# info > CGROUP_NAMESPACES

---
type: CommandReference
command: cgroup_namespaces
mode: man
section: 7
source: man-pages
---

## Quick Reference
- `unshare -Cm bash` — Start a shell in new cgroup and mount namespaces
- `echo $$ > /sys/fs/cgroup/freezer/sub/cgroup.procs` — Move current shell into a freezer cgroup
- `cat /proc/self/cgroup | grep freezer` — Display own cgroup membership relative to namespace root
- `mount --make-rslave / && umount /sys/fs/cgroup/freezer && mount -t cgroup -o freezer freezer /sys/fs/cgroup/freezer` — Remount freezer cgroup filesystem to correct namespace view
- `mkdir -p /sys/fs/cgroup/freezer/sub2` — Create a child freezer cgroup
- Use `clone(2)` or `unshare(2)` with `CLONE_NEWCGROUP` to create a new cgroup namespace

## Name
cgroup_namespaces - overview of Linux cgroup namespaces

## Synopsis
Cgroup namespaces virtualize the view of a process's cgroups as seen via `/proc/[pid]/cgroup` and `/proc/[pid]/mountinfo`. Each namespace has its own set of cgroup root directories — the process's current cgroup directories become these roots when the namespace is created with `clone(2)` or `unshare(2)` and the `CLONE_NEWCGROUP` flag. When reading `/proc/[pid]/cgroup`, the paths shown are relative to the reading process's cgroup root; if the target process is outside that root, the path includes `../` entries for each ancestor level.  
After creating a new cgroup namespace, the `/proc/self/mountinfo` entry for the cgroup filesystem may still reflect the original namespace; a remount inside the new namespace is required to display the correct root.

## Examples
```shell
# (as superuser in the initial cgroup namespace)
# Create child cgroup and place a long-running process in it
mkdir -p /sys/fs/cgroup/freezer/sub2
sleep 10000 &
echo $! > /sys/fs/cgroup/freezer/sub2/cgroup.procs

# Create another child cgroup and put current shell into it
mkdir -p /sys/fs/cgroup/freezer/sub
echo $$ > /sys/fs/cgroup/freezer/sub/cgroup.procs
cat /proc/self/cgroup | grep freezer
# Output: 7:freezer:/sub

# Start a new shell in new cgroup and mount namespaces
PS1="sh2# " unshare -Cm bash

# Inside the new shell, check membership of self, PID 1, and the background process
# (20124 is the PID of the sleep process started above, i.e. the value of $! at that point)
sh2# cat /proc/self/cgroup | grep freezer
7:freezer:/
sh2# cat /proc/1/cgroup | grep freezer
7:freezer:/..
sh2# cat /proc/20124/cgroup | grep freezer
7:freezer:/../sub2

# mountinfo still shows old root; remount to fix
sh2# cat /proc/self/mountinfo | grep freezer
155 145 0:32 /.. /sys/fs/cgroup/freezer ...
sh2# mount --make-rslave /
sh2# umount /sys/fs/cgroup/freezer
sh2# mount -t cgroup -o freezer freezer /sys/fs/cgroup/freezer
sh2# cat /proc/self/mountinfo | grep freezer
155 145 0:32 / /sys/fs/cgroup/freezer rw,relatime ...
```

## Notes
- Requires a kernel configured with `CONFIG_CGROUPS`.
- Namespaces are a Linux-specific feature.
- Purposes of cgroup namespaces:
  - **Prevent information leaks**: stop container processes from seeing ancestor cgroup directory paths outside the container.
  - **Ease container migration**: isolate containers from knowledge of full cgroup pathnames, avoiding path conflicts on the target system.
  - **Better confinement**: combined with proper remounts, processes cannot modify ancestor cgroup files because those directories are invisible in the namespace.
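
The `..` components described in the Synopsis can be checked mechanically when auditing what a namespaced process can see of cgroups outside its root. The following is an added example, not part of the man page: the function name `classify_cgroup_view` and its verdict labels are assumptions, and the empty-controller `0::` line form (cgroup v2, per cgroups(7)) does not appear on this page.

```shell
#!/bin/sh
# classify_cgroup_view (hypothetical helper): read /proc/[pid]/cgroup-format
# lines on stdin (hierarchy-ID:controller-list:path) and report where each
# path sits relative to the reader's cgroup namespace root.
classify_cgroup_view() {
    while IFS=: read -r id ctrl path; do
        [ -n "$id" ] || continue            # skip blank lines
        [ -n "$ctrl" ] || ctrl="unified"    # cgroup v2 lines carry no controller list
        case "$path" in
            /)
                verdict="at-root" ;;
            /..|/../*)
                # Count leading ".." components: one per ancestor level the
                # target lies above the reader's namespace root.
                levels=0
                rest=${path#/}
                while [ "$rest" = ".." ] || [ "${rest#../}" != "$rest" ]; do
                    levels=$((levels + 1))
                    if [ "$rest" = ".." ]; then break; fi
                    rest=${rest#../}
                done
                verdict="outside-root(up=$levels)" ;;
            *)
                verdict="inside-root" ;;
        esac
        printf '%s %s %s\n' "$ctrl" "$verdict" "$path"
    done
}

# Constructed sample: the three freezer lines shown in the sh2 session above.
printf '%s\n' '7:freezer:/' '7:freezer:/..' '7:freezer:/../sub2' | classify_cgroup_view
```

On a live system, feed it real data with `classify_cgroup_view < /proc/1/cgroup`; any `outside-root` verdict means the target process lives outside the reader's cgroup namespace root.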

## See Also
unshare(1), clone(2), setns(2), unshare(2), proc(5), cgroups(7), credentials(7), namespaces(7), user_namespaces(7)