The latest version of the Linux kernel has moved to a security model that is similar to pyr8âs object capabilities model. Itâs known as âControl Groupsâ and contains two components: control groups and namespaces.
Using control groups and namespaces, the Linux kernel makes physical kernel resources visible to process and available for allocation and use during program execution. For example, programs allocate memory during execution and the memory must be managed by the kernel, so during process initialization the Linux kernel uses a memory namespace to control the memory allocations visible to the new process.
Together, Linuxâs control groups and namespaces form a very capability-like API and pyr8 exposes that API to users, who want to write software to perform resource management on pyr8 programs.
In a typical pyr8 deployment, only a small number of processes have the control group API enabled. It can be enabled by passing the --with-cgroup flag as shown.
Processes that need to manage cgroups for other processes and partition resources for a physical system need to be run with CAP_SYS_ADMIN, typically by running them as root.