github.com/rootless-containers/rootlesskit/v2@v2.3.4/docs/process.md

github.com/rootless-containers/rootlesskit/v2@v2.3.4/docs/process.md (about)

     1  ## PID Namespace
     2  
     3  When `--pidns` (since v0.5.0) is specified, RootlessKit executes the child process in a new PID namespace.
     4  The RootlessKit child process becomes the init (PID=1).
     5  When RootlessKit terminates, all the processes in the namespace are killed with `SIGKILL`.
     6  
     7  See also [`pid_namespaces(7)`](http://man7.org/linux/man-pages/man7/pid_namespaces.7.html).
     8  
     9  ## Cgroup Namespace
    10  When `--cgroupns` (since v0.10.0) is specified, RootlessKit executes the child process in a new cgroup namespace.
    11  
    12  ### Cgroup2 evacuation
    13  Cgroup2 evacuation is supported since v0.13.0.
    14  
    15  e.g., `systemd-run -p Delegate=yes --user -t rootlesskit --cgroupns --pidns --evacuate-cgroup2=evac --net=slirp4netns bash`
    16  
    17  When the current process belongs to `/foo` group (visible under `/sys/fs/cgroup/foo`) and evacuation group name is like `bar`,
    18  - All processes in the `/foo` group are moved to `/foo/bar` group, by writing PIDs into `/sys/fs/cgroup/foo/bar/cgroup.procs`
    19  - As many controllers as possible are enabled for `/foo/*` groups, by writing `/sys/fs/cgroup/foo/cgroup.subtree_control`