mirror of https://github.com/mkerrisk/man-pages
cgroups.7: Add subsection describing cgroups v2 subtree delegation
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent
0e124f35c5
commit
4242dfbe4f
|
@ -1,5 +1,5 @@
|
||||||
.\" Copyright (C) 2015 Serge Hallyn <serge@hallyn.com>
|
.\" Copyright (C) 2015 Serge Hallyn <serge@hallyn.com>
|
||||||
.\" and Copyright (C) 2016 Michael Kerrisk <mtk.manpages@gmail.com>
|
.\" and Copyright (C) 2016, 2017 Michael Kerrisk <mtk.manpages@gmail.com>
|
||||||
.\"
|
.\"
|
||||||
.\" %%%LICENSE_START(VERBATIM)
|
.\" %%%LICENSE_START(VERBATIM)
|
||||||
.\" Permission is granted to make and distribute verbatim copies of this
|
.\" Permission is granted to make and distribute verbatim copies of this
|
||||||
|
@ -750,6 +750,102 @@ of a process for each notification.
|
||||||
Second, notification can be delegated to a process that lives inside
|
Second, notification can be delegated to a process that lives inside
|
||||||
a container associated with the newly empty cgroup.
|
a container associated with the newly empty cgroup.
|
||||||
.\"
|
.\"
|
||||||
|
.SS Cgroups v2 delegation
|
||||||
|
In the context of cgroups,
|
||||||
|
delegation means passing management of some subtree
|
||||||
|
of the cgroup hierarchy to a nonprivileged process.
|
||||||
|
Cgroups v1 provides support for delegation that was
|
||||||
|
accidental and not fully secure.
|
||||||
|
Cgroups v2 supports delegation by explicit design.
|
||||||
|
.PP
|
||||||
|
Some terminology is required in order to describe delegation.
|
||||||
|
A
|
||||||
|
.I delegater
|
||||||
|
is a privileged user (i.e., root) who owns a parent cgroup.
|
||||||
|
A
|
||||||
|
.I delegatee
|
||||||
|
is a nonprivileged user who will be granted the permissions needed
|
||||||
|
to manage some subhierarchy under that parent cgroup,
|
||||||
|
known as the
|
||||||
|
.IR "delegated subtree" .
|
||||||
|
.PP
|
||||||
|
To perform delegation,
|
||||||
|
the delegater makes certain directories and files writable by the delegatee,
|
||||||
|
typically by changing the ownership of the objects to be the user ID
|
||||||
|
of the delegatee.
|
||||||
|
Assuming that we want to delegate the hierarchy rooted at
|
||||||
|
.I /grp1
|
||||||
|
and that there are not yet any child cgroups under that cgroup,
|
||||||
|
the ownership of the following is changed to the user ID of the delegatee:
|
||||||
|
.TP
|
||||||
|
.IR /grp1
|
||||||
|
Changing the ownership of the root of the subtree means that any new
|
||||||
|
cgroups created under the subtree (and the files they contain)
|
||||||
|
will also be owned by the delegatee.
|
||||||
|
.TP
|
||||||
|
.IR /grp1/cgroup.procs
|
||||||
|
Changing ownership of this file means that the delegatee
|
||||||
|
can move processes into the root of the delegated subtree.
|
||||||
|
.TP
|
||||||
|
.IR /grp1/cgroup.subtree_control
|
||||||
|
Making this file owned by the delegatee is optional.
|
||||||
|
Doing so means that that the delegatee can enable controllers
|
||||||
|
(that are present in
|
||||||
|
.IR /grp1/cgroup.controllers )
|
||||||
|
in order to further redistribute resources at lower levels in the subtree.
|
||||||
|
As an alternative to changing the ownership of this file,
|
||||||
|
the delegater might instead add selected controllers to this file.
|
||||||
|
.PP
|
||||||
|
The delegater should
|
||||||
|
.I not
|
||||||
|
change the ownership of any of the controller interfaces files (e.g.,
|
||||||
|
.IR pids.max ,
|
||||||
|
.IR memory.high )
|
||||||
|
in
|
||||||
|
.IR grp1 .
|
||||||
|
Those files are used from the next level above the delegated subtree
|
||||||
|
in order to distribute resources into the subtree,
|
||||||
|
and the delegatee should not have permission to change
|
||||||
|
the resources that are distributed into the delegated subtree.
|
||||||
|
.PP
|
||||||
|
After the aforementioned steps have been performed,
|
||||||
|
the delegatee can create child cgroups within the delegated subtree
|
||||||
|
and move processes between cgroups in the subtree.
|
||||||
|
If some controllers are present in
|
||||||
|
.IR grp1/cgroup.subtree_control ,
|
||||||
|
or the ownership of that file was passed to the delegatee,
|
||||||
|
the the delegatee can also control the further redistribution
|
||||||
|
of the corresponding resources into the delegated subtree.
|
||||||
|
.PP
|
||||||
|
Some delegation
|
||||||
|
.IR "containment rules"
|
||||||
|
ensure that the delegatee can move processes between cgroups within the
|
||||||
|
delegated subtree,
|
||||||
|
but can't move processes from outside the delegated subtree into
|
||||||
|
the subtree or vice versa.
|
||||||
|
A nonprivileged process (i.e., the delegatee) can write the PID of
|
||||||
|
a "target" process into a
|
||||||
|
.IR cgroup.procs
|
||||||
|
file only if all of the following are true:
|
||||||
|
.IP * 3
|
||||||
|
The effective UID of the writer (i.e., the delegatee) matches the
|
||||||
|
real user ID or the saved set-user-ID of the target process.
|
||||||
|
.IP *
|
||||||
|
The writer has write permission on the
|
||||||
|
.I cgroup.procs
|
||||||
|
file in the destination cgroup.
|
||||||
|
.IP *
|
||||||
|
The writer has write permission on the
|
||||||
|
.I cgroup.procs
|
||||||
|
file in the common ancestor of the source and destination cgroups.
|
||||||
|
(In some cases,
|
||||||
|
the common ancestor may be the source or destination cgroup itself.)
|
||||||
|
.PP
|
||||||
|
.IR Note :
|
||||||
|
one consequence of these delegation containment rules is that the
|
||||||
|
delegater must place the first process (a process owned by the delegatee)
|
||||||
|
into the delegated subtree.
|
||||||
|
.\"
|
||||||
.SS /proc files
|
.SS /proc files
|
||||||
.TP
|
.TP
|
||||||
.IR /proc/cgroups " (since Linux 2.6.24)"
|
.IR /proc/cgroups " (since Linux 2.6.24)"
|
||||||
|
|
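Review bot: two doubled words in the new subsection need fixing: "Doing so means that that the delegatee can enable controllers" should read "Doing so means that the delegatee can enable controllers", and "the the delegatee can also control the further redistribution" should read "the delegatee can also control the further redistribution". The delegated subtree is also named inconsistently: it is introduced as ".I /grp1" and ".IR /grp1/cgroup.subtree_control", but the later references ".IR grp1 ." and ".IR grp1/cgroup.subtree_control ," drop the leading slash; use one form throughout (the leading slash matches the .TP list). Minor: ".IR "containment rules"" has only a single argument, so ".I "containment rules"" is sufficient.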