cgroup isolation (separating cgroup processes)

I have a question regarding cgroups, especially considering isolation.

Wikipedia states that you can use cgroups for isolation, with "separate namespaces for groups of processes, so they don't see each other's processes, network connections, or files."

I already know how to split memory or processor time between cgroups, but I would like to know how cgroups or users can be made to see only their own processes (for example, what should be in cgrules.conf and cgconfig.conf).

Example:

When a user in the given group runs ps (or ps aux) in his console, only his processes should be listed, not those of other users/groups (as with ps -u). I know that I could do some quick and dirty programming to accomplish such a thing, but I would like to know how this works with cgroups.

Thanks for sharing your experience!

+4
2 answers

Cgroups are not able to provide complete namespace isolation. What you are looking for is Linux Containers (LXC) - http://lxc.sourceforge.net/ . LXC uses cgroups to manage resources and allows you to containerize processes and isolate them from the host system. Libvirt also provides an LXC driver, which simplifies configuring containers and can even run a full operating system inside a container.

Other sources:

+2
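The distinction the answer draws (cgroups account for and limit resources; a PID namespace is what actually hides other users' processes from `ps`) can be checked from inside a process. The following is an added example, not code from the answerer or from the LXC project: it parses a constructed `/proc/self/cgroup` of the kind a `cgrules.conf` placement into `/users/alice` would produce, compares the PID-namespace inode of the current process with that of PID 1, and, where util-linux `unshare` is available and permitted, runs `ps` inside a fresh user+PID namespace to show that only the processes in that namespace are listed. The `/users/alice` path and the sample cgroup contents are assumptions made for illustration.

```python
"""Added example: cgroup membership vs. PID-namespace visibility."""
import os
import shutil
import subprocess


def parse_proc_cgroup(text):
    """Parse the contents of /proc/<pid>/cgroup.

    Each line has the form "hierarchy-ID:controller-list:cgroup-path".
    Returns a dict mapping the controller list (e.g. "memory",
    "cpu,cpuacct", or "" for the unified v2 hierarchy) to the cgroup path
    the process has been placed in. This tells you which resource limits
    apply to the process; it says nothing about what the process can see.
    """
    membership = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _hier_id, controllers, path = line.split(":", 2)
        membership[controllers] = path
    return membership


def pid_namespace_id(pid="self"):
    """Return the inode of /proc/<pid>/ns/pid, or None if it cannot be read.

    Two processes share a PID namespace exactly when this value matches;
    the cgroup they sit in is irrelevant to what `ps` lists for them.
    Reading another user's ns link needs ptrace access, so None is common
    for pid=1 as an unprivileged user.
    """
    try:
        return os.stat(f"/proc/{pid}/ns/pid").st_ino
    except OSError:
        return None


def in_same_pid_namespace_as_init():
    """True/False if both inodes are readable, None otherwise."""
    mine, init = pid_namespace_id("self"), pid_namespace_id(1)
    if mine is None or init is None:
        return None
    return mine == init


def ps_inside_new_pid_namespace():
    """Run `ps` in a fresh user+PID namespace via util-linux unshare(1).

    --mount-proc gives the child its own /proc, so ps reads only the new
    namespace. Returns the output lines, or None when unshare/ps is missing,
    user namespaces are disabled, or the call is otherwise denied.
    """
    if shutil.which("unshare") is None or shutil.which("ps") is None:
        return None
    cmd = ["unshare", "--user", "--map-root-user", "--pid", "--fork",
           "--mount-proc", "ps", "-o", "pid,comm"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    if out.returncode != 0:
        return None
    return out.stdout.strip().splitlines()


# Constructed sample of a cgroup-v1 /proc/self/cgroup for a process that
# cgrules.conf has placed under /users/alice for the cpu and memory
# controllers (assumed paths, not taken from any real system).
SAMPLE_PROC_CGROUP = """\
12:memory:/users/alice
3:cpu,cpuacct:/users/alice
1:name=systemd:/user.slice/user-1000.slice
0::/user.slice/user-1000.slice
"""

if __name__ == "__main__":
    print("cgroup membership from constructed sample:")
    for controllers, path in parse_proc_cgroup(SAMPLE_PROC_CGROUP).items():
        print(f"  {controllers or '<v2 unified>'}: {path}")
    print("shares PID namespace with init:", in_same_pid_namespace_as_init())
    listing = ps_inside_new_pid_namespace()
    if listing is None:
        print("unshare demo skipped (unshare/ps unavailable or not permitted)")
    else:
        print("ps inside a fresh PID namespace sees only:")
        for line in listing:
            print("  " + line)
```

On a host where user namespaces are enabled, the last section prints a handful of lines (the `ps` process itself and the shim that `--fork` created), which is the behaviour the question asks for; placing the same process in a cgroup changes none of the output, because cgroup placement never alters the contents of `/proc`.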

Although LXC is a good answer for providing isolation, cgroups have this capability even at the cache level (if the processor supports it). Many cluster managers / resource managers such as Mesos take advantage of these features. With cgset you can set limits for IO, CPU and memory for your cgroups. You can find some documentation here.

0