[systemd-devel] Systemd, cgroupsv2, cgrulesengd, and nftables
Michal Koutný
mkoutny at suse.com
Mon Jun 17 15:20:01 UTC 2024
Hello.
On Sat, Jun 15, 2024 at 04:49:33PM GMT, Andrei Borzenkov <arvidjaar at gmail.com> wrote:
> ...
> Which does not really solve the problem. So, once again:
>
> - nftables allows filtering based on the cgroupv2 path
> - the cgroupv2 path is resolved at the time the rule is processed. It is impossible
> to configure a rule for a future cgroup
Can nftables accept a non-leaf cgroup? (Of a .slice unit)
> So, no mantra about one ring to rule them all is going to help here as long
> as none of the following is possible
>
> - systemd (which puts processes in cgroups) will also add a corresponding
> nftables rule that refers to this new transient cgroup
I think systemd comes with its own filtering based on BPF (see
systemd.resource-control(5), "Network Accounting and Control"), or see
NFTSet= in the same section; does that solve the issue?
> - or-
>
> - systemd allows pre-creation of cgroups and *atomic* placement of processes
> in them
systemd places processes either via the clone-migrate-exec or the
clone(CLONE_INTO_CGROUP) idiom, so the newly exec'd process starts in
the desired cgroup.
This is utilized with the .slice unit above (but it must be "pinned"
into existence with some sibling unit).
(Migrating already running processes with their runtime state is nothing
I'd recommend.)
Michal
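The clone(CLONE_INTO_CGROUP) idiom Michal refers to, as an added example that is not code from the thread or from systemd: the child is created directly as a member of a pre-created cgroup v2 directory, so a firewall rule keyed on that cgroup path applies from the child's first instruction, with no fork-then-migrate window. It assumes Linux 5.7 or newer with cgroup v2 mounted, a caller that opened the target cgroup directory (e.g. with open(path, O_RDONLY | O_DIRECTORY)) and has permission to write to that cgroup's cgroup.procs; the struct and constant names are local copies of the kernel ABI, not the uapi header names.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <sys/syscall.h>
#include <sys/vfs.h>
#include <unistd.h>

#ifndef __NR_clone3
#define __NR_clone3 435                   /* clone3 has this number on every arch */
#endif
#define CLONE_INTO_CGROUP_FLAG 0x200000000ULL  /* CLONE_INTO_CGROUP, Linux >= 5.7 */
#define CGROUP2_MAGIC 0x63677270UL        /* CGROUP2_SUPER_MAGIC from <linux/magic.h> */

/* Local copy of the kernel's struct clone_args (CLONE_ARGS_SIZE_VER2 layout, 88 bytes). */
struct clone3_args {
    uint64_t flags, pidfd, child_tid, parent_tid, exit_signal,
             stack, stack_size, tls, set_tid, set_tid_size, cgroup;
};

/* 1 if fd is a directory on a cgroup v2 filesystem, else 0 with errno set. */
int is_cgroup2_dir(int fd)
{
    struct statfs sfs;
    if (fstatfs(fd, &sfs) != 0)
        return 0;                         /* errno from fstatfs, e.g. EBADF */
    if ((unsigned long)sfs.f_type != CGROUP2_MAGIC) {
        errno = EINVAL;
        return 0;
    }
    return 1;
}

/* Create a child that is born inside the cgroup behind cgroup_fd and exec argv.
 * Returns the child's PID, or -1 with errno set; the child never runs outside
 * the cgroup, unlike fork followed by a write to cgroup.procs. */
pid_t spawn_in_cgroup(int cgroup_fd, char *const argv[])
{
    if (!is_cgroup2_dir(cgroup_fd))
        return -1;
    struct clone3_args args = { .flags = CLONE_INTO_CGROUP_FLAG,
                                .exit_signal = SIGCHLD, .cgroup = (uint64_t)cgroup_fd };
    long pid = syscall(__NR_clone3, &args, sizeof args);
    if (pid == 0) {                       /* child: already a member of the target cgroup */
        execvp(argv[0], argv);
        _exit(127);
    }
    return (pid_t)pid;
}
```

Pin the target cgroup into existence first (the thread's "sibling unit" trick, or mkdir under /sys/fs/cgroup), then match it with an nftables cgroupv2 rule; the child inherits that membership at birth.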