
cgroups isolation (separating groups processes)

I have a question regarding cgroups, especially considering isolation.

Wikipedia states that you can use cgroups to isolate groups, so that there are "separate namespaces for groups, so they don't see each other's processes, network connections or files".

I already know how to share or divide memory or CPU between groups, but would like to know how groups or users can only see their own processes, for example (what has to be in cgrules.conf and in cgconfig.conf).

Example:

When a user of a specified group enters ps (or ps -aux) in his console, only his processes should be listed, not those of other users/groups (as in ps -u). I know that I could do a quick and dirty programming approach to accomplish a thing like this, but I'd like to know how it works with cgroups.

Thank you very much for your expertise!

user1978084 asked Jan 14 '13 18:01


1 Answer

Cgroups don't really have the capability to provide full-on namespace isolation. What you're looking for is Linux Containers (LXC) -- http://lxc.sourceforge.net/. LXC uses cgroups for resource management and allows you to containerize processes and isolate them from the host system. Libvirt also provides an LXC driver which makes it easy to set up containers and even run a full operating system in a container.

More sources:

  • http://fedoraproject.org/wiki/Features/Securecontainers
  • http://nigel.mcnie.name/blog/a-five-minute-guide-to-linux-containers-for-debian
  • http://libvirt.org/drvlxc.html
  • https://www.berrange.com/posts/2011/09/27/getting-started-with-lxc-using-libvirt/
mart1n answered Sep 18 '22 22:09
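
A worked illustration of the distinction the answer draws, added here as an example and not code from the question, the answer, or LXC: what hides other users' processes from ps is a PID namespace plus a procfs mounted from inside it, not cgroup membership. The program below creates user, PID and mount namespaces with clone(), remounts /proc inside the child and counts the processes that are now visible there. The function and sentinel names (pids_visible_in_new_namespace, NS_NOT_PERMITTED, NS_PROC_LOCKED) are this example's own. It assumes Linux with either root or unprivileged user namespaces enabled; where namespace creation is refused (seccomp, sysctl) it reports that instead of failing, and inside a container whose /proc has masked sub-paths the remount step is refused and reported separately.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result codes of pids_visible_in_new_namespace() (this example's own names). */
enum {
    NS_ERROR         = -1, /* unexpected failure */
    NS_NOT_PERMITTED = -2, /* clone() with namespace flags refused: seccomp, sysctl, no privilege */
    NS_PROC_LOCKED   = -4  /* PID namespace created, but a private /proc could not be mounted */
};

/* Count the all-digit entries of /proc: one per process visible in this namespace. */
static int count_visible_pids(void)
{
    DIR *d = opendir("/proc");
    if (d == NULL)
        return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        const char *p = e->d_name;
        int all_digits = (*p != '\0');
        for (; *p != '\0'; p++)
            if (!isdigit((unsigned char)*p)) { all_digits = 0; break; }
        if (all_digits)
            n++;
    }
    closedir(d);
    return n;
}

/* Runs as PID 1 of the new PID namespace. Exit status carries the result:
 * 0..199 = visible process count, 200/201/202 = sentinels decoded by the parent. */
static int child_main(void *arg)
{
    (void)arg;
    if (getpid() != 1)   /* CLONE_NEWPID did not take effect */
        return 200;
    /* The inherited /proc was mounted in the parent's namespace and still lists every
     * host process; a fresh procfs mount is what makes ps see only this namespace.
     * CLONE_NEWNS keeps that mount private to the child. */
    if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) != 0)
        return 201;
    int n = count_visible_pids();
    if (n < 0)
        return 202;
    return n > 199 ? 199 : n;
}

/* Create user+PID+mount namespaces, remount /proc inside, and report how many
 * processes are visible there. Expected on a permissive host: 1 (the child itself). */
int pids_visible_in_new_namespace(void)
{
    const size_t stack_size = 1024 * 1024;
    char *stack = malloc(stack_size);
    if (stack == NULL)
        return NS_ERROR;
    /* CLONE_NEWUSER first so an unprivileged caller may create the other two;
     * the child holds capabilities inside the new user namespace only. */
    int flags = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS | SIGCHLD;
    pid_t pid = clone(child_main, stack + stack_size, flags, NULL); /* stack grows down */
    if (pid < 0) {
        int e = errno;
        free(stack);
        return (e == EPERM || e == EINVAL || e == ENOSYS || e == EUSERS || e == ENOSPC)
               ? NS_NOT_PERMITTED : NS_ERROR;
    }
    int status = 0;
    int rc = waitpid(pid, &status, 0);
    free(stack);
    if (rc < 0 || !WIFEXITED(status))
        return NS_ERROR;
    switch (WEXITSTATUS(status)) {
    case 201: return NS_PROC_LOCKED;
    case 200: case 202: return NS_ERROR;
    default:  return WEXITSTATUS(status);
    }
}

int main(void)
{
    printf("processes visible in the current namespace: %d\n", count_visible_pids());
    int inside = pids_visible_in_new_namespace();
    if (inside >= 0)
        printf("processes visible in a fresh PID namespace: %d\n", inside);
    else if (inside == NS_NOT_PERMITTED)
        printf("namespace creation not permitted here (need root or unprivileged user namespaces)\n");
    else if (inside == NS_PROC_LOCKED)
        printf("PID namespace created, but /proc could not be remounted (masked /proc, e.g. in a container)\n");
    else
        printf("unexpected failure\n");
    return 0;
}
```

Replace the count with execl("/bin/ps", "ps", "aux", NULL) in child_main and ps prints the single process, which is exactly what the question asks for; putting the same process into a dedicated cgroup via cgrules.conf changes its CPU and memory accounting but leaves the full host process list visible, which is why the answer points to LXC (cgroups plus namespaces) rather than cgroups alone.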