summaryrefslogtreecommitdiff
path: root/src/core/service.c
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2014-11-05 17:57:23 +0100
committerLennart Poettering <lennart@poettering.net>2014-11-05 18:49:14 +0100
commita931ad47a8623163a29d898224d8a8c1177ffdaf (patch)
tree34741242cc98bf038f3b57058e4b283b0d53b275 /src/core/service.c
parentc962cb68d5754690cbe924a0d0b4251053217783 (diff)
core: introduce new Delegate=yes/no property controlling creation of cgroup subhierarchies
For priviliged units this resource control property ensures that the processes have all controllers systemd manages enabled. For unpriviliged services (those with User= set) this ensures that access rights to the service cgroup is granted to the user in question, to create further subgroups. Note that this only applies to the name=systemd hierarchy though, as access to other controllers is not safe for unpriviliged processes. Delegate=yes should be set for container scopes where a systemd instance inside the container shall manage the hierarchies below its own cgroup and have access to all controllers. Delegate=yes should also be set for user@.service, so that systemd --user can run, controlling its own cgroup tree. This commit changes machined, systemd-nspawn@.service and user@.service to set this boolean, in order to ensure that container management will just work, and the user systemd instance can run fine.
Diffstat (limited to 'src/core/service.c')
-rw-r--r--src/core/service.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/src/core/service.c b/src/core/service.c
index f27e63eb9a..6a27e8f67d 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -1000,6 +1000,7 @@ static int service_spawn(
exec_params.confirm_spawn = UNIT(s)->manager->confirm_spawn;
exec_params.cgroup_supported = UNIT(s)->manager->cgroup_supported;
exec_params.cgroup_path = path;
+ exec_params.cgroup_delegate = s->cgroup_context.delegate;
exec_params.runtime_prefix = manager_get_runtime_prefix(UNIT(s)->manager);
exec_params.unit_id = UNIT(s)->id;
exec_params.watchdog_usec = s->watchdog_usec;