From d11623e9c2b1a0413339a9475a1e308a5f5b8a4a Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 2 May 2018 14:23:45 +0200 Subject: [PATCH] doc: document more carefully that tmpfs within the cgroupfs setup shouldn't confuse statfs() checks --- doc/CGROUP_DELEGATION.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/doc/CGROUP_DELEGATION.md b/doc/CGROUP_DELEGATION.md index 412f0a5fa0e..212283fd73d 100644 --- a/doc/CGROUP_DELEGATION.md +++ b/doc/CGROUP_DELEGATION.md 
@@ -424,15 +424,16 @@ unified you (of course, I guess) need to provide only `/sys/fs/cgroup/` itself. cgroup tree of systemd itself is out of limits for you. It's fine to *read* from any attribute you like however. That's totally OK and welcome. -4. 🚫 When not using `CLONE_NEWCGROUP` when delegating a sub-tree to a container - payload running systemd, then don't get the idea that you can bind mount - only a sub-tree of the host's cgroup tree into the container. Part of the - cgroup API is that `/proc/$PID/cgroup` reports the cgroup path of every +4. 🚫 When not using `CLONE_NEWCGROUP` when delegating a sub-tree to a + container payload running systemd, then don't get the idea that you can bind + mount only a sub-tree of the host's cgroup tree into the container. Part of + the cgroup API is that `/proc/$PID/cgroup` reports the cgroup path of every process, and hence any path below `/sys/fs/cgroup/` needs to match what `/proc/$PID/cgroup` of the payload processes reports. What you can do safely - however, is mount the upper parts of the cgroup tree read-only or even - replace it with an intermediary `tmpfs`, as long as the path to the - delegated sub-tree remains accessible as-is. + however, is mount the upper parts of the cgroup tree read-only (or even + replace the middle bits with an intermediary `tmpfs` — but be careful not to + break the `statfs()` detection logic discussed above), as long as the path + to the delegated sub-tree remains accessible as-is. 5. ⚡ Currently, the algorithm for mapping between slice/scope/service unit naming and their cgroup paths is not considered public API of systemd, and
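Review bot: the new parenthetical in item 4 ("be careful not to break the `statfs()` detection logic discussed above") is too vague to act on; a container manager reading this rule needs to know which mount points must still report cgroupfs to `statfs()` and which may be `tmpfs`. Suggest naming the check concretely, e.g. "the intermediary `tmpfs` must not sit at the path the `statfs()` check discussed above inspects, and the delegated sub-tree must still be a real cgroupfs mount", or at least linking to the section heading that describes the check. Also, "replace the middle bits with an intermediary `tmpfs`" is looser than the text it replaces ("replace it with an intermediary `tmpfs`", where "it" was the upper parts); say plainly which levels of the hierarchy may be replaced (the parents of the delegated sub-tree, not the sub-tree itself). Minor: the rewrap of the first five lines of the item is pure reflow mixed with a content change, which makes the substantive edit (the last four lines) hard to spot in the diff; keeping the original wrapping, or splitting the reflow into its own commit, would make review easier.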