| Age | Commit message (Collapse) | Author |
|---|
|
subhierarchies
For priviliged units this resource control property ensures that the
processes have all controllers systemd manages enabled.
For unpriviliged services (those with User= set) this ensures that
access rights to the service cgroup is granted to the user in question,
to create further subgroups. Note that this only applies to the
name=systemd hierarchy though, as access to other controllers is not
safe for unpriviliged processes.
Delegate=yes should be set for container scopes where a systemd instance
inside the container shall manage the hierarchies below its own cgroup
and have access to all controllers.
Delegate=yes should also be set for user@.service, so that systemd
--user can run, controlling its own cgroup tree.
This commit changes machined, systemd-nspawn@.service and user@.service
to set this boolean, in order to ensure that container management will
just work, and the user systemd instance can run fine.
|
|
THis way we can remove cgroup priviliges after setup, but get them back
for the next restart, as we need it.
|
|
This causes the container to shut down cleanly when the service is
stopped.
|
|
|
|
|
|
ControlGroup= is obsolete, so let's drop it from the default nspawn unit
file.
|
|
running containers as system services
|
