mirror of https://github.com/mkerrisk/man-pages
cgroups.7: Soften the discussion about delegation in cgroups v1
Balbir pointed out that v1 delegation was not an accidental feature.

Reported-by: Balbir Singh <bsingharora@gmail.com>
Reported-by: Marcus Gelderie <redmnic@gmail.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent e366c4d48d
commit 87b18a8b63
|
@ -874,9 +874,10 @@ The default value in this file is
|
|||
In the context of cgroups,
|
||||
delegation means passing management of some subtree
|
||||
of the cgroup hierarchy to a nonprivileged process.
|
||||
Cgroups v1 provides support for delegation that was
|
||||
accidental and not fully secure.
|
||||
Cgroups v2 supports delegation by explicit design.
|
||||
Cgroups v1 provides support for delegation based on file permissions
|
||||
in the cgroup hierarchy but with less strict containment rules than v2
|
||||
(as noted below).
|
||||
Cgroups v2 supports delegation with containment by explicit design.
|
||||
.PP
|
||||
Some terminology is required in order to describe delegation.
|
||||
A
|
||||
|
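Review bot: In the replacement paragraph, "(as noted below)" after "less strict containment rules than v2" is a vague forward reference, and with "not fully secure" dropped the paragraph no longer tells the reader what the practical difference is. Suggest naming the difference directly, for example that v1 does not enforce the write-permission requirement on the nearest common ancestor of the source and destination cgroups, so that someone deciding whether v1 delegation is adequate for their use does not have to hunt for a parenthetical some 200 lines further down.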
@ -1087,6 +1088,7 @@ The writer has write permission on the
|
|||
file in the nearest common ancestor of the source and destination cgroups.
|
||||
Note that in some cases,
|
||||
the nearest common ancestor may be the source or destination cgroup itself.
|
||||
(This requirement is not enforced for cgroups v1 hierarchies.)
|
||||
.IP *
|
||||
If the cgroup v2 filesystem was mounted with the
|
||||
.I nsdelegate
|
||||
|
|
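Review bot: The added parenthetical "(This requirement is not enforced for cgroups v1 hierarchies.)" follows the "Note that in some cases," sentence, so "This requirement" can be read as referring to that note rather than to the write-permission rule that opens the list item. Suggest moving it directly after the sentence that states the requirement, or wording it as "The nearest-common-ancestor requirement is not enforced ...". It would also help to say whether the other containment rules in this list apply to v1, since the earlier "(as noted below)" appears to point here for the v1 differences.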