Skip to content

Commit c2389c3

Browse files
vbattsvbatts
authored
Merge pull request #1123 from frasertweedale/cgroup-ownership
specify cgroup ownership semantics
2 parents a3c33d6 + f4ef391 commit c2389c3

1 file changed

Lines changed: 45 additions & 0 deletions

File tree

config-linux.md

Lines changed: 45 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -196,6 +196,51 @@ For example, to run a new process in an existing container without updating limi
196196

197197
Runtimes MAY attach the container process to additional cgroup controllers beyond those necessary to fulfill the `resources` settings.
198198

199+
### Cgroup ownership
200+
201+
Runtimes MAY, according to the following rules, change (or cause to
202+
be changed) the owner of the container's cgroup to the host uid that
203+
maps to the value of `process.user.uid` in the [container
204+
namespace](glossary.md#container-namespace); that is, the user that
205+
will execute the container process.
206+
207+
Runtimes SHOULD NOT change the ownership of container cgroups when
208+
cgroups v1 is in use. Cgroup delegation is not secure in cgroups
209+
v1.
210+
211+
A runtime SHOULD NOT change the ownership of a container cgroup
212+
unless it will also create a new cgroup namespace for the container.
213+
Typically this occurs when the `linux.namespaces` array contains an
214+
object with `type` equal to `"cgroup"` and `path` unset.
215+
216+
Runtimes SHOULD change the cgroup ownership if and only if the
217+
cgroup filesystem is to be mounted read/write; that is, when the
218+
configuration's `mounts` array contains an object where:
219+
220+
- The `source` field is equal to `"cgroup"`
221+
- The `destination` field is equal to `"/sys/fs/cgroup"`
222+
- The `options` field does not contain the value `"ro"`
223+
224+
If the configuration does not specify such a mount, the runtime
225+
SHOULD NOT change the cgroup ownership.
226+
227+
A runtime that changes the cgroup ownership SHOULD only change the
228+
ownership of the container's cgroup directory and files within that
229+
directory that are listed in `/sys/kernel/cgroup/delegate` (see
230+
`cgroups(7)` for details about this file). If the
231+
`/sys/kernel/cgroup/delegate` file does not exist, the runtime MUST
232+
fall back to using the following list of files:
233+
234+
```
235+
cgroup.procs
236+
cgroup.subtree_control
237+
cgroup.threads
238+
```
239+
240+
The runtime SHOULD NOT change the ownership of any other files.
241+
Changing other files may allow the container to elevate its own
242+
resource limits or perform other unwanted behaviour.
243+
199244
### Example
200245

201246
```json

0 commit comments

Comments
 (0)