1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2 From: Christian Brauner <christian.brauner@ubuntu.com>
3 Date: Sat, 4 Apr 2020 12:07:43 +0200
4 Subject: [PATCH] api-extensions: add and document cgroup_advanced_isolation
6 Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
8 doc/api-extensions.md | 4 ++++
9 src/lxc/api_extensions.h | 1 +
10 2 files changed, 5 insertions(+)
12 diff --git a/doc/api-extensions.md b/doc/api-extensions.md
13 index ff0df50ef..13ba41a62 100644
14 --- a/doc/api-extensions.md
15 +++ b/doc/api-extensions.md
16 @@ -136,6 +136,10 @@ Retrieve the seccomp notifier fd from a running container.
18 Whether the seccomp notify proxy sends a long a notify fd file descriptor.
20 +## cgroup\_advanced\_isolation
22 +Privileged containers will usually be able to override the cgroup limits given to them. This introduces three new configuration keys `lxc.cgroup.dir.monitor`, `lxc.cgroup.dir.container`, and `lxc.cgroup.dir.container.inner`. The `lxc.cgroup.dir.monitor` and `lxc.cgroup.dir.container` keys can be used to set to place the `monitor` and the `container` into different cgroups. The `lxc.cgroup.dir.container.inner` key can be set to a cgroup that is concatenated with `lxc.cgroup.dir.container`. When `lxc.cgroup.dir.container.inner` is set the container will be placed into the `lxc.cgroup.dir.container.inner` cgroup but the limits will be set in the `lxc.cgroup.dir.container` cgroup. This way privileged containers cannot escape their cgroup limits.
26 Whether this LXC instance can handle idmapped mounts.
27 diff --git a/src/lxc/api_extensions.h b/src/lxc/api_extensions.h
28 index 06a4130ba..6653c7299 100644
29 --- a/src/lxc/api_extensions.h
30 +++ b/src/lxc/api_extensions.h
31 @@ -41,6 +41,7 @@ static char *api_extensions[] = {
33 "seccomp_notify_fd_active",
34 "seccomp_proxy_send_notify_fd",
35 + "cgroup_advanced_isolation",
projects / lxc.git / blob