
Systemd controller does not work in user space with Delegate=yes services

Open ThrosturX opened this issue 8 years ago • 0 comments

According to the documentation for Systemd units, User= units should be able to control subhierarchies under their own control group path as long as they are Delegate=. I have been unable to get this functionality to work with this package.

Consider the following unit mattdaemon.service (remember to substitute $USER with a regular non-root user):

[Unit]
Description=User space delegate test

[Service]
Type=simple
Delegate=yes
User=$USER
ExecStart=/path/to/binary/failor

Assume /path/to/binary contains a binary built with go build from the following source code:

package main

import (
        "log"
        "os"

        "github.com/containerd/cgroups"
        specs "github.com/opencontainers/runtime-spec/specs-go"
)

func main() {
        // load the cgroup for "this" process -- since we assume we run in a Delegate=yes user unit,
        // we can only control subhierarchies beneath this control group
        unitGroup, err := cgroups.Load(cgroups.Systemd, cgroups.PidPath(os.Getpid()))
        if err != nil {
                log.Panicln("Load:", err)
        }

        // create a subgroup based on cgroup.Cgroups interface
        control, err := unitGroup.New("subway", &specs.LinuxResources{})
        if err != nil {
                // Interactive authentication required
                log.Panicln("New:", err)
        }
        /* if this were a unit test, we would continue by creating a process and adding it to our sub group */
        log.Println("Success!") // Only gets printed if Unit is run by root
        _ = control             // rest of code stubbed
}

Reproduce the bug by starting the unit:

$ sudo systemctl daemon-reload
$ sudo systemctl start mattdaemon.service
$ journalctl -xafe --unit=mattdaemon.service

Journal Output

Nov 03 11:58:55 devthrostur01 failor[23042]: 2017/11/03 11:58:55 New: Interactive authentication required.
Nov 03 11:58:55 devthrostur01 systemd[1]: mattdaemon.service: main process exited, code=exited, status=2/INVALIDARGUMENT
...

We can enable the functionality by removing the User= line from the systemd unit, but this should not be necessary as per the docs (man 5 systemd.resource-control) since we have enabled Delegate=yes.

ThrosturX, Nov 03 '17 12:11
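
A diagnostic for the setup described in the issue, added here as an example and not part of the original report or of the containerd/cgroups package: it parses `/proc/<pid>/cgroup` content to find the unit's cgroup path and checks whether that directory is owned by the current user. The `/system.slice/` path in the sample, the `/sys/fs/cgroup/systemd` mount point, and the helper names `unitCgroupPath` and `ownedBy` are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
	"syscall"
)

// Constructed /proc/<pid>/cgroup content for the unit above (cgroup v1 layout).
const sampleProcCgroup = `4:cpu,cpuacct:/system.slice/mattdaemon.service
1:name=systemd:/system.slice/mattdaemon.service
`

// unitCgroupPath returns the path recorded for one hierarchy ("name=systemd",
// "cpu", ...). An empty hierarchy selects the cgroup v2 line "0::<path>".
func unitCgroupPath(procCgroup, hierarchy string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(procCgroup))
	for sc.Scan() {
		// Line format: <id>:<controller list>:<path>; the path may contain ':'.
		f := strings.SplitN(sc.Text(), ":", 3)
		if len(f) != 3 {
			continue
		}
		for _, c := range strings.Split(f[1], ",") {
			if c == hierarchy {
				return f[2], nil
			}
		}
	}
	return "", fmt.Errorf("hierarchy %q not found", hierarchy)
}

// ownedBy reports whether dir belongs to uid, a precondition for an
// unprivileged service to create child cgroups there without root.
func ownedBy(dir string, uid int) (bool, error) {
	fi, err := os.Stat(dir)
	if err != nil {
		return false, err
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return false, fmt.Errorf("no ownership data for %s", dir)
	}
	return int(st.Uid) == uid, nil
}

func main() {
	p, _ := unitCgroupPath(sampleProcCgroup, "name=systemd")
	dir := "/sys/fs/cgroup/systemd" + p // assumed cgroup v1 mount point
	ok, err := ownedBy(dir, os.Getuid())
	fmt.Println(dir, "owned by current uid:", ok, err)
}
```

Run inside the service, the same functions can be fed the contents of `/proc/self/cgroup` instead of the constructed sample.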