Adding an example of what happens on a system running systemd-shim+cgmanager and sysvinit as PID1:

root@antani:~# cat /proc/$$/cgroup
10:name=systemd:/user.slice/user-1000.slice/session-1.scope
9:perf_event:/user.slice/user-1000.slice/session-1.scope
8:net_prio:/user.slice/user-1000.slice/session-1.scope
7:net_cls:/user.slice/user-1000.slice/session-1.scope
6:freezer:/user.slice/user-1000.slice/session-1.scope
5:devices:/user.slice/user-1000.slice/session-1.scope
4:cpuset:/user.slice/user-1000.slice/session-1.scope
3:cpuacct:/user.slice/user-1000.slice/session-1.scope
2:cpu:/user.slice/user-1000.slice/session-1.scope
1:blkio:/user.slice/user-1000.slice/session-1.scope

As you can see, the shell is in the current session cgroup for all controllers (su - from an ssh login).

root@antani:~# cat /proc/`pidof ntpd`/cgroup
10:name=systemd:/
9:perf_event:/
8:net_prio:/
7:net_cls:/
6:freezer:/
5:devices:/
4:cpuset:/
3:cpuacct:/
2:cpu:/
1:blkio:/

ntpd (chosen at random) being started upon boot correctly belongs to the root cgroup for all controllers.

root@antani:~# service ntp restart
[ ok ] Stopping NTP server: ntpd.
[ ok ] Starting NTP server: ntpd.

Now the expected behavior of service (and invoke-rc.d) would be starting ntpd back in the root cgroup, but...

root@antani:~# cat /proc/`pidof ntpd`/cgroup
10:name=systemd:/user.slice/user-1000.slice/session-1.scope
9:perf_event:/user.slice/user-1000.slice/session-1.scope
8:net_prio:/user.slice/user-1000.slice/session-1.scope
7:net_cls:/user.slice/user-1000.slice/session-1.scope
6:freezer:/user.slice/user-1000.slice/session-1.scope
5:devices:/user.slice/user-1000.slice/session-1.scope
4:cpuset:/user.slice/user-1000.slice/session-1.scope
3:cpuacct:/user.slice/user-1000.slice/session-1.scope
2:cpu:/user.slice/user-1000.slice/session-1.scope
1:blkio:/user.slice/user-1000.slice/session-1.scope

As you can see, ntpd instead ends up in the current session cgroups. This means that upon logout the session would linger in "closing" state until ntpd terminates.

This has other ramifications on devices ACLs if the session belongs to a local seat (tty or X11).

Manual workaround:

root@antani:~# cgm movepidabs all / `pidof ntpd`
root@antani:~# cat /proc/`pidof ntpd`/cgroup
10:name=systemd:/
9:perf_event:/
8:net_prio:/
7:net_cls:/
6:freezer:/
5:devices:/
4:cpuset:/
3:cpuacct:/
2:cpu:/
1:blkio:/

Unfortunately, this can't be simply put into service and invoke-rc.d because the MovePidAbs call to cgmanager is asynchronous. Forking a process while the parent is still moving across cgroup boundaries can cause the child to end up in the old cgroups.

If you need more details I'd be happy to provide them.

Regards,
--
Matteo Panella
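
A check for the symptom shown above, as an added example that is not part of the original message: a POSIX shell function that reads a /proc/<pid>/cgroup file and reports whether the process sits in the root cgroup or in a login session scope on every hierarchy. The function name, the temporary sample files and their contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): classify where a process
# sits in the cgroup hierarchies, given the contents of /proc/<pid>/cgroup.

# cgroup_placement FILE
# Prints one of:
#   root     every hierarchy is at "/"
#   session  every hierarchy is under a login session scope
#   mixed    hierarchies disagree, at least one is in a session scope
#   other    anything else (including an empty file)
cgroup_placement() {
    total=0 root=0 session=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line#*:}   # drop the hierarchy id
        path=${path#*:}   # drop the controller list, leaving the cgroup path
        total=$((total + 1))
        case $path in
            /) root=$((root + 1)) ;;
            */session-*.scope|*/session-*.scope/*) session=$((session + 1)) ;;
        esac
    done < "$1"
    if [ "$total" -eq 0 ]; then echo other
    elif [ "$root" -eq "$total" ]; then echo root
    elif [ "$session" -eq "$total" ]; then echo session
    elif [ "$session" -gt 0 ]; then echo mixed
    else echo other
    fi
}

# Constructed sample inputs, modelled on the output quoted in the message.
SAMPLES=$(mktemp -d)
for c in 10:name=systemd 5:devices 2:cpu 1:blkio; do
    echo "$c:/" >> "$SAMPLES/boot"
    echo "$c:/user.slice/user-1000.slice/session-1.scope" >> "$SAMPLES/restarted"
done
# Constructed case: hierarchies that disagree with each other.
{
    echo "2:cpu:/"
    echo "1:blkio:/user.slice/user-1000.slice/session-1.scope"
} > "$SAMPLES/disagree"

for f in boot restarted disagree; do
    printf '%s: %s\n' "$f" "$(cgroup_placement "$SAMPLES/$f")"
done
```

On a live system the argument would be the /proc/<pid>/cgroup file of the daemon being checked; a result of "session" for a system daemon is the misplacement described in the message.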

