suzanne.soy/man-pages
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
gh-pages
man-pages/man7/cgroup_namespaces.7.html
Suzanne Soy 4c89183f2b Added man pages from my system
2021-03-31 01:06:50 +01:00

364 lines
9.4 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of CGROUP_NAMESPACES</TITLE>
</HEAD><BODY>
<H1>CGROUP_NAMESPACES</H1>
Section: Linux Programmer's Manual (7)<BR>Updated: 2019-08-02<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>
cgroup_namespaces - overview of Linux cgroup namespaces
<A NAME="lbAC">&nbsp;</A>
<H2>DESCRIPTION</H2>
For an overview of namespaces, see
<B><A HREF="/cgi-bin/man/man2html?7+namespaces">namespaces</A></B>(7).
<P>
Cgroup namespaces virtualize the view of a process's cgroups (see
<B><A HREF="/cgi-bin/man/man2html?7+cgroups">cgroups</A></B>(7))
as seen via
<I>/proc/[pid]/cgroup</I>
and
<I>/proc/[pid]/mountinfo</I>.
<P>
Each cgroup namespace has its own set of cgroup root directories.
These root directories are the base points for the relative
locations displayed in the corresponding records in the
<I>/proc/[pid]/cgroup</I>
file.
When a process creates a new cgroup namespace using
<B><A HREF="/cgi-bin/man/man2html?2+clone">clone</A></B>(2)
or
<B><A HREF="/cgi-bin/man/man2html?2+unshare">unshare</A></B>(2)
with the
<B>CLONE_NEWCGROUP</B>
flag, its current
cgroups directories become the cgroup root directories
of the new namespace.
(This applies both for the cgroups version 1 hierarchies
and the cgroups version 2 unified hierarchy.)
<P>
When reading the cgroup memberships of a &quot;target&quot; process from
<I>/proc/[pid]/cgroup</I>,
the pathname shown in the third field of each record will be
relative to the reading process's root directory
for the corresponding cgroup hierarchy.
If the cgroup directory of the target process lies outside
the root directory of the reading process's cgroup namespace,
then the pathname will show
<I>../</I>
entries for each ancestor level in the cgroup hierarchy.
<P>
The following shell session demonstrates the effect of creating
a new cgroup namespace.
<P>
First, (as superuser) in a shell in the initial cgroup namespace,
we create a child cgroup in the
<I>freezer</I>
hierarchy, and place a process in that cgroup that we will
use as part of the demonstration below:
<P>
# <B>mkdir -p /sys/fs/cgroup/freezer/sub2</B>
# <B>sleep 10000 &amp;</B> # Create a process that lives for a while
[1] 20124
# <B>echo 20124 &gt; /sys/fs/cgroup/freezer/sub2/cgroup.procs</B>
<P>
We then create another child cgroup in the
<I>freezer</I>
hierarchy and put the shell into that cgroup:
<P>
# <B>mkdir -p /sys/fs/cgroup/freezer/sub</B>
# <B>echo $$</B> # Show PID of this shell
30655
# <B>echo 30655 &gt; /sys/fs/cgroup/freezer/sub/cgroup.procs</B>
# <B>cat /proc/self/cgroup | grep freezer</B>
7:freezer:/sub
<P>
Next, we use
<B><A HREF="/cgi-bin/man/man2html?1+unshare">unshare</A></B>(1)
to create a process running a new shell in new cgroup and mount namespaces:
<P>
# <B>PS1=&quot;sh2# &quot; unshare -Cm bash</B>
<P>
From the new shell started by
<B><A HREF="/cgi-bin/man/man2html?1+unshare">unshare</A></B>(1),
we then inspect the
<I>/proc/[pid]/cgroup</I>
files of, respectively, the new shell,
a process that is in the initial cgroup namespace
(<I>init</I>,
with PID 1), and the process in the sibling cgroup
(<I>sub2</I>):
<P>
sh2# <B>cat /proc/self/cgroup | grep freezer</B>
7:freezer:/
sh2# <B>cat /proc/1/cgroup | grep freezer</B>
7:freezer:/..
sh2# <B>cat /proc/20124/cgroup | grep freezer</B>
7:freezer:/../sub2
<P>
From the output of the first command,
we see that the freezer cgroup membership of the new shell
(which is in the same cgroup as the initial shell)
is shown defined relative to the freezer cgroup root directory
that was established when the new cgroup namespace was created.
(In absolute terms,
the new shell is in the
<I>/sub</I>
freezer cgroup,
and the root directory of the freezer cgroup hierarchy
in the new cgroup namespace is also
<I>/sub</I>.
Thus, the new shell's cgroup membership is displayed as '/'.)
<P>
However, when we look in
<I>/proc/self/mountinfo</I>
we see the following anomaly:
<P>
sh2# <B>cat /proc/self/mountinfo | grep freezer</B>
155 145 0:32 /.. /sys/fs/cgroup/freezer ...
<P>
The fourth field of this line
(<I>/..</I>)
should show the
directory in the cgroup filesystem which forms the root of this mount.
Since by the definition of cgroup namespaces, the process's current
freezer cgroup directory became its root freezer cgroup directory,
we should see '/' in this field.
The problem here is that we are seeing a mount entry for the cgroup
filesystem corresponding to the initial cgroup namespace
(whose cgroup filesystem is indeed rooted at the parent directory of
<I>sub</I>).
