Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Systemd controller does not work in user space with Delegate=yes services #33

Open
ThrosturX opened this issue Nov 3, 2017 · 0 comments
Open

Systemd controller does not work in user space with Delegate=yes services #33

ThrosturX opened this issue Nov 3, 2017 · 0 comments

Comments

@ThrosturX
Copy link

ThrosturX commented Nov 3, 2017
edited
Loading

According to the documentation for Systemd units, User= units should be able to control subhierarchies under its own control group path as long as they are Delegate=. I have been unable to get this functionality to work with this package.

Consider the following unit mattdaemon.service (remember to substitute $USER with a regular non-root user):

[Unit]
Description=User space delegate test

[Service]
Type=simple
Delegate=yes
User=$USER
ExecStart=/path/to/binary/failor

Assume /path/to/binary contains a binary built with go build from the following source code:

package main

import (
        "log"
        "os"

        "github.com/containerd/cgroups"
        specs "github.com/opencontainers/runtime-spec/specs-go"
)

func main() {
        // load the cgroup for "this" process -- since we assume we run in a Delegate=yes user unit,
        // we can only control subhierarchies beneath this control group
        unitGroup, err := cgroups.Load(cgroups.Systemd, cgroups.PidPath(os.Getpid()))
        if err != nil {
                log.Panicln("Load:", err)
        }

        // create a subgroup based on cgroup.Cgroups interface
        control, err := unitGroup.New("subway", &specs.LinuxResources{})
        if err != nil {
                // Interactive authentication required
                log.Panicln("New:", err)
        }
        /* if this were a unit test, we would continue by creating a process and adding it to our sub group */
        log.Println("Success!") // Only gets printed if Unit is run by root
        _ = control             // rest of code stubbed
}

Reproduce the bug by starting the unit:

$ sudo systemctl daemon-reload
$ sudo systemctl start mattdaemon.service
$ journalctl -xafe --unit=mattdaemon.service

Journal Output

Nov 03 11:58:55 devthrostur01 failor[23042]: 2017/11/03 11:58:55 New: Interactive authentication required.
Nov 03 11:58:55 devthrostur01 systemd[1]: mattdaemon.service: main process exited, code=exited, status=2/INVALIDARGUMENT
...

We can enable the functionality by removing the User= line from the systemd unit, but this should not be necessary as per the docs (man 5 systemd.resource-control) since we have enabled Delegate=yes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ThrosturX