*: add support for cgroup namespace

The cgroup namespace is a new kernel feature available in 4.6+ that allows a container to isolate its cgroup hierarchy. This is invaluable for hiding information from /proc/self/cgroup, but it also allows you to modify your hierarchy inside a user namespace (even a rootless container). Signed-off-by: Aleksa Sarai <[email protected]>
opencontainers · Apr 25, 2016 · bc0d866 · bc0d866
1 parent f955d90
commit bc0d866
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 1 deletion.
diff --git a/config-linux.md b/config-linux.md
@@ -33,6 +33,7 @@ The following parameters can be specified to setup namespaces:
     * **`ipc`** processes inside the container will only be able to communicate to other processes inside the same container via system level IPC
     * **`uts`** the container will be able to have its own hostname and domain name
     * **`user`** the container will be able to remap user and group IDs from the host to local users and groups within the container
+    * **`cgroup`** the container will have an isolated cgroup hierarchy that it can manage
 
 * **`path`** *(string, optional)* - path to namespace file in the [runtime mount namespace](glossary.md#runtime-namespace)
 
@@ -62,6 +63,9 @@ Also, when a path is specified, a runtime MUST assume that the setup for that pa
         },
         {
             "type": "user"
+        },
+        {
+            "type": "cgroup"
         }
     ]
 ```

diff --git a/config.md b/config.md
@@ -590,6 +590,12 @@ Here is a full example `config.json` for reference.
             },
             {
                 "type": "mount"
+            },
+            {
+                "type": "user"
+            },
+            {
+                "type": "cgroup"
             }
         ],
         "maskedPaths": [

diff --git a/schema/defs-linux.json b/schema/defs-linux.json
@@ -224,7 +224,8 @@
                 "network",
                 "uts",
                 "ipc",
-                "user"
+                "user",
+                "cgroup"
             ]
         },
         "NamespaceReference": {

diff --git a/specs-go/config.go b/specs-go/config.go
@@ -169,6 +169,8 @@ const (
 	UTSNamespace = "uts"
 	// UserNamespace for isolating user and group IDs
 	UserNamespace = "user"
+	// CgroupNamespace for isolating cgroup hierarchies
+	CgroupNamespace = "cgroup"
 )
 
 // IDMapping specifies UID/GID mappings
-Original file line number
+Diff line change
@@ Expand Up / @@ -224,7 +224,8 @@ @@
                     "network",
                     "uts",
                     "ipc",
-                    "user"
+                    "user",
+                    "cgroup"
                 ]
             },
             "NamespaceReference": {
@@ Expand Down @@