[systemd-devel] Systemd, cgrupsv2, cgrulesengd, and nftables
Mikhail Morfikov
mmorfikov at gmail.com
Sat Jun 15 15:00:56 UTC 2024
On 15/06/2024 4.37 pm, Andrei Borzenkov wrote:
> Not really. nftables checks the *socket* cgroup, not the *process* cgroup. The socket may have been created while the process was in the old cgroup.
>
> I do not know whether the kernel attempts to also move all process sockets to the new cgroup. I suspect not, but that is most certainly a question for the kernel folks.
Hmm, that would make sense.
I think I have to look for a place to ask this question, because
if that were the case and they changed the behavior, it would
probably fix the issue.
>
> See my other response about atomically placing a process to some pre-existing cgroup from the very beginning.
>
Yes, I saw it, but to be honest, at the moment I have no idea what
to do with it :)
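An added example, not code from this thread or from systemd, nftables or cgrulesengd: a small audit script that makes the socket-versus-process cgroup distinction visible. It assumes a unified (v2) cgroup hierarchy, that `ss -e` prints each socket's cgroup as `cgroup:/path`, and that `/proc/<pid>/cgroup` carries the process's current cgroup on its `0::` line. It pairs the two, reports every socket whose recorded cgroup differs from its owner's current one (those are the sockets an `socket cgroupv2` rule still classifies by the old cgroup after a move), and prints the nft match expression for the socket's cgroup. The `nft_cgroup_match` helper and the sample `ss` lines are constructed for illustration.

```python
"""Report sockets whose cgroup no longer matches their owning process.

nftables' `socket cgroupv2` match classifies traffic by the cgroup that was
recorded when the *socket* was created. A process moved to another cgroup
afterwards (for example by cgrulesengd) keeps its existing sockets attributed
to the old cgroup, so rules keyed on the new cgroup miss that traffic.
"""
import re
import subprocess
from pathlib import Path

PID_RE = re.compile(r"pid=(\d+)")
SOCKET_CGROUP_RE = re.compile(r"\bcgroup:(\S+)")


def parse_proc_cgroup(text):
    """Return the cgroup v2 path from the contents of /proc/<pid>/cgroup.

    On the unified hierarchy the file holds one line of the form '0::/path'.
    Returns None on a pure cgroup v1 system (no '0::' line).
    """
    for line in text.splitlines():
        if line.count(":") < 2:
            continue
        hierarchy_id, controllers, path = line.split(":", 2)
        if hierarchy_id == "0" and controllers == "":
            return path
    return None


def process_cgroup(pid, proc=Path("/proc")):
    """Current cgroup of a live process, or None if it is gone/unreadable."""
    try:
        return parse_proc_cgroup((proc / str(pid) / "cgroup").read_text())
    except OSError:
        return None


def parse_ss_line(line):
    """Extract (socket cgroup path, set of owning pids) from one `ss -e` line.

    A socket shared by several processes lists them all in users:(...), so a
    set of pids is returned. (None, set()) means the line carries no cgroup.
    """
    match = SOCKET_CGROUP_RE.search(line)
    if not match:
        return None, set()
    return match.group(1), {int(p) for p in PID_RE.findall(line)}


def find_stale_sockets(ss_output, cgroup_of_pid):
    """Return (pid, socket_cgroup, process_cgroup, ss_line) for every socket
    whose recorded cgroup differs from its owner's current cgroup.

    `cgroup_of_pid` is injected so the logic can run over captured output.
    """
    stale = []
    for line in ss_output.splitlines():
        socket_cg, pids = parse_ss_line(line)
        if socket_cg is None:
            continue
        for pid in pids:
            proc_cg = cgroup_of_pid(pid)
            if proc_cg is not None and proc_cg != socket_cg:
                stale.append((pid, socket_cg, proc_cg, line.strip()))
    return stale


def nft_cgroup_match(cgroup_path):
    """Hypothetical helper: the nft expression matching sockets created in
    `cgroup_path`. nft takes the path without the leading '/' and a level
    equal to its depth, e.g. `socket cgroupv2 level 2 "user.slice/foo"`.
    """
    relative = cgroup_path.strip("/")
    if not relative:
        raise ValueError("root cgroup has no level to match on")
    level = len(relative.split("/"))
    return f'socket cgroupv2 level {level} "{relative}"'


if __name__ == "__main__":
    # Live run: -H no header, -t/-u tcp+udp, -n numeric, -a all states,
    # -p owning processes, -e extended info (includes the cgroup field).
    ss_out = subprocess.run(["ss", "-Htunape"], capture_output=True,
                            text=True, check=True).stdout
    for pid, socket_cg, proc_cg, _ in find_stale_sockets(ss_out, process_cgroup):
        print(f"pid {pid}: socket recorded in {socket_cg}, process now in {proc_cg}")
        print(f"  nft still matches it with: {nft_cgroup_match(socket_cg)}")
```

Run it as root after cgrulesengd has moved a process: any socket the process opened before the move shows up with its original cgroup, which is exactly the cgroup the nftables rule sees. Restarting the process (so its sockets are created inside the new cgroup) makes the entry disappear.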