[systemd-devel] Systemd, cgroupsv2, cgrulesengd, and nftables

Andrei Borzenkov arvidjaar at gmail.com
Sat Jun 15 06:15:33 UTC 2024


On 14.06.2024 18:49, Mikhail Morfikov wrote:
> On 14/06/2024 5.26 pm, Demi Marie Obenour wrote:
>> On Fri, Jun 14, 2024 at 10:06:34AM +0200, Mikhail Morfikov wrote:
>>> On 13/06/2024 10.27 pm, Lennart Poettering wrote:
>>>> On Do, 13.06.24 21:38, Mikhail Morfikov (mmorfikov at gmail.com) wrote:
>>>>
>>>>> I'm trying to make the 4 things (systemd, cgroupsv2, cgrulesengd, and nftables)
>>>>> work together, but I think I'm missing something.
>>>>
>>>> Is "cgrulesengd" interfering with the cgroup tree?
>>>>
>>>> Sorry, but that's simply not supported. cgroupv2 has a single-writer
>>>> rule, i.e. every part of the tree has only a single writer, a single
>>>> manager. And you must delegate a subtree to other managers if a
>>>> different manager shall also manage cgroups.
>>>>
>>>> Hence, if you have something that just takes systemd managed processes
>>>> and moves them elsewhere, it's simply not supported. Sorry, you voided
>>>> your warranty.
>>>>
>>>> Lennart
>>>>
>>>> --
>>>> Lennart Poettering, Berlin
>>>
>>> I don't need any warranty, I need a way to make this work.
>>
>> I don't know anything about cgrulesengd, but from your post it seems
>> that it relies on scanning all processes and moving them to cgroups
>> based on information about them.  This isn't compatible with systemd.
>> There are a few options that will work:
>>
>> 1. Change cgrulesengd to use systemd's D-Bus API to manage cgroups.
>> 2. Run everything in a container that doesn't use systemd.
>> 3. Stop using cgrulesengd, and instead use systemd units to define
>>      cgroups.  Then use other approaches (such as wrapper scripts) to
>>      ensure that programs are launched in the correct systemd units.
> 
> 
> There's no way I'm going to wrap every command in systemd's service/unit
> file...
> 
> The question isn't really whether cgrulesengd + systemd is supported or
> not, but why the terminal apps have issues. GUI apps work well and the
> network packets of all the GUI apps can be matched in nftables based on
> the cgroup path. So the setup works well except for the terminal apps.

It is still unclear why you are asking this on the systemd list. From your 
description it sounds like a race condition between cgrulesengd and 
netfilter. GUI apps generally are "heavier" and take more time to 
start up, which may explain it. The best place to ask would be 
cgrulesengd. If you have any evidence that systemd somehow interferes 
here, you did not present it.

Otherwise there is such a project as

https://github.com/mk-fg/systemd-cgroup-nftables-policy-manager

which dynamically adds nftables rules to match systemd cgroups (well, in 
principle it can match anything). It could be combined with "systemd-run 
--scope" or similar to place commands in specific scopes that will be 
matched by netfilter.
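Added example (not from this thread, nor from the systemd-cgroup-nftables-policy-manager project): the "systemd-run --scope" approach from the message above, worked through as a POSIX shell script. It places a command in a transient scope under a dedicated slice and builds an nftables rule that matches that scope's traffic with "socket cgroupv2 level N", where N must equal the number of path components. The slice name netmatch.slice, unit name netmatch-demo, table name cgdemo and the curl command are made-up demo values; applying the ruleset and creating the scope need root, systemd and an nft/kernel pair that supports cgroupv2 socket matching, so the script only prints the ruleset unless CGDEMO_APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): run a command in a named
# transient systemd scope and match its traffic in nftables by cgroupv2 path.
# Slice, unit and table names are invented for the demo.
set -eu

# Turn a cgroup path into the nftables match for it. "socket cgroupv2 level N"
# compares the first N components of the process's cgroup path, so the level
# must equal the number of components in the path we want to match exactly.
nft_cgroup_match() {
    cg="$1"                                  # e.g. netmatch.slice/netmatch-demo.scope
    level=$(printf '%s\n' "$cg" | awk -F/ '{print NF}')
    printf 'socket cgroupv2 level %s "%s"' "$level" "$cg"
}

# Unified-hierarchy cgroup of a live PID, read from /proc/<pid>/cgroup
# ("0::/a/b.scope" -> "a/b.scope").
cgroup_of_pid() {
    sed -n 's|^0::/||p' "/proc/$1/cgroup"
}

# Same parsing applied to one constructed line, so it can be checked offline.
parse_cgroup_line() {
    printf '%s\n' "$1" | sed -n 's|^0::/||p'
}

# Complete ruleset: count and log egress packets from the given cgroup only.
ruleset_for_cgroup() {
    cat <<EOF
table inet cgdemo {
    chain out {
        type filter hook output priority 0; policy accept;
        $(nft_cgroup_match "$1") counter log prefix "cgdemo: "
    }
}
EOF
}

SLICE=netmatch.slice
UNIT=netmatch-demo
SCOPE_CG="$SLICE/$UNIT.scope"   # path the system manager gives this scope

echo "# 1. start the command inside its own scope (root + systemd required):"
echo "#    systemd-run --scope --slice=$SLICE --unit=$UNIT curl -sI https://example.org"
echo "# 2. ruleset that matches exactly that scope:"
ruleset_for_cgroup "$SCOPE_CG"

# Loading the rules before starting the scope avoids the ordering problem the
# thread discusses: the process is in its cgroup before it execs, and the rule
# is already present when its first packet leaves.
if [ "${CGDEMO_APPLY:-0}" = 1 ]; then
    ruleset_for_cgroup "$SCOPE_CG" | nft -f -
    systemd-run --scope --slice="$SLICE" --unit="$UNIT" \
        sh -c 'echo "running in cgroup: $(sed -n "s|^0::/||p" /proc/self/cgroup)"; curl -sI https://example.org >/dev/null'
    nft list table inet cgdemo
fi
```

cgroup_of_pid can be pointed at any PID to confirm where a process actually landed, which is the quickest way to tell a wrong path in the rule from a rule that never saw the traffic; the counter in the chain answers the second question directly.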

