[systemd-devel] Cgroup limits for user processes

Lennart Poettering lennart at poettering.net
Fri Apr 24 09:35:33 PDT 2015

On Wed, 18.02.15 12:48, Mikhail Morfikov (mmorfikov at gmail.com) wrote:

Sorry for the late reply, still working on keeping up with the piles
of mail that queued up.

> What is the best way to set cgroup limits for user processes? I mean the
> individual processes. I know that you can set limits for user.slice, but
> how to set limits for, let's say, firefox?

We simply do not support this right now. Unprivileged users do not get
access to the cgroup properties of the various controllers right
now, simply because this is unsafe.

We can open this up one day, bit by bit, but this requires some kernel
work, and an OK from Tejun that this is safe.

> BTW, one more thing. Is there a way to set a mark for network packets
> using unit services? I really need this feature, but I couldn't find
> any useful information on this subject.

Daniel is working on adding native support for this via the net_cls
cgroup controller, but in the process he noticed that the kernel
support for this is actually quite broken, and there's work now going
on to fix the kernel first.


Lennart

