** Description changed:

An unprivileged `cgcreate` fails under cgroups v2 with a `nsdelegate` mount (as is default under Ubuntu 24.04.2 LTS).
+
+ Summary: This unprivileged `cgcreate` of `foo` should work but does not:
+
+ $ systemd-run --scope --user --shell --property=Delegate=true
+ Running as unit: run-radcbd24f67b041b9b73c3bbbfcbfbfe0.scope; invocation ID: a29cc81c4ea944ee82d23773e61eeeaa
+
+ $ cgcreate -g pids:user.slice/user-1000.slice/[email protected]/app.slice/run-radcbd24f67b041b9b73c3bbbfcbfbfe0.scope/foo
+ cgcreate: can't create cgroup user.slice/user-1000.slice/[email protected]/app.slice/run-radcbd24f67b041b9b73c3bbbfcbfbfe0.scope/foo: Cgroup, requested group parameter does not exist
+
+ I can create the `foo` cgroup just fine if I use an unprivileged
+ `mkdir`:
+
+ $ mkdir
+ /sys/fs/cgroup/user.slice/user-1000.slice/[email protected]/app.slice/run-
+ radcbd24f67b041b9b73c3bbbfcbfbfe0.scope/foo
+
+ Surely if I can use `mkdir` I should be able to use `cgcreate`.

Details showing the failure of unprivileged `cgcreate`:

    $ mount | grep cgroup
    cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)

Systemd can create a new cgroup unprivileged:

    $ systemd-run --scope --user --shell --property=Delegate=true
    Running as unit: run-radcbd24f67b041b9b73c3bbbfcbfbfe0.scope; invocation ID: a29cc81c4ea944ee82d23773e61eeeaa

    $ echo $$
    312950

    $ cat /proc/$$/cgroup
    0::/user.slice/user-1000.slice/[email protected]/app.slice/run-radcbd24f67b041b9b73c3bbbfcbfbfe0.scope

I can enable `pids` in my current cgroup:

    $ cgset -r cgroup.subtree_control=+pids user.slice/user-1000.slice/[email protected]/app.slice/run-radcbd24f67b041b9b73c3bbbfcbfbfe0.scope

    $ cgget -n -v -r cgroup.subtree_control user.slice/user-1000.slice/[email protected]/app.slice/run-radcbd24f67b041b9b73c3bbbfcbfbfe0.scope
    pids

I can put processes into the current cgroup:

    $ sleep 999 &
    [1] 313028

    $ cgclassify -g pids:user.slice/user-1000.slice/[email protected]/app.slice/run-radcbd24f67b041b9b73c3bbbfcbfbfe0.scope 313028

    $ cgget -n -v -r cgroup.procs user.slice/user-1000.slice/[email protected]/app.slice/run-radcbd24f67b041b9b73c3bbbfcbfbfe0.scope
    312950
    313028
    313044

I cannot use unprivileged `cgcreate` to create a subgroup `foo` of the current cgroup:

    $ cgcreate -g pids:user.slice/user-1000.slice/[email protected]/app.slice/run-radcbd24f67b041b9b73c3bbbfcbfbfe0.scope/foo
    cgcreate: can't create cgroup user.slice/user-1000.slice/[email protected]/app.slice/run-radcbd24f67b041b9b73c3bbbfcbfbfe0.scope/foo: Cgroup, requested group parameter does not exist

Privileged (root) `cgcreate` works fine:

    # cgcreate -a idallen:idallen -g pids:user.slice/user-1000.slice/[email protected]/app.slice/run-radcbd24f67b041b9b73c3bbbfcbfbfe0.scope/foo

    # ls -l /sys/fs/cgroup/user.slice/user-1000.slice/[email protected]/app.slice/run-radcbd24f67b041b9b73c3bbbfcbfbfe0.scope/foo
    total 0
    drwxr-xr-x 2 idallen idallen 0 Feb 24 04:08 ./
    drwxr-xr-x 3 idallen idallen 0 Feb 24 04:08 ../
    -r--r--r-- 1 idallen idallen 0 Feb 24 04:08 cgroup.controllers
    -r--r--r-- 1 idallen idallen 0 Feb 24 04:08 cgroup.events
    -rw-r--r-- 1 idallen idallen 0 Feb 24 04:08 cgroup.freeze
    --w------- 1 idallen idallen 0 Feb 24 04:08 cgroup.kill
    -rw-r--r-- 1 idallen idallen 0 Feb 24 04:08 cgroup.max.depth
    -rw-r--r-- 1 idallen idallen 0 Feb 24 04:08 cgroup.max.descendants
    -rw-r--r-- 1 idallen idallen 0 Feb 24 04:08 cgroup.pressure
    -rw-r--r-- 1 idallen idallen 0 Feb 24 04:08 cgroup.procs
    -r--r--r-- 1 idallen idallen 0 Feb 24 04:08 cgroup.stat
    -rw-r--r-- 1 idallen idallen 0 Feb 24 04:08 cgroup.subtree_control
    -rw-r--r-- 1 idallen idallen 0 Feb 24 04:08 cgroup.threads
    -rw-r--r-- 1 idallen idallen 0 Feb 24 04:08 cgroup.type
    -rw-r--r-- 1 idallen idallen 0 Feb 24 04:08 cpu.pressure
    -r--r--r-- 1 idallen idallen 0 Feb 24 04:08 cpu.stat
    -r--r--r-- 1 idallen idallen 0 Feb 24 04:08 cpu.stat.local
    -rw-r--r-- 1 idallen idallen 0 Feb 24 04:08 io.pressure
    -rw-r--r-- 1 idallen idallen 0 Feb 24 04:08 memory.pressure
    -r--r--r-- 1 idallen idallen 0 Feb 24 04:08 pids.current
    -r--r--r-- 1 idallen idallen 0 Feb 24 04:08 pids.events
    -rw-r--r-- 1 idallen idallen 0 Feb 24 04:08 pids.max
    -r--r--r-- 1 idallen idallen 0 Feb 24 04:08 pids.peak

