On So, 09.09.18 09:31, Daniel J Walsh (dwalsh@xxxxxxxxxx) wrote: > Has anyone looked at supporting pam_cgfs.so in Fedora. > > This question was asked here. > > https://github.com/containers/libpod/issues/1429 I am not sure what pam_cgfs.so precisely does, but do note that on systemd systems (which includes Fedora) systemd is the owner of the cgroup tree, and the only means by which other components may manage their own subtrees is through cgroup delegation (which includes delegation to less privileged users), which you can request from systemd. You can request cgroup delegation from the system service manager, for which you need to be privileged (but you can request it on behalf of an unprivileged user). You can also request cgroup delegation from your private user service manager instance, for which you do not need to be privileged. The APIs for requesting cgroup delegation from the system service manager or your user service manager is the same, the only difference is whether you do so through the system or user dbus bus. Note that on cgroupsv1 delegation of *controllers* (i.e. "cpu", "cpuset", "memory", "blkio", …) to unprivileged processes is not safe (this is a kernel limitation) and systemd won't do it hence. On cgroupsv2 it is safe however, and hence you will get "memory" and "tasks" delegated by default (though not "cpu" by default as the runtime impact of that is still too high). Do note however, that Docker is blocking us from switching Fedora over to cgroupsv2 though, as there is still no working support for cgroupsv2 in Docker, nor support for requested cgroup tree delegation from systemd. It's a shame that Docker is hindering us from making the switch, but it is how it is. Docker currently bypasses systemd entirely when it comes to cgroupsv2 and considers itself to be owner of the cgroup tree which is a mess on cgroupsv1 (though you have a chance of getting away with it) and doesn't work at all on cgroupsv2. Or in other words: if you are looking for a way to get your own per-user delegated cgroup subtree, simply ask systemd for it by setting Delegate=yes in your service unit file, or by asking for a scope unit to be registered, also with Delegate=yes set. Nothing else is supported. Lennart -- Lennart Poettering, Red Hat _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
