# mkdir -p /sys/fs/cgroup/freezer/sub2 # sleep 10000 & # Create a process that lives for a while  20124 # echo 20124 > /sys/fs/cgroup/freezer/sub2/cgroup.procs
We then create another child cgroup in the freezer hierarchy and put the shell into that cgroup:
# mkdir -p /sys/fs/cgroup/freezer/sub # echo $$ # Show PID of this shell 30655 # echo 30655 > /sys/fs/cgroup/freezer/sub/cgroup.procs # cat /proc/self/cgroup | grep freezer 7:freezer:/sub
Next, we use unshare(1) to create a process running a new shell in new cgroup and mount namespaces:
We then inspect the /proc/[pid]/cgroup files of, respectively, the new shell process started by the unshare(1) command, a process that is in the original cgroup namespace (init, with PID 1), and the process in the sibling cgroup (sub2):
# unshare -Cm bash
From the output of the first command, we see that the freezer cgroup membership of the new shell (which is in the same cgroup as the initial shell) is shown defined relative to the freezer cgroup root directory that was established when the new cgroup namespace was created. (In absolute terms, the new shell is in the /sub freezer cgroup, and the root directory of the freezer cgroup hierarchy in the new cgroup namespace is also /sub. Thus, the new shell's cgroup membership is displayed as '/'.) However, when we look in /proc/self/mountinfo we see the following anomaly:
$ cat /proc/self/cgroup | grep freezer 7:freezer:/ $ cat /proc/1/cgroup | grep freezer 7:freezer:/.. $ cat /proc/20124/cgroup | grep freezer 7:freezer:/../sub2
The fourth field of this line (/..) should show the directory in the cgroup filesystem which forms the root of this mount. Since by the definition of cgroup namespaces, the process's current freezer cgroup directory became its root freezer cgroup directory, we should see '/' in this field. The problem here is that we are seeing a mount entry for the cgroup filesystem corresponding to our initial shell process's cgroup namespace (whose cgroup filesystem is indeed rooted in the parent directory of sub). We need to remount the freezer cgroup filesystem inside this cgroup namespace, after which we see the expected results:
# cat /proc/self/mountinfo | grep freezer 155 145 0:32 /.. /sys/fs/cgroup/freezer ...
# mount --make-rslave / # Don't propagate mount events # to other namespaces # umount /sys/fs/cgroup/freezer # mount -t cgroup -o freezer freezer /sys/fs/cgroup/freezer # cat /proc/self/mountinfo | grep freezer 155 145 0:32 / /sys/fs/cgroup/freezer rw,relatime ...
- It prevents information leaks whereby cgroup directory paths outside of a container would otherwise be visible to processes in the container. Such leakages could, for example, reveal information about the container framework to containerized applications.
- It eases tasks such as container migration. The virtualization provided by cgroup namespaces allows containers to be isolated from knowledge of the pathnames of ancestor cgroups. Without such isolation, the full cgroup pathnames (displayed in /proc/self/cgroups) would need to be replicated on the target system when migrating a container; those pathnames would also need to be unique, so that they don't conflict with other pathnames on the target system.
- It allows better confinement of containerized processes, because it is possible to mount the container's cgroup filesystems such that the container processes can't gain access to ancestor cgroup directories. Consider, for example, the following scenario:
- We have a cgroup directory, /cg/1, that is owned by user ID 9000.
- In the absence of cgroup namespacing, because the cgroup directory /cg/1 is owned (and writable) by UID 9000 and process X is also owned by user ID 9000, then process X would be able to modify the contents of cgroups files (i.e., change cgroup settings) not only in /cg/1/2 but also in the ancestor cgroup directory /cg/1. Namespacing process X under the cgroup directory /cg/1/2, in combination with suitable mount operations for the cgroup filesystem (as shown above), prevents it modifying files in /cg/1, since it cannot even see the contents of that directory (or of further removed cgroup ancestor directories). Combined with correct enforcement of hierarchical limits, this prevents process X from escaping the limits imposed by ancestor cgroups.