[systemd-devel] Systemd, cgroupsv2, cgrulesengd, and nftables

Mikhail Morfikov mmorfikov at gmail.com
Fri Jun 14 15:49:05 UTC 2024


On 14/06/2024 5.26 pm, Demi Marie Obenour wrote:
> On Fri, Jun 14, 2024 at 10:06:34AM +0200, Mikhail Morfikov wrote:
>> On 13/06/2024 10.27 pm, Lennart Poettering wrote:
>>> On Do, 13.06.24 21:38, Mikhail Morfikov (mmorfikov at gmail.com) wrote:
>>>
>>>> I'm trying to make the 4 things (systemd, cgroupsv2, cgrulesengd, and nftables)
>>>> work together, but I think I'm missing something.
>>>
>>> Is "cgrulesengd" interfering with the cgroup tree?
>>>
>>> Sorry, but that's simply not supported. cgroupv2 has a single-writer
>>> rule, i.e. every part of the tree has only a single writer, a single
>>> manager. And you must delegate a subtree to other managers if a
>>> different manager shall also manage cgroups.
>>>
>>> Hence, if you have something that just takes systemd managed processes
>>> and moves them elsewhere, it's simply not supported. Sorry, you voided
>>> your warranty.
>>>
>>> Lennart
>>>
>>> --
>>> Lennart Poettering, Berlin
>>
>> I don't need any warranty, I need a way to make this work.
> 
> I don't know anything about cgrulesengd, but from your post it seems
> that it relies on scanning all processes and moving them to cgroups
> based on information about them.  This isn't compatible with systemd.
> There are a few options that will work:
> 
> 1. Change cgrulesengd to use systemd's D-Bus API to manage cgroups.
> 2. Run everything in a container that doesn't use systemd.
> 3. Stop using cgrulesengd, and instead use systemd units to define
>     cgroups.  Then use other approaches (such as wrapper scripts) to
>     ensure that programs are launched in the correct systemd units.


There's no way I'm going to wrap every command in systemd's service/unit
file...

The question isn't really whether cgrulesengd + systemd is supported or
not, but why the terminal apps have issues. GUI apps work well and the
network packets of all the GUI apps can be matched in nftables based on
the cgroup path. So the setup works well except for the terminal apps.
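The thread turns on two mechanics: a process's cgroup v2 path decides whether an nftables `socket cgroupv2` rule matches its sockets, and systemd expects processes to be placed in that tree through its own units rather than moved by an outside daemon. The following shell helpers are an added example, written for this page and not code from any message in the thread, systemd or nftables. They read a cgroup path out of `/proc/<pid>/cgroup` text, check whether it lies under the subtree an nft rule names (the first thing to verify for a terminal app whose packets are not matched), emit that rule in nft syntax, and build the `systemd-run` launcher line that option 3 above describes. All cgroup paths, slice names and commands below are constructed sample values.

```shell
# Added example, not from any message in the thread. Helper functions for the
# checks a practitioner would run on this setup: read a process's cgroup v2
# path, compare it against the cgroup an nftables rule expects, build that
# rule in nft syntax, and build the systemd-run launcher line that option 3
# above describes. All paths, slice and unit names below are constructed.

# cgroup_v2_path FILE_CONTENTS
# Extract the cgroup v2 path from the text of /proc/<pid>/cgroup. On a
# unified hierarchy the file holds a single line of the form "0::/path";
# on a hybrid system the v1 controller lines ("12:devices:/...") are skipped.
cgroup_v2_path() {
    printf '%s\n' "$1" | sed -n 's/^0:://p'
}

# cgroup_prefix PATH DEPTH
# First DEPTH components of PATH without the leading slash, i.e. the
# ancestor at that depth (a slice or service rather than a single scope).
cgroup_prefix() {
    printf '%s\n' "${1#/}" | cut -d/ -f1-"$2"
}

# is_under_cgroup PATH ANCESTOR
# Succeeds when PATH equals ANCESTOR or lies below it. This is the check to
# run on a process whose packets an nft cgroupv2 rule fails to match: if it
# fails, the process was placed outside the subtree the rule names.
is_under_cgroup() {
    case "${1#/}/" in
        "${2#/}/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# nft_cgroup_rule PATH VERDICT
# Emit an nft rule matching sockets whose cgroup v2 ancestor at the given
# depth is PATH. "socket cgroupv2 level N" compares the socket's ancestor
# cgroup at depth N, so N must equal the number of components in PATH.
nft_cgroup_rule() {
    path=${1#/}
    level=$(printf '%s\n' "$path" | awk -F/ '{ print NF }')
    printf 'socket cgroupv2 level %s "%s" %s\n' "$level" "$path" "$2"
}

# systemd_run_cmd SLICE COMMAND...
# Launcher line for the wrapper-script approach: start COMMAND as a
# transient scope in SLICE of the user manager so that it lands in a
# predictable cgroup path that an nft rule can name.
systemd_run_cmd() {
    slice=$1
    shift
    printf 'systemd-run --user --scope --slice=%s -- %s\n' "$slice" "$*"
}

# Constructed sample input, in /proc/<pid>/cgroup format.
SAMPLE_GUI_CGROUP='0::/user.slice/user-1000.slice/user@1000.service/app.slice/app-browser.slice/app-browser-1234.scope'
SAMPLE_TERM_CGROUP='0::/user.slice/user-1000.slice/session-2.scope'
RULE_CGROUP='/user.slice/user-1000.slice/user@1000.service/app.slice'

for sample in "$SAMPLE_GUI_CGROUP" "$SAMPLE_TERM_CGROUP"; do
    p=$(cgroup_v2_path "$sample")
    if is_under_cgroup "$p" "$RULE_CGROUP"; then
        echo "matched by rule:   $p"
    else
        echo "outside rule path: $p"
    fi
done
nft_cgroup_rule "$RULE_CGROUP" accept
systemd_run_cmd app-browser.slice firefox --new-window
```

On a live system the input to `cgroup_v2_path` is `$(cat /proc/<pid>/cgroup)` for the process in question; comparing that against the path your nft rule names shows immediately whether the rule can match at all. In the constructed samples the browser scope sits under `app.slice` and is matched, while the shell session scope sits directly under the user slice and is not, which is the kind of difference between GUI and terminal processes that a rule keyed on `app.slice` would expose.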


More information about the systemd-devel mailing list