mirror of https://github.com/mkerrisk/man-pages
cgroups.7: Soften the discussion about delegation in cgroups v1
Balbir pointed out that v1 delegation was not an accidental feature.

Reported-by: Balbir Singh <bsingharora@gmail.com>
Reported-by: Marcus Gelderie <redmnic@gmail.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent e366c4d48d
commit 87b18a8b63
|
@ -874,9 +874,10 @@ The default value in this file is
|
||||||
In the context of cgroups,
|
In the context of cgroups,
|
||||||
delegation means passing management of some subtree
|
delegation means passing management of some subtree
|
||||||
of the cgroup hierarchy to a nonprivileged process.
|
of the cgroup hierarchy to a nonprivileged process.
|
||||||
Cgroups v1 provides support for delegation that was
|
Cgroups v1 provides support for delegation based on file permissions
|
||||||
accidental and not fully secure.
|
in the cgroup hierarchy but with less strict containment rules than v2
|
||||||
Cgroups v2 supports delegation by explicit design.
|
(as noted below).
|
||||||
|
Cgroups v2 supports delegation with containment by explicit design.
|
||||||
.PP
|
.PP
|
||||||
Some terminology is required in order to describe delegation.
|
Some terminology is required in order to describe delegation.
|
||||||
A
|
A
|
||||||
|
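Review bot: The replacement sentence for cgroups v1 removes the "not fully secure" statement and replaces it with "less strict containment rules than v2 (as noted below)", which leaves a reader at the definition of delegation with no indication of which rule is weaker or where "below" is. The only matching note in this patch is the parenthetical added in the hunk at line 1088, more than 200 lines later. Consider naming the rule here (the write-permission requirement on the file in the nearest common ancestor of the source and destination cgroups) or pointing at the subsection by title instead of "as noted below". The word "containment" is also introduced in both new sentences without a definition at this point in the text; a short gloss, or a forward reference to where containment is described, would help someone deciding whether a v1 subtree is safe to hand to a nonprivileged process.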
@ -1087,6 +1088,7 @@ The writer has write permission on the
|
||||||
file in the nearest common ancestor of the source and destination cgroups.
|
file in the nearest common ancestor of the source and destination cgroups.
|
||||||
Note that in some cases,
|
Note that in some cases,
|
||||||
the nearest common ancestor may be the source or destination cgroup itself.
|
the nearest common ancestor may be the source or destination cgroup itself.
|
||||||
|
(This requirement is not enforced for cgroups v1 hierarchies.)
|
||||||
.IP *
|
.IP *
|
||||||
If the cgroup v2 filesystem was mounted with the
|
If the cgroup v2 filesystem was mounted with the
|
||||||
.I nsdelegate
|
.I nsdelegate
|
||||||
|
|
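Review bot: In the added line "(This requirement is not enforced for cgroups v1 hierarchies.)", "This requirement" has an unclear antecedent, because the parenthetical follows the "Note that in some cases," sentence and not the sentence that states the rule. Suggest placing it directly after the requirement itself, or wording it explicitly, for example "(The requirement for write permission in the nearest common ancestor is not enforced for cgroups v1 hierarchies.)". It would also help to state the consequence for a delegated v1 subtree in one sentence, namely that this check does not restrict which cgroups a writer can move processes between, since the softened wording in the earlier hunk relies on this note to carry the security-relevant difference from v2.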