Re: How to stop child cgroup caused by PAMName=

[Lennart Poettering <lennart@xxxxxxxxxxxxxx>]

On Do, 06.02.25 08:25, Dluhosch, Michael (michael.dluhosch@xxxxxxxxxx) wrote:

> Hello,
>
>
> I want a service which executes 'startFoo.sh' exactly like a user 'Foo' would experience it. This is my current approach:
>
> [Service]
> ExecStart=/usr/bin/startFoo.sh
>
> User=Foo
>
> PAMName=login
>
>
> And it seems to work just fine. But I can't figure out how to stop
> this service and all of its childs in a clean way. According to the
> systemd.exec documentation this service will start a 'session scope'
> CGroup but it does not mention how to stop this when the service
> stops.

Well, the whole session concept is about disconnecting lifecycles of
the login manager and the sessions they spawn a bit (i.e. that the
sessions can be killed independently of the session manager and can be
tracked separately from it).

> So far I found this workaround:
>
> I add a
>
> ExecStop=/usr/bin/stopFoo.sh
>
> to the main service which does that:
>
> #!/bin/bash
> systemctl stop $(systemctl status $(pidof <anyProcessNameInsideTheChildCGroup>) | grep user.*slice | grep -o session.*scope)
>
> Is there a clean solution to accomplish something like this?

Well, a service can register as many sessions as it wants,
simultaneously or serially, everything is allowed, hence there is no
direct 1:1 connection between service and scope and what you are
asking for is not necessarily available.

I guess you could theoretically bind the lifetime of your session
object to the lifetime of the allocating service via BindsTo= but we
currently have no way to request that in a friendly way.

That said, why is this even an issue? note that logind tracks the
primary process of a session as its "leader" and binds the session's
lifetime to that leader process lifetime. Except of course you are
using some distro that turns KillUserProcesses= off, which disables
this logic for compat with legacy.

Lennart

--
Lennart Poettering, Berlin