[systemd-devel] systemd move processes to user.slice cgroup after updating service configuration file

Lennart Poettering lennart at poettering.net
Wed Mar 23 08:53:36 UTC 2022


On Mi, 23.03.22 14:25, 吾为男子 (csrenren at qq.com) wrote:

> dear all experts,
>
> now we have such a problem:
>
> we need to update our systemd service configuration file,
>
> before updating, our service has already created some processes and
> make them attach to cgroup
> /system.slice/{our-service-name}.service/{our-service-sub-group},
> this is what we would expect,
>
> but, on some machines, sometimes, after we update our service
> configuration file, these processes as mentioned above,
> will be moved to /user.slice, this is what we do NOT
> expect, there is a certain probability that this will happen

Is it possible that said service invokes sudo or su or so, or in some
other way opens a PAM session? If so, this will migrate the calling
process into a per-session cgroup below user.slice.

What's the precise cgroup slice of one such occurrence?

> how to prevent this action from systemd? it will be a great honor
> for me to get your help, thanks.

Don't use sudo/su from scripts. If you need to acquire privileges from
a script, use util-linux' setpriv tool. It will change privileges for
you but without opening a PAM session, and thus without cgroup
migratory effect.

Lennart

--
Lennart Poettering, Berlin
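
Added example, not part of the original message and not systemd's own code: a shell sketch that reads the cgroup membership of a process from /proc/PID/cgroup and reports whether it still sits under the service's cgroup or has been moved below user.slice, plus a wrapper that drops privileges with setpriv instead of sudo/su. The unit name example.service, the sample cgroup lines and the helper names are assumptions constructed for illustration.

```shell
#!/bin/sh
# cgroup_path: read /proc/<pid>/cgroup content on stdin and print the path
# systemd tracks: the unified "0::" line if present, else "name=systemd" (v1).
cgroup_path() {
    awk -F: '
        { path = $3; for (i = 4; i <= NF; i++) path = path ":" $i }
        $1 == "0" && $2 == ""  { v2 = path }
        $2 == "name=systemd"   { v1 = path }
        END { print (v2 != "" ? v2 : v1) }
    '
}

# classify_cgroup PATH UNIT: "service" if PATH is the unit's cgroup or a
# sub-group of it, "migrated" if it is anywhere below /user.slice, else "other".
classify_cgroup() {
    case "$1" in
        /system.slice/"$2"|/system.slice/"$2"/*) echo service ;;
        /user.slice/*)                           echo migrated ;;
        *)                                       echo other ;;
    esac
}

# check_pid PID UNIT: classify a live process (needs a mounted /proc).
check_pid() {
    classify_cgroup "$(cgroup_path < "/proc/$1/cgroup")" "$2"
}

# run_as USER CMD...: hypothetical helper that changes uid/gid with
# util-linux setpriv, which does not open a PAM session (unlike sudo/su).
run_as() {
    user=$1; shift
    setpriv --reuid="$user" --regid="$(id -g "$user")" --init-groups "$@"
}

# Constructed samples: a worker in a service sub-group, and the same kind of
# process after a PAM session moved it into a per-session scope.
SAMPLE_OK='0::/system.slice/example.service/workers'
SAMPLE_MOVED='12:pids:/user.slice/user-1000.slice/session-42.scope
1:name=systemd:/user.slice/user-1000.slice/session-42.scope
0::/user.slice/user-1000.slice/session-42.scope'

for sample in "$SAMPLE_OK" "$SAMPLE_MOVED"; do
    p=$(printf '%s\n' "$sample" | cgroup_path)
    printf '%s -> %s\n' "$p" "$(classify_cgroup "$p" example.service)"
done
```

Running check_pid over the PIDs a service has spawned, before and after the configuration update, shows which of them were moved and gives the precise cgroup path asked for above.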

