[systemd-devel] Regression in v40? User session inside a unit.

[Colin Guthrie]

Hi,

Not sure if this is an intended regression or not but a user reported a
problem to me recently which I thought was a little strange. It's maybe
been fixed already in newer versions (we were in a beta semi-freeze and
I've been on holiday so not updated to v43 yet but will do soon).

Anyway the problem was the unit was run as root (no User=) but that
ultimately ran a perl script that then invoked su to switch to the
apache user. While this is obviously not needed (better to use
User=apache), it did result in the user session cgroup
(name=systemd:/user/apache/c59) overriding the unit cgroup
(name=systemd:/system/zoneminder.service) and thus systemd could no
longer "see" the processes the service started (and thus didn't kill
them on systemctl stop zoneminder.service)

If using su is all that is needed to "escape" the unit cgroup, then it
could be a little bit ambiguous for a user trying to find all processes
started by a given service.

Hopefully, this has been fixed already, or perhaps documented somewhere
I missed (I didn't see it in
http://www.freedesktop.org/wiki/Software/systemd/PaxControlGroups)

Perhaps user sessions should be kept under name=logind cgroup tree
rather than reusing name=systemd? That would avoid the problem (although
it could still mean that such spawed processes get killed off if some
config options like kill-session-processes=1 are set I guess, but that
would be the same as currently I suppose).

Col


-- 

Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/