cgroup: introduce cgroup namespaces
Introduce the ability to create new cgroup namespace. The newly created cgroup namespace remembers the cgroup of the process at the point of creation of the cgroup namespace (referred as cgroupns-root). The main purpose of cgroup namespace is to virtualize the contents of /proc/self/cgroup file. Processes inside a cgroup namespace are only able to see paths relative to their namespace root (unless they are moved outside of their cgroupns-root, at which point they will see a relative path from their cgroupns-root). For a correctly setup container this enables container-tools (like libcontainer, lxc, lmctfy, etc.) to create completely virtualized containers without leaking system level cgroup hierarchy to the task. This patch only implements the 'unshare' part of the cgroupns. Signed-off-by: Aditya Kali <adityakali@google.com> Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Tejun Heo <tj@kernel.org>
This commit is contained in:
Aditya Kali
@@ -17,6 +17,11 @@
|
||||
#include <linux/seq_file.h>
|
||||
#include <linux/kernfs.h>
|
||||
#include <linux/jump_label.h>
|
||||
#include <linux/nsproxy.h>
|
||||
#include <linux/types.h>
|
||||
#include <linux/ns_common.h>
|
||||
#include <linux/nsproxy.h>
|
||||
#include <linux/user_namespace.h>
|
||||
|
||||
#include <linux/cgroup-defs.h>
|
||||
|
||||
@@ -611,4 +616,48 @@ static inline void cgroup_sk_free(struct sock_cgroup_data *skcd) {}
|
||||
|
||||
#endif /* CONFIG_CGROUP_DATA */
|
||||
|
||||
struct cgroup_namespace {
|
||||
atomic_t count;
|
||||
struct ns_common ns;
|
||||
struct user_namespace *user_ns;
|
||||
struct css_set *root_cset;
|
||||
};
|
||||
|
||||
extern struct cgroup_namespace init_cgroup_ns;
|
||||
|
||||
#ifdef CONFIG_CGROUPS
|
||||
|
||||
void free_cgroup_ns(struct cgroup_namespace *ns);
|
||||
|
||||
struct cgroup_namespace *copy_cgroup_ns(unsigned long flags,
|
||||
struct user_namespace *user_ns,
|
||||
struct cgroup_namespace *old_ns);
|
||||
|
||||
char *cgroup_path_ns(struct cgroup *cgrp, char *buf, size_t buflen,
|
||||
struct cgroup_namespace *ns);
|
||||
|
||||
#else /* !CONFIG_CGROUPS */
|
||||
|
||||
static inline void free_cgroup_ns(struct cgroup_namespace *ns) { }
|
||||
static inline struct cgroup_namespace *
|
||||
copy_cgroup_ns(unsigned long flags, struct user_namespace *user_ns,
|
||||
struct cgroup_namespace *old_ns)
|
||||
{
|
||||
return old_ns;
|
||||
}
|
||||
|
||||
#endif /* !CONFIG_CGROUPS */
|
||||
|
||||
static inline void get_cgroup_ns(struct cgroup_namespace *ns)
|
||||
{
|
||||
if (ns)
|
||||
atomic_inc(&ns->count);
|
||||
}
|
||||
|
||||
static inline void put_cgroup_ns(struct cgroup_namespace *ns)
|
||||
{
|
||||
if (ns && atomic_dec_and_test(&ns->count))
|
||||
free_cgroup_ns(ns);
|
||||
}
|
||||
|
||||
#endif /* _LINUX_CGROUP_H */
|
||||
|
||||
Reference in New Issue
Block a user