Hello Tejun,
Here is my attempt to document dgroup v2 delegation using 'nsdelegate'.
Could you please take a look at the text and let me know if anything
needs fixing:
Cgroups v2 delegation: nsdelegate and cgroup namespaces
Starting with Linux 4.13, there is a second way to perform cgroup
delegation. This is done by mounting the cgroup v2 filesystem
with the nsdelegate mount option:
$ mount -t cgroup2 -o nsdelegate none /sys/fs/cgroup/unified
The effect of this option is to cause cgroup namespaces to auto‐
matically become delegation boundaries. More specifically, the
following restrictions apply for processes inside the cgroup
namespace:
* Writes to controller interface files in the root directory will
fail with the error EPERM. Processes inside the cgroup names‐
pace can still write to delegatable files such as cgroup.procs
and cgroup.subtree_control, and can create subhierarchy under‐
neath the root directory of the cgroup namespace.
* Attempts to migrate processes across the namespace boundary are
denied (with the error ENOENT). Processes inside the cgroup
namespace can still (subject to the containment rules described
below) move processes between cgroups within the subhierarchy
under the namespace root.
The ability to define cgroup namespaces as delegation boundaries
makes cgroup namespaces more useful. To understand why, suppose
that we already have one cgroup hierarchy that has been delegated
to a nonprivileged user, cecilia, using the older delegation tech‐
nique described above. Suppose further that cecilia wanted to
further delegate a subhierarchy under the existing delegated hier‐
archy. (For example, the delegated hierarchy might be associated
with an unprivileged container run by cecilia.) Even if a cgroup
namespace was employed, because both hierarchies are owned by the
unprivileged user cecilia, the following illegitimate actions
could be performed:
* A process in the inferior hierarchy could change the resource
controller settings in the root directory of the that hierar‐
chy. (These resource controller settings are intended to allow
control to be exercised from the parent cgroup; a process
inside the child cgroup should not be allowed to modify them.)
* A process inside the inferior hierarchy could move processes
into and out of the inferior hierarchy if the cgroups in the
superior hierarchy were somehow visible.
Employing the nsdelegate mount option prevents both of these pos‐
sibilities.
The nsdelegate mount option only has an effect when performed in
the initial mount namespace; in other mount namespaces, the option
is silently ignored.
Cheers,
Michael
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
--
To unsubscribe from this list: send the line "unsubscribe cgroups" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
