From: Lennart Poettering Date: Wed, 2 May 2018 12:23:45 +0000 (+0200) Subject: doc: document more carefully that tmpfs within the cgroupfs setup shouldn't confuse... X-Git-Tag: v239~305^2~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d11623e9c2b1a0413339a9475a1e308a5f5b8a4a;p=thirdparty%2Fsystemd.git doc: document more carefully that tmpfs within the cgroupfs setup shouldn't confuse statfs() checks --- diff --git a/doc/CGROUP_DELEGATION.md b/doc/CGROUP_DELEGATION.md index 412f0a5fa0e..212283fd73d 100644 --- a/doc/CGROUP_DELEGATION.md +++ b/doc/CGROUP_DELEGATION.md 
@@ -424,15 +424,16 @@ unified you (of course, I guess) need to provide only `/sys/fs/cgroup/` itself. cgroup tree of systemd itself is out of limits for you. It's fine to *read* from any attribute you like however. That's totally OK and welcome. -4. 🚫 When not using `CLONE_NEWCGROUP` when delegating a sub-tree to a container - payload running systemd, then don't get the idea that you can bind mount - only a sub-tree of the host's cgroup tree into the container. Part of the - cgroup API is that `/proc/$PID/cgroup` reports the cgroup path of every +4. 🚫 When not using `CLONE_NEWCGROUP` when delegating a sub-tree to a + container payload running systemd, then don't get the idea that you can bind + mount only a sub-tree of the host's cgroup tree into the container. Part of + the cgroup API is that `/proc/$PID/cgroup` reports the cgroup path of every process, and hence any path below `/sys/fs/cgroup/` needs to match what `/proc/$PID/cgroup` of the payload processes reports. What you can do safely - however, is mount the upper parts of the cgroup tree read-only or even - replace it with an intermediary `tmpfs`, as long as the path to the - delegated sub-tree remains accessible as-is. + however, is mount the upper parts of the cgroup tree read-only (or even + replace the middle bits with an intermediary `tmpfs` — but be careful not to + break the `statfs()` detection logic discussed above), as long as the path + to the delegated sub-tree remains accessible as-is. 5. ⚡ Currently, the algorithm for mapping between slice/scope/service unit naming and their cgroup paths is not considered public API of systemd, and
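Review bot: the new parenthetical in item 4 warns about "the `statfs()` detection logic discussed above" without saying where, so a reader landing on this item cannot tell which check is meant or what "break" looks like in practice; name the section (or the check) explicitly and state the failure concretely, e.g. "the delegated sub-tree itself must still be served by cgroupfs, so that `statfs()` on it reports cgroupfs rather than the intermediary `tmpfs`". "replace the middle bits" is also vaguer than the text it replaces ("replace it with an intermediary `tmpfs`"); "replace the intermediate directories between `/sys/fs/cgroup/` and the delegated sub-tree" would say what is allowed to be tmpfs and what is not, which is the whole point of the caveat.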