On 01/11/2019 09:20, Lennart Poettering wrote:
> On Fr, 01.11.19 08:59, Bhasker C V (bhasker@xxxxxxxxxxxxx) wrote:
>
>>> systemd owns the cgroup tree, only subtrees for which delegation is
>>> explicitly turned on can be managed by other programs, for example for
>>> the purpose of container managers.
>>>
>>> Thus, creating cgroups manually, directly via cgcreate at the top of
>>> the tree is explicitly not supported.
>>>
>>> Use systemd's own concepts, i.e. slice units, direct cgroup access
>>> bypassing systemd at the top of the tree is explicitly not supported.
>> a) Does this mean that running systemd-nspawn from command-line (via
>> scripts) does not give the user any control over cgroups? If that is
>> possible, please can you help explaining a bit more?
> on cgroupsv1 nspawn delegates access to a subtree of the name=systemd
> hierarchy to its payload (i.e. none of the other controllers). This is
> the only thing that is relatively safe to do.
>
> on cgroupsv2 nspawn delegates access to a subtree of the full tree,
> including any controllers, as on cgroupsv2 controller delegation is
> finally safe.
>
>> b) What is the use of the --slice= option in systemd-nspawn? If I can pass
>> a slice name, I derive that it should be possible (by some means) to
>> create the slice name with some command?
> You can specify any slice you want, systemd will start it as needed
> on behalf of the nspawn container.

I am really sorry, but I am still not able to get this working with a 'name' in slice.
Is there a naming convention to be used for the name passed on to --slice=? I could not understand this from the man page.

$ sudo systemd-nspawn -jbD ./a --slice=test
Spawning container a on /tmp/a.
Press ^] three times within 1s to kill container.
Failed to register machine: Invalid unit name 'test'
Parent died too early

$ sudo systemd-nspawn -jbD ./a --slice=machine.slice/test
Spawning container a on /tmp/a.
Press ^] three times within 1s to kill container.
Failed to register machine: Invalid unit name 'machine.slice/test'
Parent died too early

$ systemd-nspawn --version
systemd 241 (241)
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN +PCRE2 default-hierarchy=hybrid

$ sudo systemd-nspawn -jbD ./a --slice=/machine.slice/test
Spawning container a on /tmp/a.
Press ^] three times within 1s to kill container.
Failed to register machine: Invalid unit name '/machine.slice/test'
Parent died too early
$

> Key is: systemd owns the cgroup tree from the top, and delegation of
> subtrees is the only safe and supported way how other software can
> write to the cgroup tree, and then only in the subtree they got
> delegated.
>
> Lennart
>
> --
> Lennart Poettering, Berlin

--
Bhasker C V
Secure Mails: http://keys.gnupg.net/pks/lookup?op=get&search=0x4D05FEEC54E47413
Registered Linux User: #306349

_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
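Added example, not part of the thread: a POSIX sh check that encodes the slice unit-name rules from systemd.unit(5) and systemd.slice(5) (mandatory ".slice" suffix, no "/" because unit names are not paths, nesting spelled with "-"), which is why the three values tried above come back as invalid unit names. It is a local approximation of systemd's own validation, not a call into systemd, and does not claim anything about whether the container then starts.

```shell
#!/bin/sh
# Added example, not from the thread. Approximates the slice unit-name rules
# documented in systemd.unit(5) and systemd.slice(5):
#   - a slice unit name carries the ".slice" suffix ("test" has none)
#   - unit names are not paths: "/" is not an allowed character, so
#     "machine.slice/test" and "/machine.slice/test" are invalid unit names
#   - nesting is spelled with "-": machine-test.slice lives below machine.slice,
#     and "-.slice" is the root slice
# This is a local approximation of systemd's own checks, not a call into systemd.

slice_name_valid() {
    name=$1
    [ "$name" = "-.slice" ] && return 0           # root slice is always valid
    # allowed characters, non-empty prefix, mandatory suffix
    printf '%s\n' "$name" | grep -Eq '^[A-Za-z0-9:_.-]+\.slice$' || return 1
    prefix=${name%.slice}
    case $prefix in
        -*|*-|*--*) return 1 ;;                   # no leading, trailing or double dash
    esac
    return 0
}

# Print the parent slice that systemd would have to start first for a nested name.
slice_parent() {
    prefix=${1%.slice}
    case $prefix in
        '-') return 1 ;;                          # the root slice has no parent
        *-*) printf '%s.slice\n' "${prefix%-*}" ;;
        *)   printf '%s\n' '-.slice' ;;
    esac
}

# Walk the values tried in the mail plus two well-formed names.
for s in test machine.slice/test /machine.slice/test machine.slice machine-test.slice; do
    if slice_name_valid "$s"; then
        printf '%-22s valid, parent %s\n' "$s" "$(slice_parent "$s")"
    else
        printf '%-22s invalid unit name\n' "$s"
    fi
done
```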