namespaces.7: Document cgroup namespaces (CLONE_NEWCGROUP)

[thirdparty/man-pages.git] / man7 / namespaces.7

.\" Copyright (c) 2013 by Michael Kerrisk <mtk.manpages@gmail.com>
.\" and Copyright (c) 2012 by Eric W. Biederman <ebiederm@xmission.com>
.\"
.\" %%%LICENSE_START(VERBATIM)
.\" Permission is granted to make and distribute verbatim copies of this
.\" manual provided the copyright notice and this permission notice are
.\" preserved on all copies.
.\"
.\" Permission is granted to copy and distribute modified versions of this
.\" manual under the conditions for verbatim copying, provided that the
.\" entire resulting derived work is distributed under the terms of a
.\" permission notice identical to this one.
.\"
.\" Since the Linux kernel and libraries are constantly changing, this
.\" manual page may be incorrect or out-of-date.  The author(s) assume no
.\" responsibility for errors or omissions, or for damages resulting from
.\" the use of the information contained herein.  The author(s) may not
.\" have taken the same level of care in the production of this manual,
.\" which is licensed free of charge, as they might when working
.\" professionally.
.\"
.\" Formatted or processed versions of this manual, if unaccompanied by
.\" the source, must acknowledge the copyright and authors of this work.
.\" %%%LICENSE_END
.\"
.\"
.TH NAMESPACES 7 2016-03-15 "Linux" "Linux Programmer's Manual"
.SH NAME
namespaces \- overview of Linux namespaces
.SH DESCRIPTION
A namespace wraps a global system resource in an abstraction that
makes it appear to the processes within the namespace that they
have their own isolated instance of the global resource.
Changes to the global resource are visible to other processes
that are members of the namespace, but are invisible to other processes.
One use of namespaces is to implement containers.

Linux provides the following namespaces:
.TS
lB lB lB
l lB l.
Namespace       Constant        Isolates
Cgroup  CLONE_NEWCGROUP Cgroup root directory
IPC     CLONE_NEWIPC    System V IPC, POSIX message queues
Network CLONE_NEWNET    Network devices, stacks, ports, etc.
Mount   CLONE_NEWNS     Mount points
PID     CLONE_NEWPID    Process IDs
User    CLONE_NEWUSER   User and group IDs
UTS     CLONE_NEWUTS    Hostname and NIS domain name
.TE

This page describes the various namespaces and the associated
.I /proc
files, and summarizes the APIs for working with namespaces.
.\"
.\" ==================== The namespaces API ====================
.\"
.SS The namespaces API
As well as various
.I /proc
files described below,
the namespaces API includes the following system calls:
.TP
.BR clone (2)
The
.BR clone (2)
system call creates a new process.
If the
.I flags
argument of the call specifies one or more of the
.B CLONE_NEW*
flags listed below, then new namespaces are created for each flag,
and the child process is made a member of those namespaces.
(This system call also implements a number of features
unrelated to namespaces.)
.TP
.BR setns (2)
The
.BR setns (2)
system call allows the calling process to join an existing namespace.
The namespace to join is specified via a file descriptor that refers to
one of the
.IR /proc/[pid]/ns
files described below.
.TP
.BR unshare (2)
The
.BR unshare (2)
system call moves the calling process to a new namespace.
If the
.I flags
argument of the call specifies one or more of the
.B CLONE_NEW*
flags listed below, then new namespaces are created for each flag,
and the calling process is made a member of those namespaces.
(This system call also implements a number of features
unrelated to namespaces.)
.PP
Creation of new namespaces using
.BR clone (2)
and
.BR unshare (2)
in most cases requires the
.BR CAP_SYS_ADMIN
capability.
User namespaces are the exception: since Linux 3.8,
no privilege is required to create a user namespace.
.\"
.\" ==================== The /proc/[pid]/ns/ directory ====================
.\"
.SS The /proc/[pid]/ns/ directory
Each process has a
.IR /proc/[pid]/ns/
.\" See commit 6b4e306aa3dc94a0545eb9279475b1ab6209a31f
subdirectory containing one entry for each namespace that
supports being manipulated by
.BR setns (2):

.in +4n
.nf
$ \fBls -l /proc/$$/ns\fP
total 0
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 cgroup -> cgroup:[4026531835]
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 ipc -> ipc:[4026531839]
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 mnt -> mnt:[4026531840]
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 net -> net:[4026531969]
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 pid -> pid:[4026531836]
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 user -> user:[4026531837]
lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 uts -> uts:[4026531838]
.fi
.in

Bind mounting (see
.BR mount (2))
one of the files in this directory
to somewhere else in the filesystem keeps
the corresponding namespace of the process specified by
.I pid
alive even if all processes currently in the namespace terminate.

