From f3c9f1229026c4ff3c5481cd6e9054729942db7b Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Thu, 23 Nov 2017 12:34:23 +0100 Subject: [PATCH] doc: document lxc.namespace.[namespace identifier] Closes #1924. Signed-off-by: Christian Brauner --- doc/lxc.container.conf.sgml.in | 59 ++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in index f00092aed..51b1a7035 100644 --- a/doc/lxc.container.conf.sgml.in +++ b/doc/lxc.container.conf.sgml.in @@ -1277,6 +1277,65 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + + Namespace Inheritance + + The capabilities can be dropped in the container if this one + is run as root. + + + + + + + + + Specify a namespace to inherit from another container or process. + The suffix needs to be + replaced with one of the namespaces that appear in the + /proc/PID/ns directory. + + + + To inherit the namespace from another process set the + to the PID of + the process, e.g. . + + + + To inherit the namespace from another container set the + to the name of + the container, e.g. . + + + + To inherit the namespace from another container located in a + different path than the standard liblxc path set the + to the full + path to the container, e.g. + . + + + + In order to inherit namespaces the caller needs to have sufficient + privilege over the process or container. + + + + Note that sharing pid namespaces between system containers will + likely not work with most init systems. + + + + Note that if two processes are in different user namespaces and one + process wants to inherit the other's network namespace it usually + needs to inherit the user namespace as well. + + + + + + Resource limits -- 2.47.2
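Review bot: the opening paragraph under the new "Namespace Inheritance" heading, "The capabilities can be dropped in the container if this one is run as root.", describes capability dropping rather than namespace inheritance and reads as carried over from the capabilities section. Replace it with a sentence that introduces inheriting a namespace from another process or container. Further down, "the caller needs to have sufficient privilege over the process or container" would be more useful if it said which privilege is meant. Since the text already warns about shared pid namespaces and about needing the user namespace alongside the network namespace, consider also stating that an inherited namespace is shared with its source, so the container is not isolated from that process or container in that namespace.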