man: document "Delegate=" a bit more

This case is a bit surprising, even if logical if one understands how the parser works. Let's be more explicit. Follow-up for 7b3693e4e4.
2025-09-17 21:45:36 +03:00 · 2023-03-14 12:27:37 +01:00
parent 3a36d19938
commit 449172f943
2 changed files with 20 additions and 18 deletions
--- a/man/systemd.resource-control.xml
+++ b/man/systemd.resource-control.xml
@@ -96,8 +96,8 @@
      system.slice                       user.slice
        /       \                          /      \
       /         \                        /        \
-      /           \              user@0.service   user@1000.service
+      /           \              user@42.service  user@1000.service
-     /             \             Delegate=yes     Delegate=yes
+     /             \             Delegate=        Delegate=yes
 a.service       b.slice                             /        \
 CPUWeight=20   DisableControllers=cpu              /          \
                 /  \                      app.slice      session.slice
@@ -115,7 +115,9 @@ CPUWeight=20   DisableControllers=cpu              /          \
        <filename>user@1000.service</filename>. Assuming that there is no futher configuration of resources
        or delegation below slices <filename>app.slice</filename> or <filename>session.slice</filename>, the
        <option>cpu</option> controller would not be enabled for units in those slices and CPU resources
-        would be further allocated using other mechanisms, e.g. based on nice levels.</para>
+        would be further allocated using other mechanisms, e.g. based on nice levels. The manager for user
        42 has delegation enabled without any controllers, i.e. it can manipulate its subtree of the cgroup
        hierarchy, but without resource control.</para>
        <para>In the slice <filename>system.slice</filename>, CPU resources are split 1:6 for service
        <filename>a.service</filename>, and 5:6 for slice <filename>b.slice</filename>, because slice
@@ -1153,19 +1155,19 @@ DeviceAllow=/dev/loop-control
          <para>When enabled the service manager will refrain from manipulating control groups or moving
          processes below the unit's control group, so that a clear concept of ownership is established: the
-          control group tree above the unit's control group (i.e. towards the root control group) is owned
+          control group tree at the level of the unit's control group and above (i.e. towards the root
-          and managed by the service manager of the host, while the control group tree below the unit's
+          control group) is owned and managed by the service manager of the host, while the control group
-          control group is owned and managed by the unit itself.</para>
+          tree below the unit's control group is owned and managed by the unit itself.</para>
-          <para>Takes either a boolean argument or a list of control group controller names. If true,
+          <para>Takes either a boolean argument or a (possibly empty) list of control group controller names.
-          delegation is turned on, and all supported controllers are enabled for the unit, making them
+          If true, delegation is turned on, and all supported controllers are enabled for the unit, making
-          available to the unit's processes for management. If false, delegation is turned off entirely (and
+          them available to the unit's processes for management. If false, delegation is turned off entirely
-          no additional controllers are enabled). If set to a list of controllers, delegation is turned on,
+          (and no additional controllers are enabled). If set to a list of controllers, delegation is turned
-          and the specified controllers are enabled for the unit. Note that additional controllers other than
+          on, and the specified controllers are enabled for the unit. Assigning the empty string will enable
          the ones specified might be made available as well, depending on configuration of the containing
          slice unit or other units contained in it. Note that assigning the empty string will enable
          delegation, but reset the list of controllers, and all assignments prior to this will have no
-          effect. Defaults to false.</para>
+          effect. Note that additional controllers other than the ones specified might be made available as
          well, depending on configuration of the containing slice unit or other units contained in it.
          Defaults to false.</para>
          <para>Note that controller delegation to less privileged code is only safe on the unified control
          group hierarchy. Accordingly, access to the specified controllers will not be granted to
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -3978,12 +3978,12 @@ int config_parse_delegate(
                return 0;
        }
-        /* We either accept a boolean value, which may be used to turn on delegation for all controllers, or turn it
+        /* We either accept a boolean value, which may be used to turn on delegation for all controllers, or
-         * off for all. Or it takes a list of controller names, in which case we add the specified controllers to the
+         * turn it off for all. Or it takes a list of controller names, in which case we add the specified
-         * mask to delegate. */
+         * controllers to the mask to delegate. Delegate= enables delegation without any controllers. */
        if (isempty(rvalue)) {
-                /* An empty string resets controllers and set Delegate=yes. */
+                /* An empty string resets controllers and sets Delegate=yes. */
                c->delegate = true;
                c->delegate_controllers = 0;
                return 0;