[systemd-devel] Systemd cgroup setup issue in containers

Lewis Gaul lewis.gaul at gmail.com
Fri Sep 29 11:37:08 UTC 2023


>  Wouldn't it be better to have the container inform the host via
NOTIFY_SOCKET (the Type=notify mechanism)? I believe systemd has had
support for sending readiness notifications from init to a container
manager for quite a while.

> Use the notify socket and you'll get a notification back when the
container is ready, without having to inject anything

To be clear, I'm not looking for alternative solutions for my specific
example, I was raising the general architectural issue.

On Fri, 29 Sept 2023 at 12:06, Luca Boccassi <luca.boccassi at gmail.com>
wrote:

> On Fri, 29 Sept 2023 at 12:00, Lewis Gaul <lewis.gaul at gmail.com> wrote:
> >
> > Hi systemd team,
> >
> > I've encountered an issue when running systemd inside a container using
> cgroups v2, where if a container exec process is created at the wrong
> moment during early startup then systemd will fail to move all processes
> into a child cgroup, and therefore fail to enable controllers due to the
> "no internal processes" rule introduced in cgroups v2. In other words, a
> systemd container is started and very soon after a process is created via
> e.g. 'podman exec systemd-ctr cmd', where the exec process is placed in the
> container's namespaces (although not a child of the container's PID 1).
> This is not a totally crazy thing to be doing - this was hit when testing a
> systemd container, using a container exec "probe" to check when the
> container is ready.
>
> Use the notify socket and you'll get a notification back when the
> container is ready, without having to inject anything
>
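The race Lewis describes is easiest to see with a model of the one kernel rule involved. In cgroups v2 a non-root cgroup cannot enable domain controllers in cgroup.subtree_control while it still holds processes (the write fails with EBUSY); only the real root cgroup is exempt. Inside a cgroup namespace the container's cgroup is presented as "/", but the kernel still treats it as non-root, so PID 1 in a container must first move every process into a child (systemd uses init.scope) and only then enable controllers. Anything that lands in the container's cgroup between the snapshot and the write, such as a `podman exec` process, makes the write fail. The following is an added example written for this page, not systemd or podman code: the cgroup tree is an in-memory stand-in, the container cgroup name "/libpod-ctr" and the PIDs are made up, and the retrying variant is an illustration of one way to sweep stragglers, not a description of what systemd does.

```python
"""Model of the cgroups v2 'no internal processes' rule and the
container-exec race.  Constructed example: the cgroup tree below is a
toy, not the kernel, and models exactly one rule (EBUSY on
cgroup.subtree_control while the cgroup has processes)."""
import errno


class FakeCgroupV2:
    """In-memory stand-in for a cgroup v2 subtree (constructed)."""

    def __init__(self):
        self.procs = {"/": set()}            # path -> pids (cgroup.procs)
        self.subtree_control = {"/": set()}  # path -> enabled controllers

    def mkdir(self, path):
        self.procs.setdefault(path, set())
        self.subtree_control.setdefault(path, set())

    def read_procs(self, path):
        """Point-in-time view, like reading the real cgroup.procs file."""
        return sorted(self.procs[path])

    def write_procs(self, path, pid):
        """Migrate pid into `path` (writing a pid to cgroup.procs)."""
        for members in self.procs.values():
            members.discard(pid)
        self.procs[path].add(pid)

    def write_subtree_control(self, path, controllers):
        """Enable controllers for children; only "/" may keep processes."""
        if path != "/" and self.procs[path]:
            raise OSError(errno.EBUSY, "cgroup has processes", path)
        self.subtree_control[path] |= set(controllers)


def naive_init(cg, root, child, controllers, exec_hook=None):
    """Move every process once, then enable controllers.
    `exec_hook` models a runtime placing an exec process into the
    container cgroup after the snapshot.  Returns True on success."""
    cg.mkdir(child)
    for pid in cg.read_procs(root):
        cg.write_procs(child, pid)
    if exec_hook:
        exec_hook()
    try:
        cg.write_subtree_control(root, controllers)
    except OSError as e:
        if e.errno == errno.EBUSY:
            return False
        raise
    return True


def retrying_init(cg, root, child, controllers, exec_hook=None, max_rounds=5):
    """Illustrative mitigation (an assumption of this example, not what
    systemd does): on EBUSY, re-read cgroup.procs and sweep again."""
    cg.mkdir(child)
    for _ in range(max_rounds):
        for pid in cg.read_procs(root):
            cg.write_procs(child, pid)
        if exec_hook:
            hook, exec_hook = exec_hook, None   # the race fires once
            hook()
        try:
            cg.write_subtree_control(root, controllers)
            return True
        except OSError as e:
            if e.errno != errno.EBUSY:
                raise
    return False


def scenario(init_fn):
    """Container cgroup with PID 1 and one early child; an exec process
    (pid 42) arrives between the snapshot and the subtree_control write.
    Returns (enabled?, pids left in container root, pids in init.scope)."""
    cg = FakeCgroupV2()
    ctr = "/libpod-ctr"                      # hypothetical; "/" inside the cgroupns
    cg.mkdir(ctr)
    cg.write_procs(ctr, 1)                   # container PID 1 (systemd)
    cg.write_procs(ctr, 7)                   # an early child of PID 1

    def late_exec():                         # 'podman exec ctr cmd'
        cg.write_procs(ctr, 42)

    ok = init_fn(cg, ctr, ctr + "/init.scope", {"memory", "pids"}, late_exec)
    return ok, cg.read_procs(ctr), cg.read_procs(ctr + "/init.scope")


if __name__ == "__main__":
    print("single sweep:", scenario(naive_init))      # (False, [42], [1, 7])
    print("retrying:    ", scenario(retrying_init))   # (True, [], [1, 7, 42])
```

The model leaves out the mirror-image constraint (once subtree_control is non-empty, migrating a process into that cgroup is refused), which is why the sweep has to complete before the write rather than after it. On a real host you can watch the same rule by reading cgroup.procs and cgroup.subtree_control under /sys/fs/cgroup for the container's cgroup while it starts.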