Opening one of the files in this directory
(or a file that is bind mounted to one of these files)
returns a file handle for
the corresponding namespace of the process specified by
.IR pid .
As long as this file descriptor remains open,
the namespace will remain alive,
even if all processes in the namespace terminate.
The file descriptor can be passed to
.BR setns (2).

In Linux 3.7 and earlier, these files were visible as hard links.
Since Linux 3.8, they appear as symbolic links.
If two processes are in the same namespace, then the inode numbers of their
.IR /proc/[pid]/ns/xxx
symbolic links will be the same; an application can check this using the
.I stat.st_ino
field returned by
.BR stat (2).
The content of this symbolic link is a string containing
the namespace type and inode number as in the following example:

.in +4n
.nf
$ \fBreadlink /proc/$$/ns/uts\fP
uts:[4026531838]
.fi
.in

The files in this subdirectory are as follows:
.TP
.IR /proc/[pid]/ns/cgroup " (since Linux 4.6)"
This file is a handle for the cgroup namespace of the process.
.TP
.IR /proc/[pid]/ns/ipc " (since Linux 3.0)"
This file is a handle for the IPC namespace of the process.
.TP
.IR /proc/[pid]/ns/mnt " (since Linux 3.8)"
This file is a handle for the mount namespace of the process.
.TP
.IR /proc/[pid]/ns/net " (since Linux 3.0)"
This file is a handle for the network namespace of the process.
.TP
.IR /proc/[pid]/ns/pid " (since Linux 3.8)"
This file is a handle for the PID namespace of the process.
.TP
.IR /proc/[pid]/ns/user " (since Linux 3.8)"
This file is a handle for the user namespace of the process.
.TP
.IR /proc/[pid]/ns/uts " (since Linux 3.0)"
This file is a handle for the UTS namespace of the process.
.\"
.\" ==================== Cgroup namespaces ====================
.\"
.SS Cgroup namespaces (CLONE_NEWCGROUP)
Cgroup namespaces virtualize the view of a process's cgroups as seen via
.IR /proc/[pid]/cgroup
(see
.BR cgroups (7)).

Each cgroup namespace has its own set of cgroup root directories,
which are the base points for the relative locations displayed in
.IR /proc/[pid]/cgroup .
When a process creates a new cgroup namespace using
.BR clone (2)
or
.BR unshare (2)
with the
.BR CLONE_NEWCGROUP
flag, then its current cgroups directories become its cgroup root directories.
(This applies both for the cgroups version 1 hierarchies
as well as the cgroups version 2 unified hierarchy.)

When viewing
.IR /proc/[pid]/cgroup ,
the pathname shown in the third field of each record will be
relative to the reading process's cgroup root directory.
If the cgroup directory of the target process lies outside
the cgroup root directory for this namespace,
then the pathname will show
.I /..
entries for each ancestor level in the cgroup hierarchy.

The following shell session demonstrates the effect of creating
a new cgroup namespace.
First, we create child cgroup in the
.I freezer
hierarchy, and put the shell into that cgroup:

.nf
.in +4n
$ \fBsudo mkdir \-p /sys/fs/cgroup/freezer/sub\fP
$ \fBecho $$\fP                      # Show PID of this shell
30655
$ \fBsudo sh \-c 'echo 30655 > /sys/fs/cgroup/sub'\fP
$ \fBcat /proc/self/cgroup | grep freezer\fP
7:freezer:/sub
.in
.fi

Next, we use
.BR unshare (1)
to create a process running a shell in new user and cgroup namespaces:

.nf
.in +4n
$ \fBunshare -U -C bash\fP
.in
.fi

We then inspect the
.IR /proc/[pid]/cgroup
files of, respectively, the new shell process started by the
.BR unshare (1)
command, a process that is in the original cgroup namespace
.RI ( init ,
with PID 1), and a process in a sibling cgroup:

.nf
.in +4n
$ \fBcat /proc/self/cgroup | grep freezer\fP
7:freezer:/
$ \fBcat /proc/1/cgroup | grep freezer\fP
7:freezer:/..
$ \fBcat /proc/20124/cgroup | grep freezer\fP
7:freezer:/../sub2
.in
.fi

The virtualization provided by cgroup namespaces can be used to prevent
information leaks whereby cgroup directory paths outside of
a container would otherwise be visible to processes in the container.

Use of cgroup namespaces requires a kernel that is configured with the
.B CONFIG_CGROUPS
option.
.\"
.\" ==================== IPC namespaces ====================
.\"
.SS IPC namespaces (CLONE_NEWIPC)
IPC namespaces isolate certain IPC resources,
namely, System V IPC objects (see
.BR svipc (7))
and (since Linux 2.6.30)
.\" commit 7eafd7c74c3f2e67c27621b987b28397110d643f
.\" https://lwn.net/Articles/312232/
POSIX message queues (see
.BR mq_overview (7)).
The common characteristic of these IPC mechanisms is that IPC
objects are identified by mechanisms other than filesystem
pathnames.

