I've noticed it's possible to set permissions and other parameters of root control group, i.e. the group which is implicitly created on mount and contains all processes.
Admin can use '.' as the group name and he/she can set group's parameters as usual. I am not sure it's a bug or feature, I've just documented current behavior on appropriate man page. Signed-off-by: Jan Safranek <[email protected]> --- doc/man/cgconfig.conf.5 | 101 +++++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 100 insertions(+), 1 deletions(-) diff --git a/doc/man/cgconfig.conf.5 b/doc/man/cgconfig.conf.5 index 6ea149a..9dfd8e0 100644 --- a/doc/man/cgconfig.conf.5 +++ b/doc/man/cgconfig.conf.5 @@ -84,8 +84,16 @@ Name of the control group. It can contain only characters, which are allowed for directory names. The groups form a tree, i.e. a control group can contain zero or more subgroups. Subgroups can be specified using '/' delimiter. + +The root control group is always created automatically in all hierarchies +and it is the base of the group hierarchy. It can be explicitly specified in +.B cgconfig.conf +file by using '.' as group name. This can be used e.g. to set its permissions, +as shown in Example 5. + When the parent control group of a subgroup is not specified, then it is created automatically. + .TP .B permissions Permissions of the given control group on mounted filesystem. @@ -406,7 +414,6 @@ mkdir /mnt/cgroups/cpu/daemons/www mkdir /mnt/cgroups/cpu/daemons/ftp .fi .RE - Group .I daemons is created in both hierarchies. In @@ -427,6 +434,98 @@ hierarchy and are not controlled by .I cpuacct subsystem. +.SS Example 5 +.LP +The configuration file: +.LP +.RS +.nf +mount { +.RS +cpu = /mnt/cgroups/cpu; +cpuacct = /mnt/cgroups/cpu; +.RE +} + +group . { +.RS +perm { +.RS +task { +.RS +uid = root; +gid = operator; +.RE +} +admin { +.RS +uid = root; +gid = operator; +.RE +} +.RE +} +cpu { +} +.RE +} + +group daemons { +.RS +perm { +.RS +task { +.RS +uid = root; +gid = daemonmaster; +.RE +} +admin { +.RS +uid = root; +gid = operator; +.RE +} +.RE +} +cpu { +} +.RE +} +.RE +.fi +creates the hierarchy controlled by two subsystems with one group with some +special permissions. +It corresponds to following operations: +.LP +.RS +.nf +mkdir /mnt/cgroups/cpu +mount -t cgroup -o cpu,cpuacct cpu /mnt/cgroups/cpu + +chown root:operator /mnt/cgroups/cpu/* +chown root:operator /mnt/cgroups/cpu/tasks + +mkdir /mnt/cgroups/cpu/daemons +chown root:operator /mnt/cgroups/cpu/daemons/* +chown root:daemonmaster /mnt/cgroups/cpu/daemons/tasks +.fi +.RE + +Users, which are members of the +.I operator +group are allowed to administe the control groups, i.e. create new control +groups and can move processes between these groups without having root +priviledges. + +Members of +.I daemonmaster +group can move processes to +.I daemons +control group, but they can not move the process out of the group. Only +.I operator +or root can do that. + .SH RECOMMENDATIONS .SS Keep hierarchies separated Having multiple hierarchies is perfectly valid and can be useful ------------------------------------------------------------------------------ Create and Deploy Rich Internet Apps outside the browser with Adobe(R)AIR(TM) software. With Adobe AIR, Ajax developers can use existing skills and code to build responsive, highly engaging applications that combine the power of local resources and data with the reach of the web. Download the Adobe AIR SDK and Ajax docs to start building applications today-http://p.sf.net/sfu/adobe-com _______________________________________________ Libcg-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/libcg-devel
