration.
The virtualization provided by cgroup namespaces
allows containers to be isolated from knowledge of
the pathnames of ancestor cgroups.
Without such isolation, the full cgroup pathnames (displayed in
.IR /proc/self/cgroup )
would need to be replicated on the target system when migrating a container;
those pathnames would also need to be unique,
so that they don't conflict with other pathnames on the target system.
.IP *
It allows better confinement of containerized processes,
because it is possible to mount the container's cgroup filesystems such that
the container processes can't gain access to ancestor cgroup directories.
Consider, for example, the following scenario:
.RS 4
.IP \(bu 2
We have a cgroup directory,
.IR /cg/1 ,
that is owned by user ID 9000.
.IP \(bu
We have a process,
.IR X ,
also owned by user ID 9000,
that is namespaced under the cgroup
.IR /cg/1/2
(i.e.,
.I X
was placed in a new cgroup namespace via
.BR clone (2)
or
.BR unshare (2)
with the
.BR CLONE_NEWCGROUP
flag).
.RE
.IP
In the absence of cgroup namespacing, because the cgroup directory
.IR /cg/1
is owned (and writable) by UID 9000 and process
.I X
is also owned by user ID 9000, process
.I X
would be able to modify the contents of cgroups files
(i.e., change cgroup settings) not only in
.IR /cg/1/2
but also in the ancestor cgroup directory
.IR /cg/1 .
Namespacing process
.IR X
under the cgroup directory
.IR /cg/1/2 ,
in combination with suitable mount operations
for the cgroup filesystem (as shown above),
prevents it from modifying files in
.IR /cg/1 ,
since it cannot even see the contents of that directory
(or of further removed cgroup ancestor directories).
Combined with correct enforcement of hierarchical limits,
this prevents process
.I X
from escaping the limits imposed by ancestor cgroups.
.SH SEE ALSO
.BR unshare (1),
.BR clone (2),
.BR setns (2),
.BR unshare (2),
.BR proc (5),
.BR cgroups (7),
.BR credentials (7),
.BR namespaces (7),
.BR user_namespaces (7)
.SH COLOPHON
This page is part of release 4.15 of the Linux
.I man-pages
project.
A description of the project,
information about reporting bugs,
and the latest version of this page,
can be found at
\%https://www.kernel.org/doc/man\-pages/.