To fix this problem, we must remount the freezer cgroup filesystem
from the new shell (i.e., perform the mount from a process that is in the
new cgroup namespace), after which we see the expected results:
<P>
sh2# <B>mount --make-rslave /</B> # Don't propagate mount events
<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;to&nbsp;other&nbsp;namespaces
sh2# <B>umount /sys/fs/cgroup/freezer</B>
sh2# <B>mount -t cgroup -o freezer freezer /sys/fs/cgroup/freezer</B>
sh2# <B>cat /proc/self/mountinfo | grep freezer</B>
155 145 0:32 / /sys/fs/cgroup/freezer rw,relatime ...
<A NAME="lbAD">&nbsp;</A>
<H2>CONFORMING TO</H2>
Namespaces are a Linux-specific feature.
<A NAME="lbAE">&nbsp;</A>
<H2>NOTES</H2>
Use of cgroup namespaces requires a kernel that is configured with the
<B>CONFIG_CGROUPS</B>
option.
<P>
The virtualization provided by cgroup namespaces serves a number of purposes:
<DL COMPACT>
<DT id="1">*<DD>
It prevents information leaks whereby cgroup directory paths outside of
a container would otherwise be visible to processes in the container.
Such leakages could, for example,
reveal information about the container framework
to containerized applications.
<DT id="2">*<DD>
It eases tasks such as container migration.
The virtualization provided by cgroup namespaces
allows containers to be isolated from knowledge of
the pathnames of ancestor cgroups.
Without such isolation, the full cgroup pathnames (displayed in
<I>/proc/self/cgroups</I>)
would need to be replicated on the target system when migrating a container;
those pathnames would also need to be unique,
so that they don't conflict with other pathnames on the target system.
<DT id="3">*<DD>
It allows better confinement of containerized processes,
because it is possible to mount the container's cgroup filesystems such that
the container processes can't gain access to ancestor cgroup directories.
Consider, for example, the following scenario:
<DL COMPACT><DT id="4"><DD>
<DL COMPACT>
<DT id="5">&bull;<DD>
We have a cgroup directory,
<I>/cg/1</I>,
that is owned by user ID 9000.
<DT id="6">&bull;<DD>
We have a process,
<I>X</I>,
also owned by user ID 9000,
that is namespaced under the cgroup
<I>/cg/1/2</I>
(i.e.,
<I>X</I>
was placed in a new cgroup namespace via
<B><A HREF="/cgi-bin/man/man2html?2+clone">clone</A></B>(2)
or
<B><A HREF="/cgi-bin/man/man2html?2+unshare">unshare</A></B>(2)
with the
<B>CLONE_NEWCGROUP</B>
flag).
</DL>
</DL>
<DT id="7"><DD>
In the absence of cgroup namespacing, because the cgroup directory
<I>/cg/1</I>
is owned (and writable) by UID 9000 and process
<I>X</I>
is also owned by user ID 9000, then process
<I>X</I>
would be able to modify the contents of cgroups files
(i.e., change cgroup settings) not only in
<I>/cg/1/2</I>
but also in the ancestor cgroup directory
<I>/cg/1</I>.
Namespacing process
<I>X</I>
under the cgroup directory
<I>/cg/1/2</I>,
in combination with suitable mount operations
for the cgroup filesystem (as shown above),
prevents it modifying files in
<I>/cg/1</I>,
since it cannot even see the contents of that directory
(or of further removed cgroup ancestor directories).
Combined with correct enforcement of hierarchical limits,
this prevents process
<I>X</I>
from escaping the limits imposed by ancestor cgroups.
</DL>
<A NAME="lbAF">&nbsp;</A>
<H2>SEE ALSO</H2>
<B><A HREF="/cgi-bin/man/man2html?1+unshare">unshare</A></B>(1),
<B><A HREF="/cgi-bin/man/man2html?2+clone">clone</A></B>(2),
<B><A HREF="/cgi-bin/man/man2html?2+setns">setns</A></B>(2),
<B><A HREF="/cgi-bin/man/man2html?2+unshare">unshare</A></B>(2),
<B><A HREF="/cgi-bin/man/man2html?5+proc">proc</A></B>(5),
<B><A HREF="/cgi-bin/man/man2html?7+cgroups">cgroups</A></B>(7),
<B><A HREF="/cgi-bin/man/man2html?7+credentials">credentials</A></B>(7),
<B><A HREF="/cgi-bin/man/man2html?7+namespaces">namespaces</A></B>(7),
<B><A HREF="/cgi-bin/man/man2html?7+user_namespaces">user_namespaces</A></B>(7)
<A NAME="lbAG">&nbsp;</A>
<H2>COLOPHON</H2>
This page is part of release 5.05 of the Linux
<I>man-pages</I>
project.
A description of the project,
information about reporting bugs,
and the latest version of this page,
can be found at
<A HREF="https://www.kernel.org/doc/man-pages/.">https://www.kernel.org/doc/man-pages/.</A>
<P>
<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="8"><A HREF="#lbAB">NAME</A><DD>
<DT id="9"><A HREF="#lbAC">DESCRIPTION</A><DD>
<DT id="10"><A HREF="#lbAD">CONFORMING TO</A><DD>
<DT id="11"><A HREF="#lbAE">NOTES</A><DD>
<DT id="12"><A HREF="#lbAF">SEE ALSO</A><DD>
<DT id="13"><A HREF="#lbAG">COLOPHON</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:06:07 GMT, March 31, 2021
</BODY>
</HTML>
Reference in New Issue View Git Blame Copy Permalink