# SOME DESCRIPTIVE TITLE
# Copyright (C) YEAR Free Software Foundation, Inc.
# This file is distributed under the same license as the PACKAGE package.
# FIRST AUTHOR , YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"POT-Creation-Date: 2024-06-01 05:44+0200\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME \n"
"Language-Team: LANGUAGE \n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. type: TH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "cgroup_namespaces"
msgstr ""

#. type: TH
#: archlinux debian-unstable opensuse-tumbleweed
#, no-wrap
msgid "2024-05-02"
msgstr ""

#. type: TH
#: archlinux debian-unstable
#, no-wrap
msgid "Linux man-pages 6.8"
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "NAME"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "cgroup_namespaces - overview of Linux cgroup namespaces"
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "DESCRIPTION"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "For an overview of namespaces, see B(7)."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Cgroup namespaces virtualize the view of a process's cgroups (see "
"B(7)) as seen via IpidI and IpidI."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Each cgroup namespace has its own set of cgroup root directories. These "
"root directories are the base points for the relative locations displayed in "
"the corresponding records in the IpidI file. When a "
"process creates a new cgroup namespace using B(2) or B(2) "
"with the B flag, its current cgroups directories become the "
"cgroup root directories of the new namespace. (This applies both for the "
"cgroups version 1 hierarchies and the cgroups version 2 unified hierarchy.)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When reading the cgroup memberships of a \"target\" process from "
"IpidI, the pathname shown in the third field of each record will be "
"relative to the reading process's root directory for the corresponding "
"cgroup hierarchy. If the cgroup directory of the target process lies "
"outside the root directory of the reading process's cgroup namespace, then "
"the pathname will show I<../> entries for each ancestor level in the cgroup "
"hierarchy."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The following shell session demonstrates the effect of creating a new cgroup "
"namespace."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"First, (as superuser) in a shell in the initial cgroup namespace, we create "
"a child cgroup in the I hierarchy, and place a process in that "
"cgroup that we will use as part of the demonstration below:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"# B\n"
"# B # Create a process that lives for a while\n"
"[1] 20124\n"
"# B /sys/fs/cgroup/freezer/sub2/cgroup.procs>\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"We then create another child cgroup in the I hierarchy and put the "
"shell into that cgroup:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"# B\n"
"# B # Show PID of this shell\n"
"30655\n"
"# B /sys/fs/cgroup/freezer/sub/cgroup.procs>\n"
"# B\n"
"7:freezer:/sub\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Next, we use B(1) to create a process running a new shell in new "
"cgroup and mount namespaces:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "# B\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"From the new shell started by B(1), we then inspect the "
"IpidI files of, respectively, the new shell, a process that is in "
"the initial cgroup namespace (I, with PID 1), and the process in the "
"sibling cgroup (I):"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"sh2# B\n"
"7:freezer:/\n"
"sh2# B\n"
"7:freezer:/..\n"
"sh2# B\n"
"7:freezer:/../sub2\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"From the output of the first command, we see that the freezer cgroup "
"membership of the new shell (which is in the same cgroup as the initial "
"shell) is shown defined relative to the freezer cgroup root directory that "
"was established when the new cgroup namespace was created. (In absolute "
"terms, the new shell is in the I freezer cgroup, and the root "
"directory of the freezer cgroup hierarchy in the new cgroup namespace is "
"also I. Thus, the new shell's cgroup membership is displayed as "
"\\[aq]/\\[aq].)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"However, when we look in I we see the following "
"anomaly:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"sh2# B\n"
"155 145 0:32 /.. /sys/fs/cgroup/freezer ...\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The fourth field of this line (I) should show the directory in the "
"cgroup filesystem which forms the root of this mount. Since by the "
"definition of cgroup namespaces, the process's current freezer cgroup "
"directory became its root freezer cgroup directory, we should see \\[aq]/"
"\\[aq] in this field. The problem here is that we are seeing a mount entry "
"for the cgroup filesystem corresponding to the initial cgroup namespace "
"(whose cgroup filesystem is indeed rooted at the parent directory of "
"I). To fix this problem, we must remount the freezer cgroup filesystem "
"from the new shell (i.e., perform the mount from a process that is in the "
"new cgroup namespace), after which we see the expected results:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"sh2# B # Don\\[aq]t propagate mount events\n"
" # to other namespaces\n"
"sh2# B\n"
"sh2# B\n"
"sh2# B\n"
"155 145 0:32 / /sys/fs/cgroup/freezer rw,relatime ...\n"
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "STANDARDS"
msgstr ""

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
#: opensuse-leap-15-6 opensuse-tumbleweed
msgid "Linux."
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "NOTES"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Use of cgroup namespaces requires a kernel that is configured with the "
"B option."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The virtualization provided by cgroup namespaces serves a number of purposes:"
msgstr ""

#. type: IP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "\\[bu]"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"It prevents information leaks whereby cgroup directory paths outside of a "
"container would otherwise be visible to processes in the container. Such "
"leakages could, for example, reveal information about the container "
"framework to containerized applications."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"It eases tasks such as container migration. The virtualization provided by "
"cgroup namespaces allows containers to be isolated from knowledge of the "
"pathnames of ancestor cgroups. Without such isolation, the full cgroup "
"pathnames (displayed in I) would need to be replicated "
"on the target system when migrating a container; those pathnames would also "
"need to be unique, so that they don't conflict with other pathnames on the "
"target system."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"It allows better confinement of containerized processes, because it is "
"possible to mount the container's cgroup filesystems such that the container "
"processes can't gain access to ancestor cgroup directories. Consider, for "
"example, the following scenario:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "We have a cgroup directory, I, that is owned by user ID 9000."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"We have a process, I, also owned by user ID 9000, that is namespaced "
"under the cgroup I (i.e., I was placed in a new cgroup namespace "
"via B(2) or B(2) with the B flag)."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In the absence of cgroup namespacing, because the cgroup directory I "
"is owned (and writable) by UID 9000 and process I is also owned by user "
"ID 9000, process I would be able to modify the contents of cgroups files "
"(i.e., change cgroup settings) not only in I but also in the "
"ancestor cgroup directory I. Namespacing process I under the "
"cgroup directory I, in combination with suitable mount operations "
"for the cgroup filesystem (as shown above), prevents it modifying files in "
"I, since it cannot even see the contents of that directory (or of "
"further removed cgroup ancestor directories). Combined with correct "
"enforcement of hierarchical limits, this prevents process I from escaping "
"the limits imposed by ancestor cgroups."
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "SEE ALSO"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"B(1), B(2), B(2), B(2), B(5), "
"B(7), B(7), B(7), B(7)"
msgstr ""

#. type: TH
#: debian-bookworm
#, no-wrap
msgid "2023-02-05"
msgstr ""

#. type: TH
#: debian-bookworm
#, no-wrap
msgid "Linux man-pages 6.03"
msgstr ""

#. type: Plain text
#: debian-bookworm
msgid "Namespaces are a Linux-specific feature."
msgstr ""

#. type: TH
#: fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid "2023-10-31"
msgstr ""

#. type: TH
#: fedora-40 mageia-cauldron
#, no-wrap
msgid "Linux man-pages 6.06"
msgstr ""

#. type: TH
#: fedora-rawhide
#, no-wrap
msgid "Linux man-pages 6.7"
msgstr ""

#. type: TH
#: opensuse-leap-15-6
#, no-wrap
msgid "2023-03-30"
msgstr ""

#. type: TH
#: opensuse-leap-15-6
#, no-wrap
msgid "Linux man-pages 6.04"
msgstr ""

#. type: TH
#: opensuse-tumbleweed
#, no-wrap
msgid "Linux man-pages (unreleased)"
msgstr ""
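Added example (not part of the man page or the Linux man-pages project): a small Python checker for the two views discussed in DESCRIPTION, run over constructed /proc/[pid]/cgroup and /proc/self/mountinfo lines modelled on the sh2 session above rather than real captures. It parses the hierarchy-ID:controller-list:cgroup-path records, flags paths that climb above the reader's namespace root through `..` components, and reports a cgroup mount whose mountinfo root field is not "/" (the inherited mount that the remount fixes). All function and sample names are my own.

```python
from dataclasses import dataclass

# Constructed /proc/<pid>/cgroup contents as read from inside the new cgroup
# namespace, modelled on the man page's sh2 session (not real captures).
CGROUP_SAMPLES = {
    "self": "7:freezer:/\n",
    "init": "7:freezer:/..\n",
    "sibling": "7:freezer:/../sub2\n",
}
# Constructed /proc/self/mountinfo lines: the mount inherited from the parent
# namespace (root field "/..") and the same mount after remounting (root "/").
MOUNTINFO_BEFORE = "155 145 0:32 /.. /sys/fs/cgroup/freezer rw,relatime - cgroup cgroup rw,freezer\n"
MOUNTINFO_AFTER = "155 145 0:32 / /sys/fs/cgroup/freezer rw,relatime - cgroup cgroup rw,freezer\n"


@dataclass
class CgroupRecord:
    hierarchy_id: int
    controllers: list
    path: str  # relative to the reader's cgroup namespace root

    def escapes_namespace(self) -> bool:
        """True when the path climbs above the reader's namespace root via '..'."""
        return ".." in self.path.split("/")


def parse_cgroup(text: str) -> list:
    """Parse hierarchy-ID:controller-list:cgroup-path records (v1 and v2 lines)."""
    records = []
    for line in filter(None, text.splitlines()):
        hid, ctrls, path = line.split(":", 2)
        records.append(CgroupRecord(int(hid), [c for c in ctrls.split(",") if c], path))
    return records


def cgroup_mount_roots(mountinfo: str) -> dict:
    """Map each cgroup/cgroup2 mount point (5th column) to its root (4th column)."""
    roots = {}
    for line in mountinfo.splitlines():
        head, sep, tail = line.partition(" - ")  # optional fields end at " - "
        fields = head.split()
        if sep and len(fields) >= 5 and tail.split()[:1] in (["cgroup"], ["cgroup2"]):
            roots[fields[4]] = fields[3]
    return roots


def needs_remount(mountinfo: str) -> list:
    """Cgroup mounts whose root is not "/", i.e. still showing the parent namespace's view."""
    return [mp for mp, root in cgroup_mount_roots(mountinfo).items() if root != "/"]
```

On a live system the same functions can be fed `open("/proc/self/mountinfo").read()` and `open(f"/proc/{pid}/cgroup").read()` to confirm that a container's cgroup mount was made from inside its own cgroup namespace.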