core: add DelegateSubgroup= setting

This implements a minimal subset of #24961, but in a lot more restrictive way: we only allow one level of subcgroup (as that's enough to address the no-processes in inner cgroups rule), and does not change anything about threaded cgroup logic or similar, or make any of this new behaviour mandatory. All this does is this: all non-control processes we invoke for a unit we'll invoke in a subgroup by the specified name. We'll later port all our current services that use cgroup delegation over to this, i.e. user@.service, systemd-nspawn@.service and systemd-udevd.service.
author: Lennart Poettering <lennart@poettering.net> 2023-04-21 18:22:35 +0200
committer: Lennart Poettering <lennart@poettering.net> 2023-04-27 12:18:32 +0200
commit: a8b993dc11319292c54b301f3faffc4a05ab5ec1 (patch)
tree: a5397671b291b436283716adee1ea3668c405714 /man
parent: 1a56b0c05dc14fa91f0de24f230d9b9f35cc5b05 (diff)
download: systemd-a8b993dc11319292c54b301f3faffc4a05ab5ec1.tar.gz
2 files changed, 56 insertions, 4 deletions
diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml
index e462c60636..f2e892671a 100644
--- a/man/org.freedesktop.systemd1.xml
+++ b/man/org.freedesktop.systemd1.xml
@@ -2713,6 +2713,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly as DelegateControllers = ['...', ...];
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly s DelegateSubgroup = '...';
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b CPUAccounting = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUWeight = ...;
@@ -3942,6 +3944,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
 
     <variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="DelegateSubgroup"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="CPUAccounting"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="CPUWeight"/>
@@ -4544,6 +4548,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
       memory controller is reached. It will take into consideration limits on all parent slices, other than the
       limits set on the unit itself.</para>
 
+      <para><varname>DelegateSubgroup</varname> contains the cgroup subgroup to place invoked unit processes
+      in. As configured by the option of the same name in unit files. This is set to the empty string when it
+      does not apply or no subgroup has been configured.</para>
+
       <para><varname>RuntimeDirectorySymlink</varname>, <varname>StateDirectorySymlink</varname>,
       <varname>CacheDirectorySymlink</varname> and  <varname>LogsDirectorySymlink</varname> respectively
       implement the destination parameter of the unit files settings <varname>RuntimeDirectory</varname>,
@@ -4715,6 +4723,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly as DelegateControllers = ['...', ...];
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly s DelegateSubgroup = '...';
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b CPUAccounting = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUWeight = ...;
@@ -5936,6 +5946,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
 
     <variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="DelegateSubgroup"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="CPUAccounting"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="CPUWeight"/>
@@ -6588,6 +6600,8 @@ node /org/freedesktop/systemd1/unit/home_2emount {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly as DelegateControllers = ['...', ...];
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly s DelegateSubgroup = '...';
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b CPUAccounting = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUWeight = ...;
@@ -7655,6 +7669,8 @@ node /org/freedesktop/systemd1/unit/home_2emount {
 
     <variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="DelegateSubgroup"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="CPUAccounting"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="CPUWeight"/>
@@ -8434,6 +8450,8 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly as DelegateControllers = ['...', ...];
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly s DelegateSubgroup = '...';
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b CPUAccounting = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUWeight = ...;
@@ -9473,6 +9491,8 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
 
     <variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="DelegateSubgroup"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="CPUAccounting"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="CPUWeight"/>
@@ -10111,6 +10131,8 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly as DelegateControllers = ['...', ...];
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly s DelegateSubgroup = '...';
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b CPUAccounting = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUWeight = ...;
@@ -10456,6 +10478,8 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
 
     <variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="DelegateSubgroup"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="CPUAccounting"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="CPUWeight"/>
@@ -10656,6 +10680,8 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly as DelegateControllers = ['...', ...];
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly s DelegateSubgroup = '...';
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b CPUAccounting = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUWeight = ...;
@@ -11051,6 +11077,8 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
 
     <variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="DelegateSubgroup"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="CPUAccounting"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="CPUWeight"/>
diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml
index f4e4a492a0..610c11feb3 100644
--- a/man/systemd.resource-control.xml
+++ b/man/systemd.resource-control.xml
@@ -1148,10 +1148,11 @@ DeviceAllow=/dev/loop-control
         <term><varname>Delegate=</varname></term>
 
         <listitem>
-          <para>Turns on delegation of further resource control partitioning to processes of the unit. Units where this
-          is enabled may create and manage their own private subhierarchy of control groups below the control group of
-          the unit itself. For unprivileged services (i.e. those using the <varname>User=</varname> setting) the unit's
-          control group will be made accessible to the relevant user.</para>
+          <para>Turns on delegation of further resource control partitioning to processes of the unit. Units
+          where this is enabled may create and manage their own private subhierarchy of control groups below
+          the control group of the unit itself. For unprivileged services (i.e. those using the
+          <varname>User=</varname> setting) the unit's control group will be made accessible to the relevant
+          user.</para>
 
           <para>When enabled the service manager will refrain from manipulating control groups or moving
           processes below the unit's control group, so that a clear concept of ownership is established: the
@@ -1189,6 +1190,29 @@ DeviceAllow=/dev/loop-control
       </varlistentry>
 
       <varlistentry>
+        <term><varname>DelegateSubgroup=</varname></term>
+
+        <listitem>
+          <para>Place unit processes in the specified subgroup of the unit's control group. Takes a valid
+          control group name (not a path!) as parameter, or an empty string to turn this feature
+          off. Defaults to off. The control group name must be usable as filename and avoid conflicts with
+          the kernel's control group attribute files (i.e. <filename>cgroup.procs</filename> is not an
+          acceptable name, since the kernel exposes a native control group attribute file by that name). This
+          option has no effect unless control group delegation is turned on via <varname>Delegate=</varname>,
+          see above. Note that this setting only applies to "main" processes of a unit, i.e. for services to
+          <varname>ExecStart=</varname>, but not for <varname>ExecReload=</varname> and similar. If
+          delegation is enabled, the latter are always placed inside a subgroup named
+          <filename>.control</filename>. The specified subgroup is automatically created (and potentially
+          ownership is passed to the unit's configured user/group) when a process is started in it.</para>
+
+          <para>This option is useful to avoid manually moving the invoked process into a subgroup after it
+          has been started. Since no processes should live in inner nodes of the control group tree it's
+          almost always necessary to run the main ("supervising") process of a unit that has delegation
+          turned on in a subgroup.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term><varname>DisableControllers=</varname></term>
 
         <listitem>
author	Lennart Poettering <lennart@poettering.net>	2023-04-21 18:22:35 +0200
committer	Lennart Poettering <lennart@poettering.net>	2023-04-27 12:18:32 +0200
commit	a8b993dc11319292c54b301f3faffc4a05ab5ec1 (patch)
tree	a5397671b291b436283716adee1ea3668c405714 /man
parent	1a56b0c05dc14fa91f0de24f230d9b9f35cc5b05 (diff)
download	systemd-a8b993dc11319292c54b301f3faffc4a05ab5ec1.tar.gz