cgroup_namespaces(7)

1CGROUP_NAMESPACES(7)       Linux Programmer's Manual      CGROUP_NAMESPACES(7)
2
3
4

NAME

6       cgroup_namespaces - overview of Linux cgroup namespaces
7

DESCRIPTION

9       For an overview of namespaces, see namespaces(7).
10
11       Cgroup  namespaces  virtualize  the  view  of  a process's cgroups (see
12       cgroups(7)) as seen via /proc/[pid]/cgroup and /proc/[pid]/mountinfo.
13
14       Each cgroup namespace has its  own  set  of  cgroup  root  directories.
15       These  root  directories are the base points for the relative locations
16       displayed in the corresponding records in the /proc/[pid]/cgroup  file.
17       When  a  process  creates  a  new  cgroup  namespace  using clone(2) or
18       unshare(2) with the CLONE_NEWCGROUP flag, it enters a new cgroup names‐
19       pace  in  which  its current cgroups directories become the cgroup root
20       directories of the new namespace.  (This applies both for  the  cgroups
21       version 1 hierarchies and the cgroups version 2 unified hierarchy.)
22
23       When  viewing /proc/[pid]/cgroup, the pathname shown in the third field
24       of each record will be relative to the reading process's root directory
25       for the corresponding cgroup hierarchy.  If the cgroup directory of the
26       target process lies outside the root directory of the reading process's
27       cgroup  namespace,  then  the  pathname  will show ../ entries for each
28       ancestor level in the cgroup hierarchy.
29
30       The following shell session demonstrates the effect of creating  a  new
31       cgroup  namespace.   First,  (as superuser) we create a child cgroup in
32       the freezer hierarchy, and put the shell into that cgroup:
33
34           # mkdir -p /sys/fs/cgroup/freezer/sub
35           # echo $$                      # Show PID of this shell
36           30655
37           # sh -c 'echo 30655 > /sys/fs/cgroup/freezer/sub/cgroup.procs'
38           # cat /proc/self/cgroup | grep freezer
39           7:freezer:/sub
40
41       Next, we use unshare(1) to create a process running a new shell in  new
42       cgroup and mount namespaces:
43
44           # unshare -Cm bash
45
46       We  then inspect the /proc/[pid]/cgroup files of, respectively, the new
47       shell process started by the unshare(1) command, a process that  is  in
48       the  original  cgroup  namespace (init, with PID 1), and a process in a
49       sibling cgroup (sub2):
50
51           $ cat /proc/self/cgroup | grep freezer
52           7:freezer:/
53           $ cat /proc/1/cgroup | grep freezer
54           7:freezer:/..
55           $ cat /proc/20124/cgroup | grep freezer
56           7:freezer:/../sub2
57
58       From the output of the first command, we see that  the  freezer  cgroup
59       membership of the new shell (which is in the same cgroup as the initial
60       shell) is shown defined relative to the freezer cgroup  root  directory
61       that  was  established  when the new cgroup namespace was created.  (In
62       absolute terms, the new shell is in the /sub freezer  cgroup,  and  the
63       root directory of the freezer cgroup hierarchy in the new cgroup names‐
64       pace is also /sub.  Thus, the new shell's  cgroup  membership  is  dis‐
65       played as '/'.)
66
67       However,  when  we  look  in  /proc/self/mountinfo we see the following
68       anomaly:
69
70           # cat /proc/self/mountinfo | grep freezer
71           155 145 0:32 /.. /sys/fs/cgroup/freezer ...
72
73       The fourth field of this line (/..)  should show the directory  in  the