From a931ad47a8623163a29d898224d8a8c1177ffdaf Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 5 Nov 2014 17:57:23 +0100
Subject: core: introduce new Delegate=yes/no property controlling creation of cgroup subhierarchies

For privileged units this resource control property ensures that the processes have all controllers systemd manages enabled.

For unprivileged services (those with User= set) this ensures that access rights to the service cgroup are granted to the user in question, to create further subgroups. Note that this only applies to the name=systemd hierarchy though, as access to other controllers is not safe for unprivileged processes.

Delegate=yes should be set for container scopes where a systemd instance inside the container shall manage the hierarchies below its own cgroup and have access to all controllers.

Delegate=yes should also be set for user@.service, so that systemd --user can run, controlling its own cgroup tree.

This commit changes machined, systemd-nspawn@.service and user@.service to set this boolean, in order to ensure that container management will just work, and the user systemd instance can run fine.
---
 man/systemd.resource-control.xml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'man/systemd.resource-control.xml')

diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml
index 968b328dd9..218946d4ee 100644
--- a/man/systemd.resource-control.xml
+++ b/man/systemd.resource-control.xml
@@ -394,6 +394,20 @@ along with systemd; If not, see . + + Delegate= + + + Turns on delegation of further resource control + partitioning to processes of the unit. For unpriviliged + services (i.e. those using the User= + setting) this allows processes to create a subhierarchy + beneath its control group path. For priviliged services and + scopes this ensures the processes will have all control + group controllers enabled. + + +
--
cgit v1.2.3-54-g00ecf
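
Review bot: The sentence on unprivileged services (those using User=) in the new Delegate= entry leaves out the restriction the commit message states: the grant applies only to the name=systemd hierarchy, because access to other controllers is not safe for unprivileged processes. A reader who sees only the man page could take Delegate=yes to mean that a User= service gains write access to the resource controllers, so that limit belongs in the documented text, right after "beneath its control group path". The entry also never says that the setting takes a boolean or what its default is, although the subject line describes it as Delegate=yes/no; one sentence giving the argument type and the default would close that gap. Minor: "unpriviliged" and "priviliged" should be "unprivileged" and "privileged", and "beneath its control group path" should read "beneath their control group path", since the subject is "processes".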