[systemd-devel] Systemd, cgroupsv2, cgrulesengd, and nftables

Mikhail Morfikov mmorfikov at gmail.com
Fri Jun 14 08:06:34 UTC 2024


On 13/06/2024 10.27 pm, Lennart Poettering wrote:
> On Do, 13.06.24 21:38, Mikhail Morfikov (mmorfikov at gmail.com) wrote:
> 
>> I'm trying to make the 4 things (systemd, cgroupsv2, cgrulesengd, and nftables)
>> work together, but I think I'm missing something.
> 
> Is "cgrulesengd" interfering with the cgroup tree?
> 
> Sorry, but that's simply not supported. cgroupv2 has a single-writer
> rule, i.e. every part of the tree has only a single writer, a single
> manager. And you must delegate a subtree to other managers if a
> different manager shall also manage cgroups.
> 
> Hence, if you have something that just takes systemd managed processes
> and moves them elsewhere, it's simply not supported. Sorry, you voided
> your warranty.
> 
> Lennart
> 
> --
> Lennart Poettering, Berlin

I don't need any warranty, I need a way to make this work.

I'm not sure whether I understand the "single-writer rule", so correct me if I'm
wrong. I don't want to write pids to systemd services using cgrulesengd. I just
want to create my own cgroup tree, for instance /sys/fs/cgroup/morfikownia/ and I
want to place there all the processes managed by cgrulesengd (via the
/etc/cgrules.conf file). So systemd won't be touching anything inside
/sys/fs/cgroup/morfikownia/ and cgrulesengd won't be touching anything in the
rest of the cgroup tree -- is this the "single-writer rule"?

> And you must delegate a subtree to other managers if a
> different manager shall also manage cgroups.

How can this be done?
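
The single-writer rule quoted above, expressed as a check on planned process moves. This is an added example, not part of the original message and not systemd or libcgroup code; the delegated subtree /system.slice/cgrules.service, the PIDs and the cgroup paths are constructed assumptions.

```python
"""Added example: vet planned cgroup moves against the single-writer rule."""
from pathlib import PurePosixPath

# Assumption: the subtree systemd has delegated to the second manager
# (hypothetical unit name, not taken from the thread).
DELEGATED_ROOT = "/system.slice/cgrules.service"

# Constructed sample data in /proc/<pid>/cgroup format (cgroup v2: "0::<path>").
SAMPLE_PROC_CGROUP = {
    101: "0::/system.slice/cgrules.service/supervisor\n",
    202: "0::/user.slice/user-1000.slice/session-2.scope\n",
    303: "0::/system.slice/cgrules.service-extra/worker\n",
}


def parse_v2_path(proc_cgroup_text):
    """Return the unified-hierarchy path from /proc/<pid>/cgroup content."""
    for line in proc_cgroup_text.splitlines():
        hierarchy_id, controllers, path = line.split(":", 2)
        # The cgroup v2 entry has hierarchy id 0 and an empty controller list.
        if hierarchy_id == "0" and controllers == "":
            return path
    raise ValueError("no cgroup v2 entry found")


def is_inside(path, root):
    """True if path is root or below it, compared per path component."""
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents


def check_move(pid, destination, proc_cgroup=SAMPLE_PROC_CGROUP,
               root=DELEGATED_ROOT):
    """Classify a planned move of pid into the cgroup named destination."""
    source = parse_v2_path(proc_cgroup[pid])
    if not is_inside(destination, root):
        # Writing there would add a second writer to systemd's part of the tree.
        return "refuse: destination is outside the delegated subtree"
    if not is_inside(source, root):
        # Taking a systemd-managed process and moving it elsewhere.
        return "refuse: process is in a cgroup managed by systemd"
    return "ok"


if __name__ == "__main__":
    for pid, dest in [(101, DELEGATED_ROOT + "/browsers"), (202, "/morfikownia"),
                      (202, DELEGATED_ROOT + "/browsers")]:
        print(pid, dest, "->", check_move(pid, dest))
```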