I can also use unprivileged `mkdir` no problem:

    $ rmdir /sys/fs/cgroup/user.slice/user-1000.slice/[email protected]/app.slice/run-radcbd24f67b041b9b73c3bbbfcbfbfe0.scope/foo

    $ mkdir /sys/fs/cgroup/user.slice/user-1000.slice/[email protected]/app.slice/run-radcbd24f67b041b9b73c3bbbfcbfbfe0.scope/foo

    $ ls -l /sys/fs/cgroup/user.slice/user-1000.slice/[email protected]/app.slice/run-radcbd24f67b041b9b73c3bbbfcbfbfe0.scope/foo
    total 0
    drwxr-xr-x 2 idallen idallen 0 Feb 24 04:12 ./
    drwxr-xr-x 3 idallen idallen 0 Feb 24 04:12 ../
    -r--r--r-- 1 idallen idallen 0 Feb 24 04:12 cgroup.controllers
    -r--r--r-- 1 idallen idallen 0 Feb 24 04:12 cgroup.events
    -rw-r--r-- 1 idallen idallen 0 Feb 24 04:12 cgroup.freeze
    --w------- 1 idallen idallen 0 Feb 24 04:12 cgroup.kill
    -rw-r--r-- 1 idallen idallen 0 Feb 24 04:12 cgroup.max.depth
    -rw-r--r-- 1 idallen idallen 0 Feb 24 04:12 cgroup.max.descendants
    -rw-r--r-- 1 idallen idallen 0 Feb 24 04:12 cgroup.pressure
    -rw-r--r-- 1 idallen idallen 0 Feb 24 04:12 cgroup.procs
    -r--r--r-- 1 idallen idallen 0 Feb 24 04:12 cgroup.stat
    -rw-r--r-- 1 idallen idallen 0 Feb 24 04:12 cgroup.subtree_control
    -rw-r--r-- 1 idallen idallen 0 Feb 24 04:12 cgroup.threads
    -rw-r--r-- 1 idallen idallen 0 Feb 24 04:12 cgroup.type
    -rw-r--r-- 1 idallen idallen 0 Feb 24 04:12 cpu.pressure
    -r--r--r-- 1 idallen idallen 0 Feb 24 04:12 cpu.stat
    -r--r--r-- 1 idallen idallen 0 Feb 24 04:12 cpu.stat.local
    -rw-r--r-- 1 idallen idallen 0 Feb 24 04:12 io.pressure
    -rw-r--r-- 1 idallen idallen 0 Feb 24 04:12 memory.pressure
    -r--r--r-- 1 idallen idallen 0 Feb 24 04:12 pids.current
    -r--r--r-- 1 idallen idallen 0 Feb 24 04:12 pids.events
    -rw-r--r-- 1 idallen idallen 0 Feb 24 04:12 pids.max
    -r--r--r-- 1 idallen idallen 0 Feb 24 04:12 pids.peak

    $ cgget -n -v -r cgroup.controllers user.slice/user-1000.slice/[email protected]/app.slice/run-radcbd24f67b041b9b73c3bbbfcbfbfe0.scope/foo
- pids
+ pids

    $ rmdir /sys/fs/cgroup/user.slice/user-1000.slice/[email protected]/app.slice/run-radcbd24f67b041b9b73c3bbbfcbfbfe0.scope/foo

I can't use unprivileged `cgcreate` to create anything at the same level as my current cgroup:

    $ cgcreate -g pids:user.slice/user-1000.slice/[email protected]/app.slice/run-my.scope
    cgcreate: can't create cgroup user.slice/user-1000.slice/[email protected]/app.slice/run-my.scope: Cgroup, requested group parameter does not exist

But `mkdir` works fine, as does using privilege (root, not shown) to do it:

    $ mkdir /sys/fs/cgroup/user.slice/user-1000.slice/[email protected]/app.slice/run-my.scope

    $ cgget -n -v -r cgroup.controllers user.slice/user-1000.slice/[email protected]/app.slice/run-my.scope
    cpu memory pids

    $ rmdir /sys/fs/cgroup/user.slice/user-1000.slice/[email protected]/app.slice/run-my.scope

Unprivileged `cgcreate` does not work.

P.S. Here on `bugs.launchpad.net/ubuntu` I tried to set the "In what package" box to `cgroup-tools` which is where `cgcreate` is located, but you won't let me, claiming: "cgroup-tools" does not exist in Ubuntu.

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: cgroup-tools 2.0.2-2build1
ProcVersionSignature: Ubuntu 6.8.0-53.55-generic 6.8.12
Uname: Linux 6.8.0-53-generic x86_64
ApportVersion: 2.28.1-0ubuntu3.3
Architecture: amd64
CasperMD5CheckResult: unknown
CloudArchitecture: x86_64
CloudBuildName: server
CloudID: nocloud
CloudName: unknown
CloudPlatform: nocloud
CloudSerial: 20240423
CloudSubPlatform: seed-dir (/var/lib/cloud/seed/nocloud)
Date: Mon Feb 24 04:28:19 2025
SourcePackage: libcgroup
UpgradeStatus: No upgrade log present (probably fresh install)

https://bugs.launchpad.net/bugs/2099883

Title:
  cgroups V2: unprivileged cgcreate fails with nsdelegate mount
