From a931ad47a8623163a29d898224d8a8c1177ffdaf Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 5 Nov 2014 17:57:23 +0100
Subject: core: introduce new Delegate=yes/no property controlling creation of cgroup subhierarchies

For priviliged units this resource control property ensures that the processes have all controllers systemd manages enabled. For unpriviliged services (those with User= set) this ensures that access rights to the service cgroup is granted to the user in question, to create further subgroups. Note that this only applies to the name=systemd hierarchy though, as access to other controllers is not safe for unpriviliged processes. Delegate=yes should be set for container scopes where a systemd instance inside the container shall manage the hierarchies below its own cgroup and have access to all controllers. Delegate=yes should also be set for user@.service, so that systemd --user can run, controlling its own cgroup tree. This commit changes machined, systemd-nspawn@.service and user@.service to set this boolean, in order to ensure that container management will just work, and the user systemd instance can run fine.
---
src/core/execute.h | 2 ++
1 file changed, 2 insertions(+)
(limited to 'src/core/execute.h')

diff --git a/src/core/execute.h b/src/core/execute.h
index c45dde53a6..b16a24d0c6 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -207,6 +207,7 @@ struct ExecParameters {
 bool selinux_context_net;
 CGroupControllerMask cgroup_supported;
 const char *cgroup_path;
+ bool cgroup_delegate;
 const char *runtime_prefix;
 const char *unit_id;
 usec_t watchdog_usec;
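Review bot: The new `cgroup_delegate` field in ExecParameters carries no comment, although by the commit description it is the switch that decides whether a User= service is handed ownership of its own cgroup subtree, and the description is explicit that this is only safe on the name=systemd hierarchy. A reader of the header alone cannot see that constraint, so I would annotate the field: `bool cgroup_delegate; /* hand the unit's cgroup subtree to the service; for User= units only the name=systemd hierarchy is made writable, other controllers must stay root-owned */`. The struct ExecParameters definition starts before this hunk, so I cannot see how callers fill it; if any caller assigns fields individually rather than zero-initializing, the new field would hold stack garbage and could enable delegation by accident, which is worth confirming.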
@@ -244,6 +245,7 @@ int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_r
 int exec_context_load_environment(const ExecContext *c, const char *unit_id, char ***l);
 bool exec_context_may_touch_console(ExecContext *c);
+bool exec_context_maintains_privileges(ExecContext *c);
 void exec_status_start(ExecStatus *s, pid_t pid);
 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status);
-- 
cgit v1.2.3-54-g00ecf
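Review bot: `exec_context_maintains_privileges` is declared with a non-const `ExecContext *c` although, as a predicate, it presumably only reads the context; the neighbouring `exec_context_load_environment` already takes `const ExecContext *c`, so I would declare it `bool exec_context_maintains_privileges(const ExecContext *c);` unless the implementation (not in this diff) actually mutates c. The name also leaves a security-relevant contract undocumented: if this is the test that decides whether a delegated cgroup is chowned to an unprivileged user, the header should state what "maintaining privileges" means (the commit description suggests User= being unset), e.g. `/* true if the unit's processes keep root privileges (no User=), so a delegated cgroup subtree need not be chowned to a user */`. The prototype list this hunk sits in continues outside the hunk.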