author | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-10-30 08:44:37 +0100 |
---|---|---|
committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-11-05 17:29:01 +0100 |
commit | b8514ca6f39e58c623a34440f20debe9d0e8053f (patch) | |
tree | 94145f510cb7df7cdf9006c2b8bfcc4404c4a50a /docs/source | |
parent | 17eadda68b868ab1dc8c455f4f537b78ad3962a5 (diff) | |
download | podman-b8514ca6f39e58c623a34440f20debe9d0e8053f.tar.gz podman-b8514ca6f39e58c623a34440f20debe9d0e8053f.tar.bz2 podman-b8514ca6f39e58c623a34440f20debe9d0e8053f.zip |
namespaces: by default create cgroupns on cgroups v2
Change the default on cgroups v2 and create a new cgroup namespace.
When a cgroup namespace is used, processes inside the namespace are
only able to see cgroup paths relative to the cgroup namespace root
and do not have full visibility of all the cgroups present on the
system.
The previous behaviour is maintained on a cgroups v1 host, where a
cgroup namespace is not created by default.
Closes: https://github.com/containers/libpod/issues/4363
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
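The visibility difference the commit message describes can be checked from inside a container by reading `/proc/self/cgroup`: with a private cgroup namespace the path shown is relative to the namespace root (`/`), with the host's namespace the full host path of the container's cgroup is visible. The script below is an added example, not part of this commit or of podman's own code. It assumes `stat -fc %T /sys/fs/cgroup` prints `cgroup2fs` on a cgroups v2 host and `tmpfs` on a v1 host; the `/proc/self/cgroup` samples embedded in it are constructed for illustration, not captured from a real host.

```sh
#!/bin/sh
# Added example, not podman's own code: determine which --cgroupns default
# applies on a host and what a process can see of the cgroup hierarchy.
# The /proc/self/cgroup samples below are constructed for illustration.

# cgroup_version FSTYPE
# FSTYPE is the filesystem type of /sys/fs/cgroup as printed by
# `stat -fc %T /sys/fs/cgroup` (assumption): "cgroup2fs" on a unified (v2)
# host, "tmpfs" on a legacy v1 host where per-controller mounts live below it.
cgroup_version() {
    case "$1" in
        cgroup2fs) echo 2 ;;
        tmpfs)     echo 1 ;;
        *)         echo unknown ;;
    esac
}

# expected_cgroupns_default VERSION
# The defaults documented by this commit: host on v1, private on v2.
expected_cgroupns_default() {
    case "$1" in
        1) echo host ;;
        2) echo private ;;
        *) echo unknown ;;
    esac
}

# cgroup_view_is_rooted CONTENT
# CONTENT is the text of /proc/self/cgroup, one "id:controllers:path" line
# per hierarchy. Succeeds (exit 0) only if every path is "/", i.e. the
# process sits at the root of the cgroup namespace it observes. A non-root
# path means the process shares the host's cgroup namespace (or joined
# another one) and can read the host's cgroup layout, container scope
# names included. Note that a process placed in the host's root cgroup
# also sees "/", so a rooted view is consistent with, not proof of, private.
cgroup_view_is_rooted() {
    printf '%s\n' "$1" | awk -F: '
        NF < 3     { next }
        $3 != "/"  { leaked = 1 }
        END        { exit leaked }'
}

# Constructed samples (not captured from a real host).
V2_PRIVATE='0::/'
V2_HOST='0::/machine.slice/libpod-0123456789abcdef0123456789abcdef.scope'
V1_HOST='12:pids:/user.slice/user-1000.slice/session-2.scope
11:memory:/user.slice/user-1000.slice/session-2.scope
1:name=systemd:/user.slice/user-1000.slice/session-2.scope'

# report LABEL CONTENT: one-line verdict for a sample.
report() {
    if cgroup_view_is_rooted "$2"; then
        echo "$1: rooted view, consistent with --cgroupns=private"
    else
        echo "$1: host cgroup paths visible, --cgroupns=host (or a joined namespace)"
    fi
}

report "v2 private" "$V2_PRIVATE"
report "v2 host" "$V2_HOST"
report "v1 host" "$V1_HOST"

# On a live host, feed the real values instead of the constructed samples:
#   expected_cgroupns_default "$(cgroup_version "$(stat -fc %T /sys/fs/cgroup)")"
#   cgroup_view_is_rooted "$(cat /proc/self/cgroup)"
```

Run it inside a container started with and without `--cgroupns=private` to see the two views; the host-namespace view exposes the host's slice layout and the container's own scope name to the workload, which is what the new v2 default removes.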
Diffstat (limited to 'docs/source')
-rw-r--r-- | docs/source/markdown/podman-create.1.md | 4
-rw-r--r-- | docs/source/markdown/podman-run.1.md | 4
2 files changed, 6 insertions, 2 deletions
diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index 6617850fd..2e0dd934c 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md @@ -67,12 +67,14 @@ Drop Linux capabilities **--cgroupns**=*mode* -Set the cgroup namespace mode for the container, by default **host** is used. +Set the cgroup namespace mode for the container. **host**: use the host's cgroup namespace inside the container. **container:<NAME|ID>**: join the namespace of the specified container. **private**: create a new cgroup namespace. **ns:<PATH>**: join the namespace at the specified path. +If the host uses cgroups v1, the default is set to **host**. On cgroups v2 the default is **private**. + **--cgroups**=*mode* Determines whether the container will create CGroups. diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index d6d8f4c1e..8baa39570 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md @@ -81,12 +81,14 @@ Drop Linux capabilities **--cgroupns**=*mode* -Set the cgroup namespace mode for the container, by default **host** is used. +Set the cgroup namespace mode for the container. **host**: use the host's cgroup namespace inside the container. **container:<NAME|ID>**: join the namespace of the specified container. **private**: create a new cgroup namespace. **ns:<PATH>**: join the namespace at the specified path. +If the host uses cgroups v1, the default is set to **host**. On cgroups v2 the default is **private**. + **--cgroups**=*mode* Determines whether the container will create CGroups. |
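Review bot: In both hunks (the `--cgroupns` section of podman-create.1.md and the identical one in podman-run.1.md) the added line states which default applies per cgroup version but not what the choice changes for the container, which is the point the commit message makes: with **host** the container sees the host's full cgroup paths, with **private** only paths relative to its own cgroup namespace root. Suggest folding that into one sentence after the mode list, for example "The default is **host** on a cgroups v1 host and **private** on cgroups v2; a private namespace hides the host's cgroup layout from the container." Since the two man pages carry the same text, keep any such wording change identical in both files.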