The cgroup.freeze file can be used to prevent execution of any process in cgroup. Among other things I can imagine that this would be useful for doing a postmortem of a hack by preventing any cover up from the moment the cell was frozen. Freezing the entire machine could be used as emergency measure if there is a suspicion that a significant amount of cells have been hacked. If this turns out to not be the case, it would be possible to unfreeze the machine without having to do a cold start of a cluster that may not even be able to do a cold start anymore due to cyclic dependencies or empty caches.
The
cgroup.freezefile can be used to prevent execution of any process in cgroup. Among other things I can imagine that this would be useful for doing a postmortem of a hack by preventing any cover up from the moment the cell was frozen. Freezing the entire machine could be used as emergency measure if there is a suspicion that a significant amount of cells have been hacked. If this turns out to not be the case, it would be possible to unfreeze the machine without having to do a cold start of a cluster that may not even be able to do a cold start anymore due to cyclic dependencies or empty caches.