From: Karel Zak Date: Mon, 21 Mar 2016 20:08:05 +0000 (+0100) Subject: Merge branch '2016-03-02/cgns' of https://github.com/hallyn/util-linux X-Git-Tag: v2.28-rc2~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ca8c69a9f2671d3dbf589736e5a62611d760cb77;p=thirdparty%2Futil-linux.git Merge branch '2016-03-02/cgns' of https://github.com/hallyn/util-linux * '2016-03-02/cgns' of https://github.com/hallyn/util-linux: Implement support for cgroup namespaces --- ca8c69a9f2671d3dbf589736e5a62611d760cb77 diff --cc sys-utils/unshare.1 index cd873cb46f,973bc048c9..085a92be03 --- a/sys-utils/unshare.1 +++ b/sys-utils/unshare.1 @@@ -47,9 -46,14 +47,14 @@@ firewall rules, the \fI/proc/net\fP an sockets, etc. (\fBCLONE_NEWNET\fP flag) .TP .BR "pid namespace" -Children will have a distinct set of PID to process mappings from their parent. +Children will have a distinct set of PID-to-process mappings from their parent. (\fBCLONE_NEWPID\fP flag) .TP + .BR "cgroup namespace" + The process will have a virtualized view of \fI/proc\:/self\:/cgroup\fP, and new + cgroup mounts will be rooted at the namespace cgroup root. + (\fBCLONE_NEWCGROUP\fP flag) + .TP .BR "user namespace" The process will have a distinct set of UIDs, GIDs and capabilities. (\fBCLONE_NEWUSER\fP flag) @@@ -57,44 -61,46 +62,48 @@@ See \fBclone\fR(2) for the exact semantics of the flags. .SH OPTIONS .TP -.BR \-i , " \-\-ipc"[=\fIfile\fP] -Unshare the IPC namespace. If \fIfile\fP is specified then persistent namespace is created -by bind mount. +.BR \-i , " \-\-ipc" [ =\fIfile ] +Unshare the IPC namespace. If \fIfile\fP is specified, then a persistent +namespace is created by a bind mount. .TP -.BR \-m , " \-\-mount"[=\fIfile\fP] -Unshare the mount namespace. If \fIfile\fP is specified then persistent namespace is created -by bind mount. Note that \fIfile\fP has to be located on filesystem with -propagation flag set to \fBprivate\fP. 
Use command \fBfindmnt -o+PROPAGATION\fP -if not sure about the current setting. See also examples below. +.BR \-m , " \-\-mount" [ =\fIfile ] +Unshare the mount namespace. If \fIfile\fP is specified, then a persistent +namespace is created by a bind mount. +Note that \fIfile\fP has to be located on a filesystem with the propagation +flag set to \fBprivate\fP. Use the command \fBfindmnt -o+PROPAGATION\fP +when not sure about the current setting. See also the examples below. .TP -.BR \-n , " \-\-net"[=\fIfile\fP] -Unshare the network namespace. If \fIfile\fP is specified then persistent namespace is created -by bind mount. +.BR \-n , " \-\-net" [ =\fIfile ] +Unshare the network namespace. If \fIfile\fP is specified, then a persistent +namespace is created by a bind mount. .TP -.BR \-p , " \-\-pid"[=\fIfile\fP] -Unshare the pid namespace. If \fIfile\fP is specified then persistent namespace is created -by bind mount. See also the \fB--fork\fP and \fB--mount-proc\fP options. +.BR \-p , " \-\-pid" [ =\fIfile ] +Unshare the PID namespace. If \fIfile\fP is specified then persistent +namespace is created by a bind mount. See also the \fB--fork\fP and +\fB--mount-proc\fP options. .TP -.BR \-u , " \-\-uts"[=\fIfile\fP] -Unshare the UTS namespace. If \fIfile\fP is specified then persistent namespace is created -by bind mount. +.BR \-u , " \-\-uts" [ =\fIfile ] +Unshare the UTS namespace. If \fIfile\fP is specified, then a persistent +namespace is created by a bind mount. .TP -.BR \-U , " \-\-user"[=\fIfile\fP] -Unshare the user namespace. If \fIfile\fP is specified then persistent namespace is created -by bind mount. +.BR \-U , " \-\-user" [ =\fIfile ] +Unshare the user namespace. If \fIfile\fP is specified, then a persistent +namespace is created by a bind mount. .TP + .BR \-C , " \-\-cgroup"[=\fIfile\fP] + Unshare the cgroup namespace. If \fIfile\fP is specified then persistent namespace is created + by bind mount. 
+ .TP .BR \-f , " \-\-fork" Fork the specified \fIprogram\fR as a child process of \fBunshare\fR rather than -running it directly. This is useful when creating a new pid namespace. +running it directly. This is useful when creating a new PID namespace. .TP -.BR \-\-mount\-proc "[=\fImountpoint\fP]" +.BR \-\-mount\-proc [ =\fImountpoint ] Just before running the program, mount the proc filesystem at \fImountpoint\fP -(default is /proc). This is useful when creating a new pid namespace. It also +(default is /proc). This is useful when creating a new PID namespace. It also implies creating a new mount namespace since the /proc mount would otherwise mess up existing programs on the system. The new proc filesystem is explicitly -mounted as private (by MS_PRIVATE|MS_REC). +mounted as private (with MS_PRIVATE|MS_REC). .TP .BR \-r , " \-\-map\-root\-user" Run the program only after the current effective user and group IDs have been mapped to
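Review bot: missing documentation in the new "cgroup namespace" paragraph of the first hunk (the `@@@ -47,9 -46,14 +47,14 @@@` region): the text explains the virtualized view of /proc/self/cgroup and where new cgroup mounts are rooted, but gives no indication that CLONE_NEWCGROUP depends on kernel support, and it is the only flag in this list being introduced by this merge. Suggest adding a sentence after "(\fBCLONE_NEWCGROUP\fP flag)" naming the minimum kernel version that implements cgroup namespaces, so readers of the man page know why the option may be rejected on an older system.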
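Review bot: style inconsistency in the new `\-C , " \-\-cgroup"` entry of the second hunk (the `@@@ -57,44 -61,46 +62,48 @@@` region): the added lines still use the pre-merge markup `" \-\-cgroup"[=\fIfile\fP]` and the wording "If \fIfile\fP is specified then persistent namespace is created by bind mount", while every neighbouring option in the same hunk was just rewritten to the `" \-\-ipc" [ =\fIfile ]` form with "If \fIfile\fP is specified, then a persistent namespace is created by a bind mount." Suggest bringing the cgroup entry in line with the others: `.BR \-C , " \-\-cgroup" [ =\fIfile ]` followed by `Unshare the cgroup namespace. If \fIfile\fP is specified, then a persistent` and `namespace is created by a bind mount.`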