Skip to content

Commit f0e4d33

Browse files
cypharcyphar
committed
*: add support for cgroup namespace
The cgroup namespace is a new kernel feature available in 4.6+ that allows a container to isolate its cgroup hierarchy. Currently this only really hides information in /proc/self/cgroup. But it may (in future) allow unprivileged processes to safely manage their own cgroup hierarchies (allowing rootless containers to manage cgroups). Signed-off-by: Aleksa Sarai <[email protected]>
1 parent f955d90 commit f0e4d33

4 files changed

Lines changed: 20 additions & 7 deletions

File tree

config-linux.md

Lines changed: 10 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -27,12 +27,13 @@ Namespaces are specified as an array of entries inside the `namespaces` root fie
2727
The following parameters can be specified to setup namespaces:
2828

2929
* **`type`** *(string, required)* - namespace type. The following namespaces types are supported:
30-
* **`pid`** processes inside the container will only be able to see other processes inside the same container
31-
* **`network`** the container will have its own network stack
32-
* **`mount`** the container will have an isolated mount table
33-
* **`ipc`** processes inside the container will only be able to communicate to other processes inside the same container via system level IPC
34-
* **`uts`** the container will be able to have its own hostname and domain name
35-
* **`user`** the container will be able to remap user and group IDs from the host to local users and groups within the container
30+
* **`pid`** processes inside the container will only be able to see other processes inside the same container. Support for this was added in Linux 2.6.24.
31+
* **`network`** the container will have its own network stack. Support for this was added in Linux 2.6.24.
32+
* **`mount`** the container will have an isolated mount table. Support for this was added in Linux 2.4.19.
33+
* **`ipc`** processes inside the container will only be able to communicate to other processes inside the same container via system level IPC. Support for this was added in Linux 2.6.19.
34+
* **`uts`** the container will be able to have its own hostname and domain name. Support for this was added in Linux 2.6.19.
35+
* **`user`** the container will be able to remap user and group IDs from the host to local users and groups within the container. Support for this was added in Linux 3.8.
36+
* **`cgroup`** the container will have an isolated view of its cgroup hierarchy. Support for this was added in Linux 4.6.
3637

3738
* **`path`** *(string, optional)* - path to namespace file in the [runtime mount namespace](glossary.md#runtime-namespace)
3839

@@ -62,6 +63,9 @@ Also, when a path is specified, a runtime MUST assume that the setup for that pa
6263
},
6364
{
6465
"type": "user"
66+
},
67+
{
68+
"type": "cgroup"
6569
}
6670
]
6771
```

config.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -590,6 +590,12 @@ Here is a full example `config.json` for reference.
590590
},
591591
{
592592
"type": "mount"
593+
},
594+
{
595+
"type": "user"
596+
},
597+
{
598+
"type": "cgroup"
593599
}
594600
],
595601
"maskedPaths": [

schema/defs-linux.json

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -224,7 +224,8 @@
224224
"network",
225225
"uts",
226226
"ipc",
227-
"user"
227+
"user",
228+
"cgroup"
228229
]
229230
},
230231
"NamespaceReference": {

specs-go/config.go

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -169,6 +169,8 @@ const (
169169
UTSNamespace = "uts"
170170
// UserNamespace for isolating user and group IDs
171171
UserNamespace = "user"
172+
// CgroupNamespace for isolating cgroup hierarchies
173+
CgroupNamespace = "cgroup"
172174
)
173175

174176
// IDMapping specifies UID/GID mappings

0 commit comments

Comments
 (0)