Re: Adding capability control into the `run' script comparison page
Jonathan de Boyne Pollard: To anyone running the service manager and bundles from nosh version 1.28 or later on Linux: You are encouraged to look at your control group hierarchy, with a tool like "systemd-cgls /", with the "cgroup" field of the ps command, or by simply listing your /sys/fs/cgroup/ hierarchy. You are in for an interesting surprise. There are more interesting surprises in the same vein in 1.31. I've put a sneak peek of the 1.31 Guide up for you.
Re: Adding capability control into the `run' script comparison page
Guillermo: I suppose the interesting surprise is that as a consequence, when a service definition gets 'imported' to nosh from a unit file (and this covers pretty much everything in the nosh-bundles* binary packages), the corresponding service gets placed in a cgroup of its own when launched by nosh's service manager:

This also happens in per-user service management.

/service-manager.slice/user-services@.service:
└─user-services@jdebp.service
  ├─31423 per-user-manager
  ├─per-user-manager-log.slice
  │ └─31426 cyclog --max-file-size 32768 --max-total-size 1048576 .
  └─service-manager.slice
    ├─31427 service-manager
    ├─gvfs-daemon.service
    │ └─9305 /usr/lib/gvfs/gvfsd
    ├─at-spi-dbus-bus.service
    │ ├─9276 /usr/lib/at-spi2-core/at-spi-bus-launcher
    │ ├─9290 /usr/bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.co...
    │ └─9293 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
    ├─dbus-servers-log.service
    │ └─30089 cyclog jdebp/dbus-servers/
    ├─pulseaudio.service
    │ └─3625 pulseaudio --exit-idle-time=-1
    ├─mpd.service
    │ └─31592 mpd --no-daemon --stderr --stdout --verbose ./mpd.conf
    ├─emacs.service
    │ ├─6088 strace -f emacs --daemon
    │ └─6094 emacs --daemon
    ├─cyclog@.service
    │ ├─cyclog@pulseaudio.service
    │ │ └─20138 cyclog jdebp/pulseaudio/
    │ └─cyclog@mpd.service
    │   └─18028 cyclog jdebp/mpd/
    ├─simple-servers-log.service
    │ └─6070 cyclog jdebp/simple-servers/
    └─gnome-terminal-server.service
      ├─9408 /usr/lib/gnome-terminal/gnome-terminal-server
      ├─9411 gnome-pty-helper
      ├─9412 zsh
      └─9451 sleep 6000
Re: Adding capability control into the `run' script comparison page
2016-12-07 6:26 GMT-03:00 Jean Louis:
>
> On Wed, Dec 07, 2016 at 09:14:00AM +, Jonathan de Boyne Pollard wrote:
>> [...]
>> To anyone running the service manager and bundles from nosh version 1.28 or
>> later on Linux: You are encouraged to look at your control group hierarchy,
>> with a tool like "systemd-cgls /", with the "cgroup" field of the ps
>> command, or by simply listing your /sys/fs/cgroup/ hierarchy. You are in
>> for an interesting surprise.
> [...]
>
> Please be more detailed, I am interested, but due to not using
> systemd, I have nothing in /sys/fs/cgroup
>
> What is the interesting surprise, explained?

nosh 1.28 and later includes a move-to-control-group chainloading utility [1], and its systemd unit file conversion tool inserts a move-to-control-group invocation in the resulting bundle directory's scripts. I suppose the interesting surprise is that as a consequence, when a service definition gets 'imported' to nosh from a unit file (and this covers pretty much everything in the nosh-bundles* binary packages), the corresponding service gets placed in a cgroup of its own when launched by nosh's service manager:

test$ cat my-test-svc.service
[Unit]
Description=My test service
[Service]
User=test
ExecStart=/home/test/my-test-svc-binary
RestartSec=1

test$ system-control convert-systemd-units --no-systemd-quirks ./my-test-svc.service

test$ ls -l my-test-svc/*
my-test-svc/after:
total 0
lrwxrwxrwx 1 test test 34 Dec 7 22:25 basic -> /etc/service-bundles/targets/basic

my-test-svc/before:
total 0
lrwxrwxrwx 1 test test 37 Dec 7 22:25 shutdown -> /etc/service-bundles/targets/shutdown

my-test-svc/conflicts:
total 0

my-test-svc/required-by:
total 0

my-test-svc/service:
total 16
-rwxr-xr-x 1 test test 105 Dec 7 22:25 restart
-rwxr-xr-x 1 test test 183 Dec 7 22:25 run
-rwxr-xr-x 1 test test 66 Dec 7 22:25 start
-rwxr-xr-x 1 test test 65 Dec 7 22:25 stop

my-test-svc/stopped-by:
total 0
lrwxrwxrwx 1 test test 37 Dec 7 22:25 shutdown -> /etc/service-bundles/targets/shutdown

my-test-svc/wanted-by:
total 0

my-test-svc/wants:
total 0
lrwxrwxrwx 1 test test 34 Dec 7 22:25 basic -> /etc/service-bundles/targets/basic

test$ system-control cat ./my-test-svc
start:#!/bin/nosh
start:#Start file generated from ./my-test-svc.service
start:true
stop:#!/bin/nosh
stop:#Stop file generated from ./my-test-svc.service
stop:true
run:#!/bin/nosh
run:#Run file generated from ./my-test-svc.service
run:#My test service
run:move-to-control-group my-test-svc.service
run:setuidgid test
run:/home/test/my-test-svc-binary
restart:#!/bin/sh
restart:#Restart file generated from ./my-test-svc.service
restart:sleep 1
restart:exec true # ignore script arguments

root# mkdir /sys/fs/cgroup/systemd
root# mount -t cgroup -o rw,nosuid,nodev,noexec,name=systemd systemd /sys/fs/cgroup/systemd
root# system-control start ./my-test-svc

test$ service-status my-test-svc
my-test-svc:
State : running since 2016-12-07 22:35:37 -0300; 7m 48s ago
Main PID: 1499
Started: exit 0
Config : enabled

test$ ps -eo pid,ppid,euser,cgroup,args
PID PPID EUSERCGROUP COMMAND
[...]
1446 1 root - service-manager
1499 1446 test 6:name=systemd:/my-test-svc /home/test/my-test-svc-binary

Process 'my-test-svc-binary' is in cgroup 'my-test-svc.service' and its parent process (PID 1446) is a process supervisor, as expected.

test$ ls -l /sys/fs/cgroup/systemd
total 0
drwxr-xr-x 2 root root 0 Dec 7 22:13 basic.target
-rw-r--r-- 1 root root 0 Dec 7 22:06 cgroup.clone_children
-rw-r--r-- 1 root root 0 Dec 7 22:06 cgroup.procs
-r--r--r-- 1 root root 0 Dec 7 22:06 cgroup.sane_behavior
drwxr-xr-x 2 root root 0 Dec 7 22:13 local-fs-pre.target
drwxr-xr-x 2 root root 0 Dec 7 22:13 local-fs.target
drwxr-xr-x 2 root root 0 Dec 7 22:35 my-test-svc.service
-rw-r--r-- 1 root root 0 Dec 7 22:06 notify_on_release
-rw-r--r-- 1 root root 0 Dec 7 22:06 release_agent
drwxr-xr-x 2 root root 0 Dec 7 22:13 swapauto.target
drwxr-xr-x 2 root root 0 Dec 7 22:13 swaplate.target
drwxr-xr-x 2 root root 0 Dec 7 22:13 sysinit.target
-rw-r--r-- 1 root root 0 Dec 7 22:06 tasks

(/sys/fs/cgroup itself is a tmpfs on my machine)

G.

[1] http://jdebp.eu/Softwares/nosh/guide/move-to-control-group.html
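
The chainloading step behind the move-to-control-group line in the run script above, as an added C sketch that is not part of the original messages and is not nosh's source: the program writes its own PID into the group's cgroup.procs, then execs the next program in the chain, which keeps that PID and so stays in the group. The program name cgjoin, the function join_cgroup and the hard-coded root (taken from the mount shown in the message above) are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create <root>/<name> if needed and move the calling
 * process into it by writing its PID to cgroup.procs. 0 on success, -1 on error. */
int join_cgroup(const char *root, const char *name)
{
    char path[4096];
    /* Refuse empty names and ".." so the path stays under the hierarchy root. */
    if (name[0] == '\0' || strstr(name, "..") != NULL) {
        errno = EINVAL;
        return -1;
    }
    int n = snprintf(path, sizeof path, "%s/%s", root, name);
    if (n < 0 || (size_t)n >= sizeof path - sizeof "/cgroup.procs") {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (mkdir(path, 0755) != 0 && errno != EEXIST)
        return -1;
    strcat(path, "/cgroup.procs");
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    int ok = fprintf(f, "%ld\n", (long)getpid()) > 0;
    if (fclose(f) != 0)   /* buffered write is flushed here; a refused move fails */
        ok = 0;
    return ok ? 0 : -1;
}

/* usage: cgjoin <cgroup-name> <program> [args...]  (cgjoin is a made-up name) */
int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s cgroup-name program [args...]\n", argv[0]);
        return 100;
    }
    if (join_cgroup("/sys/fs/cgroup/systemd", argv[1]) != 0) {
        perror(argv[1]);
        return 111;
    }
    execvp(argv[2], argv + 2);   /* same PID, so the service stays in the cgroup */
    perror(argv[2]);
    return 111;
}
```

In the generated run script, move-to-control-group comes before setuidgid test, so the cgroup write happens before the chain drops to the service user.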
Re: Adding capability control into the `run' script comparison page
Casper Ti. Vector: But I do think the capability argument has its validity: chainloading is, at this time, not well known to normal users, which is why many systemd supporters compulsorily identify cgroup support with systemd with few people opposing. Therefore I suggest to add some examples of capability control (e.g. one example for ulimit, plus one example for cgroup) into the comparison page, or an independent page.

Such "systemd supporters" don't actually know systemd.

* http://jdebp.eu./FGA/linux-control-groups-are-not-jobs.html

To anyone running the service manager and bundles from nosh version 1.28 or later on Linux: You are encouraged to look at your control group hierarchy, with a tool like "systemd-cgls /", with the "cgroup" field of the ps command, or by simply listing your /sys/fs/cgroup/ hierarchy. You are in for an interesting surprise.
Re: Adding capability control into the `run' script comparison page
Many thanks :)

On Tue, Dec 06, 2016 at 12:53:14AM +, Jonathan de Boyne Pollard wrote:
> * http://jdebp.eu./Softwares/nosh/guide.html

--
My current OpenPGP key:
RSA4096/0x227E8CAAB7AA186C (expires: 2020.10.19)
7077 7781 B859 5166 AE07 0286 227E 8CAA B7AA 186C
Re: Adding capability control into the `run' script comparison page
Casper Ti. Vector: the docs are in tarballs on jdebp.eu

* http://jdebp.eu./Softwares/nosh/guide.html
Re: Adding capability control into the `run' script comparison page
Sorry, my fault. I read the page in a hurry, and thought the page did not contain ulimit when the reply said capability control was not involved in your page. Impatience is really a sin :(

Nevertheless, if you do plan to create a separate page for cgroup support, I think a brief introduction of chainloading with reference to already employed capability control chainloaders (ulimit, user/group...) in the init script comparison page would, to some extent, prepare the impatient reader for the contents to come.

On Mon, Dec 05, 2016 at 09:31:20AM +, Jonathan de Boyne Pollard wrote:
> An irony here is that the page *already contains* two entire sets of
> examples that set memory resource limits, using daemontools,
> daemontools-encore, freedt, perp, s6, and nosh tools.

--
My current OpenPGP key:
RSA4096/0x227E8CAAB7AA186C (expires: 2020.10.19)
7077 7781 B859 5166 AE07 0286 227E 8CAA B7AA 186C
Re: Adding capability control into the `run' script comparison page
Casper Ti. Vector: one example for ulimit

An irony here is that the page *already contains* two entire sets of examples that set memory resource limits, using daemontools, daemontools-encore, freedt, perp, s6, and nosh tools.