diff options
| author | Michael Kerrisk <mtk.manpages@gmail.com> | 2018-01-02 18:02:20 +0100 |
|---|---|---|
| committer | Michael Kerrisk <mtk.manpages@gmail.com> | 2018-01-10 00:32:18 +0100 |
| commit | 0735069bf341a1e9d336aa57f33d2d7603a9a669 (patch) | |
| tree | 10be00e1a6083a372813b8815ad8b6060d3a435a /man7/cgroups.7 | |
| parent | e5bd7e6598e6873172a487332fa80d2d348f9e78 (diff) | |
| download | man-pages-0735069bf341a1e9d336aa57f33d2d7603a9a669.tar.gz | |
cgroups.7: Minor tweak to text on v2 delegation
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Diffstat (limited to 'man7/cgroups.7')
| -rw-r--r-- | man7/cgroups.7 | 22 |
1 files changed, 12 insertions, 10 deletions
diff --git a/man7/cgroups.7 b/man7/cgroups.7 index 52971e6e57..af67306de6 100644 --- a/man7/cgroups.7 +++ b/man7/cgroups.7 @@ -862,25 +862,25 @@ To perform delegation, the delegater makes certain directories and files writable by the delegatee, typically by changing the ownership of the objects to be the user ID of the delegatee. -Assuming that we want to delegate the hierarchy rooted at -.I /grp1 +Assuming that we want to delegate the hierarchy rooted at (say) +.I /dlgt_grp and that there are not yet any child cgroups under that cgroup, the ownership of the following is changed to the user ID of the delegatee: .TP -.IR /grp1 +.IR /dlgt_grp Changing the ownership of the root of the subtree means that any new cgroups created under the subtree (and the files they contain) will also be owned by the delegatee. .TP -.IR /grp1/cgroup.procs +.IR /dlgt_grp/cgroup.procs Changing the ownership of this file means that the delegatee can move processes into the root of the delegated subtree. .TP -.IR /grp1/cgroup.subtree_control +.IR /dlgt_grp/cgroup.subtree_control Making this file owned by the delegatee is optional. Doing so means that that the delegatee can enable controllers (that are present in -.IR /grp1/cgroup.controllers ) +.IR /dlgt_grp/cgroup.controllers ) in order to further redistribute resources at lower levels in the subtree. As an alternative to changing the ownership of this file, the delegater might instead add selected controllers to this file. @@ -891,7 +891,7 @@ change the ownership of any of the controller interfaces files (e.g., .IR pids.max , .IR memory.high ) in -.IR grp1 . +.IR dlgt_grp . Those files are used from the next level above the delegated subtree in order to distribute resources into the subtree, and the delegatee should not have permission to change @@ -901,7 +901,7 @@ After the aforementioned steps have been performed, the delegatee can create child cgroups within the delegated subtree and move processes between cgroups in the subtree. If some controllers are present in -.IR grp1/cgroup.subtree_control , +.IR dlgt_grp/cgroup.subtree_control , or the ownership of that file was passed to the delegatee, the delegatee can also control the further redistribution of the corresponding resources into the delegated subtree. @@ -932,8 +932,10 @@ the common ancestor may be the source or destination cgroup itself.) .PP .IR Note : one consequence of these delegation containment rules is that the -delegater must place the first process (a process owned by the delegatee) -into the delegated subtree. +unprivileged delegatee can't place the first process into +the delegated subtree; +instead, the delegater must place the first process +(a process owned by the delegatee) into the delegated subtree. .\" .SH CGROUPS V2 THREAD MODE Among the restrictions imposed by cgroups v2 that were not present |