cgroup_namespaces — overview of Linux cgroup namespaces
For an overview of namespaces, see namespaces(7).
Cgroup namespaces virtualize the view of a process's
cgroups (see cgroups(7)) as seen via
/proc/[pid]/cgroup and
/proc/[pid]/mountinfo.
Each cgroup namespace has its own set of cgroup root
directories. These root directories are the base points for
the relative locations displayed in the corresponding records
in the /proc/[pid]/cgroup file.
When a process creates a new cgroup namespace using clone(2) or unshare(2) with the
CLONE_NEWCGROUP flag, its
current cgroups directories become the cgroup root
directories of the new namespace. (This applies both for the
cgroups version 1 hierarchies and the cgroups version 2
unified hierarchy.)
When reading the cgroup memberships of a "target" process
from /proc/[pid]/cgroup, the
pathname shown in the third field of each record will be
relative to the reading process's root directory for the
corresponding cgroup hierarchy. If the cgroup directory of
the target process lies outside the root directory of the
reading process's cgroup namespace, then the pathname will
show ../ entries
for each ancestor level in the cgroup hierarchy.
The following shell session demonstrates the effect of creating a new cgroup namespace.
First, (as superuser) in a shell in the initial cgroup
namespace, we create a child cgroup in the freezer hierarchy, and place
a process in that cgroup that we will use as part of the
demonstration below:
# mkdir −p /sys/fs/cgroup/freezer/sub2 # sleep 10000 & # Create a process that lives for a while [1] 20124 # echo 20124 > /sys/fs/cgroup/freezer/sub2/cgroup.procs
We then create another child cgroup in the freezer hierarchy and put the
shell into that cgroup:
# mkdir −p /sys/fs/cgroup/freezer/sub # echo $$ # Show PID of this shell 30655 # echo 30655 > /sys/fs/cgroup/freezer/sub/cgroup.procs # cat /proc/self/cgroup | grep freezer 7:freezer:/sub
Next, we use unshare(1) to create a process running a new shell in new cgroup and mount namespaces:
# PS1="sh2# " unshare −Cm bash
From the new shell started by unshare(1), we then inspect
the /proc/[pid]/cgroup files
of, respectively, the new shell, a process that is in the
initial cgroup namespace (init, with PID 1), and the
process in the sibling cgroup (sub2):
sh2# cat /proc/self/cgroup | grep freezer 7:freezer:/ sh2# cat /proc/1/cgroup | grep freezer 7:freezer:/.. sh2# cat /proc/20124/cgroup | grep freezer 7:freezer:/../sub2
From the output of the first command, we see that the
freezer cgroup membership of the new shell (which is in the
same cgroup as the initial shell) is shown defined relative
to the freezer cgroup root directory that was established
when the new cgroup namespace was created. (In absolute
terms, the new shell is in the /sub freezer cgroup, and the root directory
of the freezer cgroup hierarchy in the new cgroup namespace
is also /sub. Thus, the new
shell's cgroup membership is displayed as '/'.)
However, when we look in /proc/self/mountinfo we see the following
anomaly:
sh2# cat /proc/self/mountinfo | grep freezer 155 145 0:32 /.. /sys/fs/cgroup/freezer ...
The fourth field of this line (/..) should show the directory in the
cgroup filesystem which forms the root of this mount. Since
by the definition of cgroup namespaces, the process's current
freezer cgroup directory became its root freezer cgroup
directory, we should see '/' in this field. The problem here
is that we are seeing a mount entry for the cgroup filesystem
corresponding to the initial cgroup namespace (whose cgroup
filesystem is indeed rooted at the parent directory of
sub). To fix this
problem, we must remount the freezer cgroup filesystem from
the new shell (i.e., perform the mount from a process that is
in the new cgroup namespace), after which we see the expected
results:
sh2# mount −−make−rslave / # Don't propagate mount events # to other namespaces sh2# umount /sys/fs/cgroup/freezer sh2# mount −t cgroup −o freezer freezer /sys/fs/cgroup/freezer sh2# cat /proc/self/mountinfo | grep freezer 155 145 0:32 / /sys/fs/cgroup/freezer rw,relatime ...
Use of cgroup namespaces requires a kernel that is
configured with the CONFIG_CGROUPS option.
The virtualization provided by cgroup namespaces serves a number of purposes:
It prevents information leaks whereby cgroup directory paths outside of a container would otherwise be visible to processes in the container. Such leakages could, for example, reveal information about the container framework to containerized applications.
It eases tasks such as container migration. The
virtualization provided by cgroup namespaces allows
containers to be isolated from knowledge of the
pathnames of ancestor cgroups. Without such isolation,
the full cgroup pathnames (displayed in /proc/self/cgroups) would need to be
replicated on the target system when migrating a
container; those pathnames would also need to be
unique, so that they don't conflict with other
pathnames on the target system.
It allows better confinement of containerized processes, because it is possible to mount the container's cgroup filesystems such that the container processes can't gain access to ancestor cgroup directories. Consider, for example, the following scenario:
We have a cgroup directory,
/cg/1, that is owned by user ID 9000.We have a process,
X, also owned by user ID 9000, that is namespaced under the cgroup/cg/1/2(i.e.,Xwas placed in a new cgroup namespace via clone(2) or unshare(2) with theCLONE_NEWCGROUPflag).
In the absence of cgroup namespacing, because the
cgroup directory /cg/1 is
owned (and writable) by UID 9000 and process
X is also owned by user
ID 9000, process X would
be able to modify the contents of cgroups files (i.e.,
change cgroup settings) not only in /cg/1/2 but also in the ancestor
cgroup directory /cg/1.
Namespacing process X
under the cgroup directory /cg/1/2, in combination with suitable
mount operations for the cgroup filesystem (as shown
above), prevents it modifying files in /cg/1, since it cannot even see the
contents of that directory (or of further removed
cgroup ancestor directories). Combined with correct
enforcement of hierarchical limits, this prevents
process X from escaping
the limits imposed by ancestor cgroups.
unshare(1), clone(2), setns(2), unshare(2), proc(5), cgroups(7), credentials(7), namespaces(7), user_namespaces(7)
This page is part of release 5.11 of the Linux man-pages project. A
description of the project, information about reporting bugs,
and the latest version of this page, can be found at
https://www.kernel.org/doc/man−pages/.
|
Copyright (c) 2016 by Michael Kerrisk <mtk.manpagesgmail.com> %%%LICENSE_START(VERBATIM) Permission is granted to make and distribute verbatim copies of this manual provided the copyright notice and this permission notice are preserved on all copies. Permission is granted to copy and distribute modified versions of this manual under the conditions for verbatim copying, provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one. Since the Linux kernel and libraries are constantly changing, this manual page may be incorrect or out-of-date. The author(s) assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein. The author(s) may not have taken the same level of care in the production of this manual, which is licensed free of charge, as they might when working professionally. Formatted or processed versions of this manual, if unaccompanied by the source, must acknowledge the copyright and authors of this work. %%%LICENSE_END |