Re: Systemd, cgroupsv2, cgrulesengd, and nftables

On 14.06.2024 18:49, Mikhail Morfikov wrote:
> On 14/06/2024 5.26 pm, Demi Marie Obenour wrote:
>> On Fri, Jun 14, 2024 at 10:06:34AM +0200, Mikhail Morfikov wrote:
>>> On 13/06/2024 10.27 pm, Lennart Poettering wrote:
>>>> On Do, 13.06.24 21:38, Mikhail Morfikov (mmorfikov@xxxxxxxxx) wrote:
>>>>
>>>>> I'm trying to make the 4 things (systemd, cgroupsv2, cgrulesengd, and nftables)
>>>>> work together, but I think I'm missing something.
>>>>>
>>>>> Is "cgrulesengd" interfering with the cgroup tree?
>>>>
>>>> Sorry, but that's simply not supported. cgroupv2 has a single-writer
>>>> rule, i.e. every part of the tree has only a single writer, a single
>>>> manager. And you must delegate a subtree to other managers if a
>>>> different manager shall also manage cgroups.
>>>>
>>>> Hence, if you have something that just takes systemd managed processes
>>>> and moves them elsewhere, it's simply not supported. Sorry, you voided
>>>> your warranty.
>>>>
>>>> Lennart
>>>>
>>>> --
>>>> Lennart Poettering, Berlin
>>>
>>> I don't need any warranty, I need a way to make this work.
>>
>> I don't know anything about cgrulesengd, but from your post it seems
>> that it relies on scanning all processes and moving them to cgroups
>> based on information about them.  This isn't compatible with systemd.
>> There are a few options that will work:
>>
>> 1. Change cgrulesengd to use systemd's D-Bus API to manage cgroups.
>> 2. Run everything in a container that doesn't use systemd.
>> 3. Stop using cgrulesengd, and instead use systemd units to define
>>    cgroups.  Then use other approaches (such as wrapper scripts) to
>>    ensure that programs are launched in the correct systemd units.
>
> There's no way I'm going to wrap every command in systemd's service/unit
> file...
>
> The question isn't really whether cgrulesengd + systemd is supported or
> not, but why the terminal apps have issues. GUI apps work well and the
> network packets of all the GUI apps can be matched in nftables based on
> the cgroup path. So the setup works well except for the terminal apps.

It is still unclear why you are asking this on the systemd list. From your description it sounds like a race condition between cgrulesengd and netfilter. GUI apps generally are "heavier" and take more time to start up, which may explain it. The best place to ask would be cgrulesengd. If you have any evidence that systemd somehow interferes here, you did not present it.

Otherwise there is such a project as

https://github.com/mk-fg/systemd-cgroup-nftables-policy-manager

which dynamically adds nftables rules to match systemd cgroups (well, in principle it can match anything). It could be combined with "systemd-run --scope" or similar to place commands in specific scopes that will be matched by netfilter.
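As an added example, not code from the thread or from the project linked above: a POSIX shell helper that does by hand what that policy manager automates, deriving an nftables "socket cgroupv2" match from the cgroup path of a command started with systemd-run --scope. The "inet filter"/"output" table and chain, the "demo" scope name and the sample /proc/<pid>/cgroup lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the nftables match for the cgroup v2
# path of a process, e.g. one started with "systemd-run --user --scope".
# Assumptions: unified cgroup v2 hierarchy, an "inet filter" table with an
# "output" chain, nftables/kernel with "socket cgroupv2" support.
set -eu

# Return the cgroup v2 path (no leading slash) from a /proc/<pid>/cgroup line.
# Only the unified "0::/..." line is accepted; v1 controller lines yield nothing.
cgroup_v2_path() {
    printf '%s\n' "$1" | sed -n 's|^0::/||p'
}

# "socket cgroupv2 level N" compares the socket's cgroup ancestor at depth N,
# so N must equal the number of components of the path we want to match exactly.
nft_cgroupv2_match() {
    path=$1
    [ -n "$path" ] || { echo "empty cgroup path" >&2; return 1; }
    level=$(printf '%s\n' "$path" | awk -F/ '{print NF}')
    printf 'socket cgroupv2 level %s "%s"\n' "$level" "$path"
}

# Complete nft command that counts and logs packets sent from that cgroup.
nft_rule_for_cgroup_line() {
    match=$(nft_cgroupv2_match "$(cgroup_v2_path "$1")")
    printf 'nft add rule inet filter output %s counter log prefix "scope: "\n' "$match"
}

# On a systemd host: run the command inside its own scope and derive the rule
# from the cgroup the command itself reports. A socket keeps the cgroup it was
# created in, so the process has to be in the scope before it opens sockets;
# that ordering is what a post-hoc mover such as cgrulesengd cannot guarantee.
if [ "${1:-}" = "--demo" ]; then
    line=$(systemd-run --user --quiet --scope --unit="demo-$$" cat /proc/self/cgroup)
    nft_rule_for_cgroup_line "$line"
fi
```

Run with `--demo` on a systemd user session to print the rule for a fresh scope; pipe it to sh once you have checked the table and chain names against your ruleset.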
