[systemd-devel] Delegate v1 cgroup controller permissions

[John Lane]

I have a service which runs as an unprivileged user (User=foo) with
delegated cgroup (Delegate=true) that wants to use the "memory" and
"cpu" controllers. Systemd is using the hybrid mode with both v1 and v2
cgroups, and the controllers are assigned to the v1 groups.

Before I can use the "cpu" or "memory" cgroups I have to force the
permissions of them because the delegated permissions are only applied
in the unified hierarchy.

Doing this requires root which is a problem because we don't want to
give this service root permissions.

I have read https://systemd.io/CGROUP_DELEGATION and note that the
hybrid mode "is a stopgap" and "has no future" but I am forced to use it
because the distros that we have to use (fedora) are set up that way (I
have yet to see any system use the unified v2 mode exclusively). So I'm
having to bother with hybrid mode even though I don't have enough free
time ;)

I have read in the same article that delegation "won’t pass ownership of
the legacy controller hierarchies" and "think twice before delegating
cgroup v1 controllers to less privileged containers."

I get that it isn't the preferred mechanism with systemd but we just
want to manage access to resources (cpu and memory) allocated to
subtasks from within our application.

So is there a way to tell systemd (or some other way) to set the v1
cgroup permissions so they are usable by the delegated user without
having to give the user process root privileges ?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pEpkey.asc
Type: application/pgp-keys
Size: 16919 bytes
Desc: not available
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20190619/14b6d26c/attachment-0001.key>