Re: Systemd, cgroupsv2, cgrulesengd, and nftables

On Fri, Jun 14, 2024 at 10:06:34AM +0200, Mikhail Morfikov wrote:
> On 13/06/2024 10.27 pm, Lennart Poettering wrote:
> > On Do, 13.06.24 21:38, Mikhail Morfikov (mmorfikov@xxxxxxxxx) wrote:
> > 
> > > I'm trying to make the 4 things (systemd, cgroupsv2, cgrulesengd, and nftables)
> > > work together, but I think I'm missing something.
> > 
> > Is "cgrulesengd" interfering with the cgroup tree?
> > 
> > Sorry, but that's simply not supported. cgroupv2 has a single-writer
> > rule, i.e. every part of the tree has only a single writer, a single
> > manager. And you must delegate a subtree to other managers if a
> > different manager shall also manage cgroups.
> > 
> > Hence, if you have something that just takes systemd managed processes
> > and moves them elsewhere, it's simply not supported. Sorry, you voided
> > your warranty.
> > 
> > Lennart
> > 
> > --
> > Lennart Poettering, Berlin
> 
> I don't need any warranty, I need a way to make this work.

I don't know anything about cgrulesengd, but from your post it seems
that it relies on scanning all processes and moving them to cgroups
based on information about them.  This isn't compatible with systemd.
There are a few options that will work:

1. Change cgrulesengd to use systemd's D-Bus API to manage cgroups.
2. Run everything in a container that doesn't use systemd.
3. Stop using cgrulesengd, and instead use systemd units to define
   cgroups.  Then use other approaches (such as wrapper scripts) to
   ensure that programs are launched in the correct systemd units.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
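
A sketch of option 3 from the reply above, added here as an example and not taken from the thread or from any project mentioned in it: a wrapper that starts a program in a transient scope under a named slice of the user's systemd manager, plus a helper that derives the matching nftables `socket cgroupv2` expression. The slice name `netapps-browser.slice`, the UID 1000, and the assumption that the user manager lives at `user.slice/user-UID.slice/user@UID.service` are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): launch programs in systemd-managed
# cgroups instead of moving PIDs around behind systemd's back.

# systemd nests slices by name: "a-b.slice" lives at "a.slice/a-b.slice".
slice_to_cgroup_path() {
    local name prefix path part IFS
    name="${1%.slice}"
    prefix=""
    path=""
    IFS='-'
    for part in $name; do
        prefix="${prefix:+$prefix-}$part"
        path="${path:+$path/}$prefix.slice"
    done
    printf '%s\n' "$path"
}

# Build the nftables match for a slice.
#   $1 = slice name, $2 = cgroup path of the owning systemd manager
#        (empty for the system manager).
# "level N" tells nft to compare the socket's ancestor cgroup at depth N.
nft_match_for() {
    local path level
    path="$(slice_to_cgroup_path "$1")"
    if [ -n "${2:-}" ]; then
        path="$2/$path"
    fi
    level="$(printf '%s\n' "$path" | awk -F/ '{ print NF }')"
    printf 'socket cgroupv2 level %s "%s"\n' "$level" "$path"
}

# Wrapper: systemd creates the scope and remains the only writer of the tree.
run_in_slice() {
    local slice
    slice="$1"
    shift
    exec systemd-run --user --scope --slice="$slice" -- "$@"
}

# Usage as a wrapper script: wrapper.sh netapps-browser.slice firefox
if [ "$#" -gt 0 ]; then
    run_in_slice "$@"
fi
```

The expression printed by `nft_match_for` goes into an output-chain rule in your own table. nft resolves the cgroup path when the rule is loaded, so the slice has to exist at that point.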
