[PATCH v2] cgroup/cpuset: Clarify the delegation rules of partition

[PATCH v2] cgroup/cpuset: Clarify the delegation rules of partition

[Waiman Long]

Creation of remote partition is currently not allowed without privilege.
On the other hand, creation of local partition is allowed without
privilege as long as its parent is also a partition root.

The current setup allows a delegator to delegate an exclusive set of
CPUs to the delegatee by making the root of a delegated sub-hierarchy
a partition root. The delegatee is then allowed to create a local
sub-partition underneath it if necessary. Creation of a remote
partition is not currently allowed across delegation boundary without
privilege. Clarify the partition delegation rules by stating the current
behavior in cgroup-v2.rst file.

Signed-off-by: Waiman Long <longman@redhat.com>
---
 Documentation/admin-guide/cgroup-v2.rst | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/Documentation/admin-guide/cgroup-v2.rst b/Documentation/admin-guide/cgroup-v2.rst
index 6efd0095ed99..5b4ebde6fffe 100644
--- a/Documentation/admin-guide/cgroup-v2.rst
+++ b/Documentation/admin-guide/cgroup-v2.rst
@@ -2599,8 +2599,7 @@ Cpuset Interface Files
 
   cpuset.cpus.partition
 	A read-write single value file which exists on non-root
-	cpuset-enabled cgroups.  This flag is owned by the parent cgroup
-	and is not delegatable.
+	cpuset-enabled cgroups.
 
 	It accepts only the following input values when written to.
 
@@ -2708,6 +2707,15 @@ Cpuset Interface Files
 	their parent is switched back to a partition root with a proper
 	value in "cpuset.cpus" or "cpuset.cpus.exclusive".
 
+	This file is owned by the parent cgroup and is not delegatable.
+	The delegator can delegate an exclusive set of CPUs to the
+	delegatee by making the root of a delegated sub-hierarchy a
+	partition root. The delegatee is then allowed to create a local
+	sub-partition underneath it if needed. The delegator should
+	not set "cpuset.cpus.exclusive" at the root without making it
+	a partition root as the creation of remote partition is not
+	allowed without privilege.
+
 	Poll and inotify events are triggered whenever the state of
 	"cpuset.cpus.partition" changes.  That includes changes caused
 	by write to "cpuset.cpus.partition", cpu hotplug or other
-- 
2.53.0

Re: [PATCH v2] cgroup/cpuset: Clarify the delegation rules of partition

[Michal Koutný]

[-- Attachment #1: Type: text/plain, Size: 1355 bytes --]

On Tue, Apr 28, 2026 at 02:09:35PM -0400, Waiman Long <longman@redhat.com> wrote:
> Creation of remote partition is currently not allowed without privilege.
> On the other hand, creation of local partition is allowed without
> privilege as long as its parent is also a partition root.
> 
> The current setup allows a delegator to delegate an exclusive set of
> CPUs to the delegatee by making the root of a delegated sub-hierarchy
> a partition root. The delegatee is then allowed to create a local
> sub-partition underneath it if necessary. Creation of a remote
> partition is not currently allowed across delegation boundary without
> privilege. Clarify the partition delegation rules by stating the current
> behavior in cgroup-v2.rst file.
> 
> Signed-off-by: Waiman Long <longman@redhat.com>
> ---
>  Documentation/admin-guide/cgroup-v2.rst | 12 ++++++++++--
>  1 file changed, 10 insertions(+), 2 deletions(-)

After Tejun pointed out that other generic paragraph:
| This means that the controller interface files - anything which
| doesn't start with "cgroup." are owned by the parent rather than the
| cgroup itself.

I think the extra words may only increase confusion (and constrain
generic changes). So it was a good exercise but nothing needs to be
necessarily changed regarding this behaivor or its docs.

Michal

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 265 bytes --]

Re: [PATCH v2] cgroup/cpuset: Clarify the delegation rules of partition

[Waiman Long]

On 4/30/26 3:46 PM, Michal Koutný wrote:
> On Tue, Apr 28, 2026 at 02:09:35PM -0400, Waiman Long <longman@redhat.com> wrote:
>> Creation of remote partition is currently not allowed without privilege.
>> On the other hand, creation of local partition is allowed without
>> privilege as long as its parent is also a partition root.
>>
>> The current setup allows a delegator to delegate an exclusive set of
>> CPUs to the delegatee by making the root of a delegated sub-hierarchy
>> a partition root. The delegatee is then allowed to create a local
>> sub-partition underneath it if necessary. Creation of a remote
>> partition is not currently allowed across delegation boundary without
>> privilege. Clarify the partition delegation rules by stating the current
>> behavior in cgroup-v2.rst file.
>>
>> Signed-off-by: Waiman Long <longman@redhat.com>
>> ---
>>   Documentation/admin-guide/cgroup-v2.rst | 12 ++++++++++--
>>   1 file changed, 10 insertions(+), 2 deletions(-)
> After Tejun pointed out that other generic paragraph:
> | This means that the controller interface files - anything which
> | doesn't start with "cgroup." are owned by the parent rather than the
> | cgroup itself.
>
> I think the extra words may only increase confusion (and constrain
> generic changes). So it was a good exercise but nothing needs to be
> necessarily changed regarding this behaivor or its docs.

That is fine. This doc change is optional and I agree that we may want 
more flexibility in case we change the behavior in the future.

Cheers,
Longman