
Commit 9a3a8a5

cypharcrosbymichael
authored andcommitted
libcontainer: implement CLONE_NEWCGROUP
This is a very simple implementation because, unlike the other namespaces, it doesn't require any configuration, and in its current state it only masks paths. This feature is available in Linux 4.6+ and is enabled by default for kernels compiled with CONFIG_CGROUPS=y. Signed-off-by: Aleksa Sarai <asarai@suse.de> Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
1 parent 7ca079f commit 9a3a8a5

3 files changed

Lines changed: 21 additions & 12 deletions


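--- a/libcontainer/configs/namespaces_linux.go
+++ b/libcontainer/configs/namespaces_linux.go
@@ -7,12 +7,13 @@ import (
 )
 
 const (
-NEWNET NamespaceType = "NEWNET"
-NEWPID NamespaceType = "NEWPID"
-NEWNS NamespaceType = "NEWNS"
-NEWUTS NamespaceType = "NEWUTS"
-NEWIPC NamespaceType = "NEWIPC"
-NEWUSER NamespaceType = "NEWUSER"
+NEWNET NamespaceType = "NEWNET"
+NEWPID NamespaceType = "NEWPID"
+NEWNS NamespaceType = "NEWNS"
+NEWUTS NamespaceType = "NEWUTS"
+NEWIPC NamespaceType = "NEWIPC"
+NEWUSER NamespaceType = "NEWUSER"
+NEWCGROUP NamespaceType = "NEWCGROUP"
 )
 
 var (
@@ -35,6 +36,8 @@ func NsName(ns NamespaceType) string {
 return "user"
 case NEWUTS:
 return "uts"
+case NEWCGROUP:
+return "cgroup"
 }
 return ""
 }
@@ -68,6 +71,7 @@ func NamespaceTypes() []NamespaceType {
 NEWNET,
 NEWPID,
 NEWNS,
+NEWCGROUP,
 }
 }
 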
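Review bot: The new `NEWCGROUP` constant in the const block carries no comment recording the kernel requirement or the limited scope that the commit message states, and nothing in these hunks checks for kernel support. I would add `// NEWCGROUP requests a cgroup namespace (Linux 4.6+); it only virtualizes the cgroup paths the container sees.` above the constant. Any support check presumably lives outside the visible hunks (NsName and NamespaceTypes both start before their hunks), so it is worth confirming that a config requesting NEWCGROUP on an older kernel is rejected with a clear error rather than silently running without the namespace.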

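--- a/libcontainer/configs/namespaces_syscall.go
+++ b/libcontainer/configs/namespaces_syscall.go
@@ -8,13 +8,17 @@ func (n *Namespace) Syscall() int {
 return namespaceInfo[n.Type]
 }
 
+// This is not yet in the Go stdlib.
+const syscall_CLONE_NEWCGROUP = (1 << 29)
+
 var namespaceInfo = map[NamespaceType]int{
-NEWNET: unix.CLONE_NEWNET,
-NEWNS: unix.CLONE_NEWNS,
-NEWUSER: unix.CLONE_NEWUSER,
-NEWIPC: unix.CLONE_NEWIPC,
-NEWUTS: unix.CLONE_NEWUTS,
-NEWPID: unix.CLONE_NEWPID,
+NEWNET: unix.CLONE_NEWNET,
+NEWNS: unix.CLONE_NEWNS,
+NEWUSER: unix.CLONE_NEWUSER,
+NEWIPC: unix.CLONE_NEWIPC,
+NEWUTS: unix.CLONE_NEWUTS,
+NEWPID: unix.CLONE_NEWPID,
+NEWCGROUP: syscall_CLONE_NEWCGROUP,
 }
 
 // CloneFlags parses the container's Namespaces options to set the correct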
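Review bot: `syscall_CLONE_NEWCGROUP = (1 << 29)` evaluates to 0x20000000, which is the kernel's value for CLONE_NEWPID; CLONE_NEWCGROUP is 0x02000000 (1 << 25). As written, a config that requests a cgroup namespace sets the PID-namespace bit instead, so the container gets no cgroup namespace and host cgroup paths stay visible. Assuming the flags are OR-ed together in CloneFlags (its body is outside the hunk), it may also get a PID namespace it never asked for, all without an error. Change the line to `const syscall_CLONE_NEWCGROUP = 0x02000000`, or use `unix.CLONE_NEWCGROUP` if the vendored golang.org/x/sys/unix already exports it. A small test asserting that every value in `namespaceInfo` is distinct would catch this class of mistake.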

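--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
@@ -28,6 +28,7 @@ var namespaceMapping = map[specs.LinuxNamespaceType]configs.NamespaceType{
 specs.UserNamespace: configs.NEWUSER,
 specs.IPCNamespace: configs.NEWIPC,
 specs.UTSNamespace: configs.NEWUTS,
+specs.CgroupNamespace: configs.NEWCGROUP,
 }
 
 var mountPropagationMapping = map[string]int{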
