[systemd-devel] Systemd, cgrupsv2, cgrulesengd, and nftables

Andrei Borzenkov arvidjaar at gmail.com
Sat Jun 15 12:27:05 UTC 2024


On 15.06.2024 14:02, Mikhail Morfikov wrote:
> 
> But there's no curl pids in /sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/cgroup.procs .
> To be more specific, there's no pids at all in this cgroup.procs file. The curl pids are under
> 
> #  cat /sys/fs/cgroup/morfikownia/user/curl/pids.current
> 1
> 
> #  cat /sys/fs/cgroup/morfikownia/user/curl/cgroup.procs
> 44907
> 
> And this cgroup path (morfikownia/user/curl/) is permitted in nftables, and
> yet packets sometimes are visible like they had user.slice/user-1000.slice/user@1000.service/
> path set. Why?

Because curl starts in this hierarchy and attempts network connection 
before your daemon moves curl into different cgroup. It is just as good a 
stab in the dark as any other.
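A small diagnostic for the race described above, added here as an example (it is not code from the thread or from cgrulesengd): it spawns a command, polls /proc/<pid>/cgroup and reports how long the child sat outside the cgroup that the nftables rule permits. It assumes a cgroup v2 (unified) hierarchy; the permitted path /morfikownia/user/curl is the one from the thread, and the 1 ms polling interval and 5 s timeout are arbitrary choices.

```python
"""Measure the window between a process starting and a rule daemon
(e.g. cgrulesengd) moving it into its target cgroup.  Added example,
not from the original thread; assumes cgroup v2."""
import subprocess
import sys
import time
from typing import Optional


def parse_cgroup_v2_path(proc_cgroup_text: str) -> Optional[str]:
    """Return the unified-hierarchy path from /proc/<pid>/cgroup text.

    On cgroup v2 the file contains a single line '0::/path'.  On a hybrid
    system the v1 controller lines ('N:controller:/path') are skipped.
    """
    for line in proc_cgroup_text.splitlines():
        fields = line.split(":", 2)
        if len(fields) == 3 and fields[0] == "0" and fields[1] == "":
            return fields[2]
    return None


def is_within(path: str, allowed: str) -> bool:
    """True if `path` equals `allowed` or is a descendant cgroup of it."""
    allowed = "/" + allowed.strip("/")
    if allowed == "/":          # root cgroup covers everything
        return True
    return path == allowed or path.startswith(allowed + "/")


def watch_migration(pid: int, allowed: str, timeout: float = 5.0,
                    interval: float = 0.001) -> Optional[float]:
    """Poll /proc/<pid>/cgroup until the process sits under `allowed`.

    Returns the seconds elapsed (the window in which a connect() would be
    classified under the *original* cgroup), or None if the process exited
    or was not migrated before the timeout.
    """
    start = time.monotonic()
    while time.monotonic() - start < timeout:
        try:
            with open(f"/proc/{pid}/cgroup") as f:
                path = parse_cgroup_v2_path(f.read())
        except FileNotFoundError:      # child already gone
            return None
        if path is not None and is_within(path, allowed):
            return time.monotonic() - start
        time.sleep(interval)
    return None


if __name__ == "__main__":
    # usage: python3 cgwatch.py /morfikownia/user/curl curl -s https://example.invalid/
    allowed_cgroup, command = sys.argv[1], sys.argv[2:]
    child = subprocess.Popen(command)
    delay = watch_migration(child.pid, allowed_cgroup)
    child.wait()
    if delay is None:
        print("child exited or timed out before reaching", allowed_cgroup)
    else:
        print(f"child reached {allowed_cgroup} after {delay * 1000:.1f} ms")
```

A reported delay of even a few milliseconds is enough for a short-lived client such as curl to issue its connect() while still in user@1000.service, which is exactly what the nftables counters would show.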
