mirror of https://github.com/systemd/systemd.git synced 2024-10-27 18:55:40 +03:00

doc: recommend GetUnitByControlGroup() in the docs

Lennart Poettering 2018-04-25 13:36:06 +02:00
parent 267dd427da
commit 3ee9b2f6e7


@ -431,7 +431,17 @@ unified you (of course, I guess) need to provide only `/sys/fs/cgroup/` itself.
replace it with an intermediary `tmpfs`, as long as the path to the replace it with an intermediary `tmpfs`, as long as the path to the
delegated sub-tree remains accessible as-is. delegated sub-tree remains accessible as-is.
5. ⚡ Think twice before delegating cgroupsv1 controllers to less privileged 5. ⚡ Currently, the algorithm for mapping between slice/scope/service unit
naming and their cgroup paths is not considered public API of systemd, and
may change in future versions. This means: it's best to avoid implementing a
local logic of translating cgroup paths to slice/scope/service names in your
program, or vice versa — it's likely going to break sooner or later. Use the
appropriate D-Bus API calls for that instead, so that systemd translates
this for you. (Specifically: each Unit object has a `ControlGroup` property
to get the cgroup for a unit. The method `GetUnitByControlGroup()` may be
used to get the unit for a cgroup.)
6. ⚡ Think twice before delegating cgroupsv1 controllers to less privileged
containers. It's not safe, you basically allow your containers to freeze the containers. It's not safe, you basically allow your containers to freeze the
system with that and worse. Delegation is a strongpoint of cgroupsv2 though, system with that and worse. Delegation is a strongpoint of cgroupsv2 though,
and there it's safe to treat delegation boundaries as privilege boundaries. and there it's safe to treat delegation boundaries as privilege boundaries.
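
Review bot: The parenthetical closing the new item 5 names the `ControlGroup` property and the `GetUnitByControlGroup()` method but does not say which D-Bus object or interface carries either, so a reader still has to look that up before they can follow the advice. Suggest stating it in the text: `GetUnitByControlGroup()` is a method on the Manager object, and `ControlGroup` is read from the unit's type-specific interface (service, scope, slice) rather than the generic Unit interface. It would also help to say what the caller should expect when the cgroup path belongs to no unit, since programs replacing their own path parsing with this call need to handle that case. Minor wording: "implementing a local logic of translating" reads awkwardly; "implementing your own logic for translating" is clearer.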