Re: [systemd-devel] Delegate v1 cgroup controller permissions
On Do, 11.07.19 09:57, Michal Koutný (mkou...@suse.com) wrote: > On Thu, Jun 20, 2019 at 02:19:34PM +0200, Lennart Poettering > wrote: > > Sorry, but there is not, it's not safe, as documented. > > The doc [1] says: > > Think twice before delegating cgroup v1 controllers to less privileged > > containers. It’s not safe, you basically allow your containers to > > freeze the system with that and worse. > > My search-fu is not strong enough and I'm interested in the details. > What controller settings can have such ramifications on the rest of the > system? the rt ones for example. Further further details, ping Tejun Heo. Lennart -- Lennart Poettering, Berlin ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Delegate v1 cgroup controller permissions
On Thu, Jun 20, 2019 at 02:19:34PM +0200, Lennart Poettering wrote: > Sorry, but there is not, it's not safe, as documented. The doc [1] says: > Think twice before delegating cgroup v1 controllers to less privileged > containers. It’s not safe, you basically allow your containers to > freeze the system with that and worse. My search-fu is not strong enough and I'm interested in the details. What controller settings can have such ramifications on the rest of the system? Thanks, Michal [1] https://systemd.io/CGROUP_DELEGATION ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Delegate v1 cgroup controller permissions
On Mi, 19.06.19 17:33, John Lane (syst...@jelmail.com) wrote: > > I have a service which runs as an unprivileged user (User=foo) with > delegated cgroup (Delegate=true) that wants to use the "memory" and > "cpu" controllers. Systemd is using the hybrid mode with both v1 and v2 > cgroups, and the controllers are assigned to the v1 groups. > > Before I can use the "cpu" or "memory" cgroups I have to force the > permissions of them because the delegated permissions are only applied > in the unified hierarchy. > > Doing this requires root which is a problem because we don't want to > give this service root permissions. > > I have read https://systemd.io/CGROUP_DELEGATION and note that the > hybrid mode "is a stopgap" and "has no future" but I am forced to use it > because the distros that we have to use (fedora) are set up that way (I > have yet to see any system use the unified v2 mode exclusively). So I'm > having to bother with hybrid mode even though I don't have enough free > time ;) > > I have read in the same article that delegation "won’t pass ownership of > the legacy controller hierarchies" and "think twice before delegating > cgroup v1 controllers to less privileged containers." > > I get that it isn't the preferred mechanism with systemd but we just > want to manage access to resources (cpu and memory) allocated to > subtasks from within our application. > > So is there a way to tell systemd (or some other way) to set the v1 > cgroup permissions so they are usable by the delegated user without > having to give the user process root privileges ? Sorry, but there is not, it's not safe, as documented. You are of course welcome to ignore that it's not safe, and chmod away anyway, but you are on your own if you do, we don't provide any functionality to do that for you, sorry! (And this not going to change anymore, cgroupsv1 is on its way out, and in cgroupsv2 all this is safe and you get access to the controllers as much as you want already) Sorry, Lennart -- Lennart Poettering, Berlin ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
[systemd-devel] Delegate v1 cgroup controller permissions
I have a service which runs as an unprivileged user (User=foo) with delegated cgroup (Delegate=true) that wants to use the "memory" and "cpu" controllers. Systemd is using the hybrid mode with both v1 and v2 cgroups, and the controllers are assigned to the v1 groups. Before I can use the "cpu" or "memory" cgroups I have to force the permissions of them because the delegated permissions are only applied in the unified hierarchy. Doing this requires root which is a problem because we don't want to give this service root permissions. I have read https://systemd.io/CGROUP_DELEGATION and note that the hybrid mode "is a stopgap" and "has no future" but I am forced to use it because the distros that we have to use (fedora) are set up that way (I have yet to see any system use the unified v2 mode exclusively). So I'm having to bother with hybrid mode even though I don't have enough free time ;) I have read in the same article that delegation "won’t pass ownership of the legacy controller hierarchies" and "think twice before delegating cgroup v1 controllers to less privileged containers." I get that it isn't the preferred mechanism with systemd but we just want to manage access to resources (cpu and memory) allocated to subtasks from within our application. So is there a way to tell systemd (or some other way) to set the v1 cgroup permissions so they are usable by the delegated user without having to give the user process root privileges ? pEpkey.asc Description: application/pgp-keys ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel