When `--pidns` (since v0.5.0) is specified, RootlessKit executes the child process in a new PID namespace.
The RootlessKit child process becomes the init (PID=1).
When RootlessKit terminates, all the processes in the namespace are killed with SIGKILL.
See also `pid_namespaces(7)`.
When `--cgroupns` (since v0.10.0) is specified, RootlessKit executes the child process in a new cgroup namespace.
Cgroup2 evacuation is supported since v0.13.0.
e.g., `systemd-run -p Delegate=yes --user -t rootlesskit --cgroupns --pidns --evacuate-cgroup2=evac --net=slirp4netns bash`
When the current process belongs to the `/foo` group (visible under `/sys/fs/cgroup/foo`) and the evacuation group name is `bar`:
- All processes in the `/foo` group are moved to the `/foo/bar` group, by writing their PIDs into `/sys/fs/cgroup/foo/bar/cgroup.procs`.
- As many controllers as possible are enabled for the `/foo/*` groups, by writing to `/sys/fs/cgroup/foo/cgroup.subtree_control`.
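The two evacuation steps above, written out as an added Go example (not RootlessKit's own code): the cgroup2 root is a parameter so the logic can be exercised on a constructed directory tree instead of the real `/sys/fs/cgroup`, and the function name `EvacuateCgroup2` and its arguments are this example's own assumptions. Moving the PIDs first matters on a real cgroup2 mount, where the kernel refuses to enable controllers in `subtree_control` while processes still sit directly in `/foo`.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// EvacuateCgroup2 moves every process of `current` (e.g. "/foo") into the
// sub-group `evac` (e.g. "bar") and then enables all available controllers
// for the children of `current`. It returns the controllers it enabled.
func EvacuateCgroup2(root, current, evac string) ([]string, error) {
	cur := filepath.Join(root, current)
	dst := filepath.Join(cur, evac)
	if err := os.MkdirAll(dst, 0o755); err != nil {
		return nil, err
	}
	// Step 1: write each PID listed in /foo/cgroup.procs into
	// /foo/bar/cgroup.procs. The kernel accepts one PID per write(2), so
	// PIDs are written individually rather than as one blob.
	procs, err := os.ReadFile(filepath.Join(cur, "cgroup.procs"))
	if err != nil {
		return nil, err
	}
	for _, pid := range strings.Fields(string(procs)) {
		if err := appendLine(filepath.Join(dst, "cgroup.procs"), pid); err != nil {
			return nil, fmt.Errorf("move pid %s: %w", pid, err)
		}
	}
	// Step 2: enable "as many controllers as possible" by writing "+name" to
	// /foo/cgroup.subtree_control for every controller the kernel lists in
	// /foo/cgroup.controllers. One write per controller, so a single
	// controller that cannot be delegated does not reject the others.
	ctrls, err := os.ReadFile(filepath.Join(cur, "cgroup.controllers"))
	if err != nil {
		return nil, err
	}
	var enabled []string
	for _, c := range strings.Fields(string(ctrls)) {
		if err := appendLine(filepath.Join(cur, "cgroup.subtree_control"), "+"+c); err != nil {
			continue // skip controllers the kernel refuses to enable here
		}
		enabled = append(enabled, c)
	}
	return enabled, nil
}

// appendLine writes s plus a newline as a single write(2) to path.
func appendLine(path, s string) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0o644)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write([]byte(s + "\n"))
	return err
}
```

On a real system the group passed as `current` must be delegated to the user (as `systemd-run -p Delegate=yes --user` does in the example command above), otherwise both writes fail with EACCES.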