Each IPC namespace has its own set of System V IPC identifiers and
its own POSIX message queue filesystem.
Objects created in an IPC namespace are visible to all other processes
that are members of that namespace,
but are not visible to processes in other IPC namespaces.

The following
.I /proc
interfaces are distinct in each IPC namespace:
.IP * 3
The POSIX message queue interfaces in
.IR /proc/sys/fs/mqueue .
.IP *
The System V IPC interfaces in
.IR /proc/sys/kernel ,
namely:
.IR msgmax ,
.IR msgmnb  ,
.IR msgmni ,
.IR sem ,
.IR shmall ,
.IR shmmax ,
.IR shmmni ,
and
.IR shm_rmid_forced .
.IP *
The System V IPC interfaces in
.IR /proc/sysvipc .
.PP
When an IPC namespace is destroyed
(i.e., when the last process that is a member of the namespace terminates),
all IPC objects in the namespace are automatically destroyed.

Use of IPC namespaces requires a kernel that is configured with the
.B CONFIG_IPC_NS
option.
.\"
.\" ==================== Network namespaces ====================
.\"
.SS Network namespaces (CLONE_NEWNET)
Network namespaces provide isolation of the system resources associated
with networking: network devices, IPv4 and IPv6 protocol stacks,
IP routing tables, firewalls, the
.I /proc/net
directory, the
.I /sys/class/net
directory, port numbers (sockets), and so on.
A physical network device can live in exactly one
network namespace.
A virtual network device ("veth") pair provides a pipe-like abstraction
.\" FIXME Add pointer to veth(4) page when it is eventually completed
that can be used to create tunnels between network namespaces,
and can be used to create a bridge to a physical network device
in another namespace.

When a network namespace is freed
(i.e., when the last process in the namespace terminates),
its physical network devices are moved back to the
initial network namespace (not to the parent of the process).

Use of network namespaces requires a kernel that is configured with the
.B CONFIG_NET_NS
option.
.\"
.\" ==================== Mount namespaces ====================
.\"
.SS Mount namespaces (CLONE_NEWNS)
Mount namespaces isolate the set of filesystem mount points,
meaning that processes in different mount namespaces can
have different views of the filesystem hierarchy.
The set of mounts in a mount namespace is modified using
.BR mount (2)
and
.BR umount (2).

The
.IR /proc/[pid]/mounts
file (present since Linux 2.4.19)
lists all the filesystems currently mounted in the
process's mount namespace.
The format of this file is documented in
.BR fstab (5).
Since kernel version 2.6.15, this file is pollable:
after opening the file for reading, a change in this file
(i.e., a filesystem mount or unmount) causes
.BR select (2)
to mark the file descriptor as readable, and
.BR poll (2)
and
.BR epoll_wait (2)
mark the file as having an error condition.

The
.IR /proc/[pid]/mountstats
file (present since Linux 2.6.17)
exports information (statistics, configuration information)
about the mount points in the process's mount namespace.
This file is readable only by the owner of the process.
Lines in this file have the form:
.RS
.in 12
.nf

device /dev/sda7 mounted on /home with fstype ext3 [statistics]
(       1      )            ( 2 )             (3 ) (4)
.fi
.in

The fields in each line are:
.TP 5
(1)
The name of the mounted device
(or "nodevice" if there is no corresponding device).
.TP
(2)
The mount point within the filesystem tree.
.TP
(3)
The filesystem type.
.TP
(4)
Optional statistics and configuration information.
Currently (as at Linux 2.6.26), only NFS filesystems export
information via this field.
.RE
.\"
.\" ==================== PID namespaces ====================
.\"
.SS PID namespaces (CLONE_NEWPID)
See
.BR pid_namespaces (7).
.\"
.\" ==================== User namespaces ====================
.\"
.SS User namespaces (CLONE_NEWUSER)
See
.BR user_namespaces (7).
.\"
.\" ==================== UTS namespaces ====================
.\"
.SS UTS namespaces (CLONE_NEWUTS)
UTS namespaces provide isolation of two system identifiers:
the hostname and the NIS domain name.
These identifiers are set using
.BR sethostname (2)
and
.BR setdomainname (2),
and can be retrieved using
.BR uname (2),
.BR gethostname (2),
and
.BR getdomainname (2).

Use of UTS namespaces requires a kernel that is configured with the
.B CONFIG_UTS_NS
option.
.SH CONFORMING TO
Namespaces are a Linux-specific feature.
.SH EXAMPLE
See
.BR user_namespaces (7).
.SH SEE ALSO
.BR lsns (1),
.BR nsenter (1),
.BR readlink (1),
.BR unshare (1),
.BR clone (2),
.BR setns (2),
.BR unshare (2),
.BR proc (5),
.BR capabilities (7),
.BR cgroups (7),
.BR credentials (7),
.BR pid_namespaces (7),
.BR user_namespaces (7),
.BR switch_root (8)