From b8514ca6f39e58c623a34440f20debe9d0e8053f Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Wed, 30 Oct 2019 08:44:37 +0100
Subject: namespaces: by default create cgroupns on cgroups v2

change the default on cgroups v2 and create a new cgroup namespace.

When a cgroup namespace is used, processes inside the namespace are
only able to see cgroup paths relative to the cgroup namespace root
and not have full visibility on all the cgroups present on the
system.

The previous behaviour is maintained on a cgroups v1 host, where a
cgroup namespace is not created by default.

Closes: https://github.com/containers/libpod/issues/4363

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
---
 cmd/podman/common.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'cmd')

diff --git a/cmd/podman/common.go b/cmd/podman/common.go
index 33a848553..37511641b 100644
--- a/cmd/podman/common.go
+++ b/cmd/podman/common.go
@@ -132,7 +132,7 @@ func getCreateFlags(c *cliconfig.PodmanCommand) {
 		"Drop capabilities from the container",
 	)
 	createFlags.String(
-		"cgroupns", "host",
+		"cgroupns", "",
 		"cgroup namespace to use",
 	)
 	createFlags.String(
-- 
cgit v1.2.3-54-g00ecf