The cgroup manager (cgmanager) provides a D-Bus service allowing programs and users to administer cgroups without needing direct knowledge of or access to the cgroup filesystem. For requests from tasks in the same namespaces as the manager, the manager can directly perform the needed security checks to ensure that requests are legitimate. For other requests - such as those from a task in a container - enhanced D-Bus requests must be made, where process-, user- and group-ids are passed as SCM_CREDENTIALS, so that the kernel maps the identifiers to their global host values.
To facilitate the use of simple D-Bus calls from all users, a 'cgroup manager proxy' (cgproxy) is started automatically when running in a container. The proxy accepts standard D-Bus requests from tasks in the same namespaces as itself and converts them to SCM-enhanced D-Bus requests, which it passes on to the cgmanager.
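The kernel-level mechanism behind those SCM-enhanced requests, as an added illustration (this is not cgmanager or cgproxy code): a sender attaches its pid, uid and gid to a message as SCM_CREDENTIALS over an AF_UNIX socket, the kernel checks the claimed identifiers against the sender's real identity (refusing a forged uid with EPERM unless the sender holds CAP_SETUID in its user namespace), and the receiver sees the identifiers translated into its own namespaces. The socketpair and the payload below are constructed for the demonstration; a real proxy would send over the manager's socket instead.

```python
import errno
import os
import socket
import struct

# Linux delivers SCM_CREDENTIALS as struct ucred { pid_t pid; uid_t uid; gid_t gid; }:
# a signed int followed by two unsigned ints, in native byte order.
UCRED_FMT = "iII"
UCRED_SIZE = struct.calcsize(UCRED_FMT)


def own_credentials():
    """The caller's real (pid, uid, gid), i.e. what an honest sender attaches."""
    return (os.getpid(), os.getuid(), os.getgid())


def is_unprivileged():
    """True when running without root, so forged credentials are expected to be refused."""
    return os.geteuid() != 0


def send_with_credentials(sock, payload, pid=None, uid=None, gid=None):
    """Send payload with an SCM_CREDENTIALS control message attached.

    Fields left as None default to the caller's own identity. The kernel compares
    the claimed values with the sender's real credentials and fails the sendmsg
    with EPERM unless the sender holds CAP_SYS_ADMIN (pid) or CAP_SETUID/CAP_SETGID
    (uid/gid) in its namespace; an id with no mapping in the user namespace gives EINVAL.
    """
    creds = struct.pack(
        UCRED_FMT,
        os.getpid() if pid is None else pid,
        os.getuid() if uid is None else uid,
        os.getgid() if gid is None else gid,
    )
    return sock.sendmsg([payload], [(socket.SOL_SOCKET, socket.SCM_CREDENTIALS, creds)])


def recv_with_credentials(sock, bufsize=4096):
    """Receive one message; return (payload, (pid, uid, gid)) or (payload, None).

    The receiving socket must have SO_PASSCRED enabled. The identifiers arrive as
    the receiver's pid and user namespaces see them, which is the translation a
    manager on the host relies on for requests coming from a container.
    """
    data, ancdata, _flags, _addr = sock.recvmsg(bufsize, socket.CMSG_SPACE(UCRED_SIZE))
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            return data, struct.unpack(UCRED_FMT, cdata[:UCRED_SIZE])
    return data, None


def credential_pair():
    """Constructed AF_UNIX datagram pair with credential passing enabled on the receiver."""
    sender, receiver = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    receiver.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
    return sender, receiver


def roundtrip(payload):
    """Send payload with the caller's true credentials; return what the receiver saw."""
    sender, receiver = credential_pair()
    try:
        send_with_credentials(sender, payload)
        return recv_with_credentials(receiver)
    finally:
        sender.close()
        receiver.close()


def forged_credentials_rejected(uid):
    """Claim a uid that is not ours; True if the kernel refused the message."""
    sender, receiver = credential_pair()
    try:
        send_with_credentials(sender, b"request", uid=uid)
    except OSError as exc:
        return exc.errno in (errno.EPERM, errno.EINVAL)
    else:
        return False
    finally:
        sender.close()
        receiver.close()


if __name__ == "__main__":
    print("receiver saw:", roundtrip(b"constructed request"))
    print("forged uid rejected:", forged_credentials_rejected(own_credentials()[1] + 1))
```

Because the kernel, not the receiver, performs this check, a manager that trusts the credentials it receives is trusting the kernel's verification rather than the client's claim; that is what lets cgmanager answer requests from tasks in other namespaces without reading any container-supplied identity fields directly.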
A simple example of creating a new cgroup in which to run a cpu-intensive compile would look like:

    cgm create cpuset build1
    cgm movepid cpuset build1 $$
    cgm setvalue cpuset build1 cpuset.cpus 1
    make