[QUESTION] Cgroup namespace and cgroup v2

I am in the process of adding automated cgroup v2 testing to
libcgroup and ran into an unsatisfactory user experience when
using cgroup v2 and cgroup namespaces.

I used lxc to create a container on a cgroup v2 system.  lxc
uses cgroup namespaces to remap /sys/fs/cgroup/mycontainer/ on
the host to /sys/fs/cgroup/ within the container.  Within the
container, I then created a cgroup - /sys/fs/cgroup/MyCgroup/ and
placed a long-running process in it.  (Note that as part of the
container creation, there are other cgroups in /sys/fs/cgroup/.)

I then used cgdelete to recursively delete the MyCgroup/ folder.
In recursive mode, cgdelete will move processes from a child
cgroup to its parent.  But this fails on a cgroup v2 system in a
cgroup namespace because the root cgroup is a non-leaf cgroup.

A couple questions/thoughts:

* As outlined above, the behavior of the "root" cgroup in a cgroup
  namespace on a v2 system differs from the behavior of the
  unnamespaced root cgroup.  At best this is inconsistent; at worst,
  this may leak information to an unethical program.  Any ideas how
  we can make the behavior more consistent for the user and
  libcgroup?

* I will likely add a flag to cgdelete to simply kill processes in
  a cgroup rather than try and move them to the parent cgroup.
  Moving processes to the parent cgroup is somewhat challenging
  even in a cgroup v1 system due to permissions, etc.

tl;dr - I can't move a process to the root cgroup within a cgroup
        v2 cgroup namespace because its "root" is a non-leaf cgroup

Thanks.

Tom
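
The following is an added example, not part of the original message and not libcgroup code: a Python pre-check that a recursive delete could run before trying to move processes to the parent cgroup. It relies on two cgroup v2 facts: cgroup.events exists only on non-root cgroups (so a namespaced "root" still has it), and a non-root cgroup with controllers enabled in cgroup.subtree_control refuses writes to cgroup.procs with EBUSY. All function names are hypothetical, and the directory trees are constructed stand-ins built in a temporary directory rather than a real cgroupfs.

```python
import os
import tempfile

def is_hierarchy_root(cgroup_dir):
    # cgroup.events exists only on non-root cgroups. A cgroup namespace changes
    # the path a cgroup is seen at, not which interface files it has.
    return not os.path.exists(os.path.join(cgroup_dir, "cgroup.events"))

def enabled_controllers(cgroup_dir):
    with open(os.path.join(cgroup_dir, "cgroup.subtree_control")) as f:
        return f.read().split()

def parent_accepts_processes(cgroup_dir):
    """True if moving processes from cgroup_dir to its parent should succeed."""
    parent = os.path.dirname(os.path.abspath(cgroup_dir))
    if is_hierarchy_root(parent):
        return True  # the real root is exempt from the no-internal-process rule
    # Simplification (assumption of this example): any enabled controller is
    # treated as blocking. The kernel applies the rule to domain controllers
    # and fails the cgroup.procs write with EBUSY.
    return not enabled_controllers(parent)

def make_cgroup(path, controllers="", real_root=False):
    # Constructed stand-in for a cgroup directory: only the files read above.
    os.makedirs(path)
    with open(os.path.join(path, "cgroup.subtree_control"), "w") as f:
        f.write(controllers + "\n")
    if not real_root:
        with open(os.path.join(path, "cgroup.events"), "w") as f:
            f.write("populated 1\nfrozen 0\n")

def demo():
    layouts = {  # name -> (controllers enabled at the top, is it the real root)
        "host_root": ("cpu memory pids", True),
        "namespaced_root": ("cpu memory pids", False),
        "namespaced_root_no_controllers": ("", False),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (controllers, real_root) in layouts.items():
            top = os.path.join(tmp, name)
            make_cgroup(top, controllers, real_root)
            child = os.path.join(top, "MyCgroup")
            make_cgroup(child)
            results[name] = parent_accepts_processes(child)
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'move to parent' if ok else 'parent refuses processes'}")
```

When the check returns False, the caller needs a different plan for the remaining processes, such as the kill flag proposed in the message.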



