Re: Systemd, cgrupsv2, cgrulesengd, and nftables

[Lennart Poettering <lennart@xxxxxxxxxxxxxx>]

On Fr, 14.06.24 10:06, Mikhail Morfikov (mmorfikov@xxxxxxxxx) wrote:

> > --
> > Lennart Poettering, Berlin
>
> I don't need any warranty, I need a way to make this work.

Yeah, but this is the wrong forum to ask for help then. What you are
doing is strictly against how systemd and cgroup2 is designed. I mean,
do what you want, but this is not supported, you are on your own.

> I'm not sure whether I understand the "single-writer rule", so correct me if I'm
> wrong. I don't want to write pids to systemd services using cgrulesengd. I just
> want to create my own cgroup tree, for instance
> /sys/fs/cgroup/morfikownia/ and I

Yeah, that's not how this works. On systemd systems the top of the
cgroup tree is managed by systemd. if you want to manage your own
cgroups, then ask for a delegated subtree, and do your stuff there,
but don't interfere with the top of tree, you'll step on systemd's
feet then, and systemd will run over your feet all the time.

> want to place there all the processes managed by cgrulesengd (via the
> /etc/cgrules.conf file). So systemd won't be touching anything inside
> /sys/fs/cgroup/morfikownia/ and cgrulesengd won't be touching anything in the
> rest of the cgroup tree -- is this "single-writer rule" ?

Yeah, sorry, that's not how this works.

> > And you must delegate a subtree to other managers if a
> > different manager shall also manage cgroups.
>
> How can this be done?

There are so many docs around about this, you read them:

https://systemd.io/CGROUP_DELEGATION

Lennart

--
Lennart Poettering, Berlin