author: Ryan Wilson <ryantimwilson@meta.com> 2024-10-18 20:41:09 +0200
committer: Ryan Wilson <ryantimwilson@meta.com> 2024-10-28 16:37:36 +0100
commit: cd58b5a13537fc89b669ff9232ba2206214c9fa1
tree: e5dd41b7cf691378b2023deb37042721dba70cfd /presets
parent: core: Refactor ProtectControlGroups= to use enum vs bool
cgroup: Add support for ProtectControlGroups= private and strict
This commit adds two settings private and strict to the ProtectControlGroups= property. Private will unshare the cgroup namespace and mount a read-write private cgroup2 filesystem at /sys/fs/cgroup. Strict does the same except the mount is read-only. Since the unit is running in a cgroup namespace, the new root of /sys/fs/cgroup is the unit's own cgroup.

We also add a new dbus property ProtectControlGroupsEx which accepts strings instead of boolean. This will allow users to use private/strict via dbus and systemd-run in addition to service files.

Note private and strict fall back to no and yes respectively if the kernel doesn't support cgroup2 or system is not using unified hierarchy.

Fixes: #34634
Diffstat (limited to 'presets')
0 files changed, 0 insertions, 0 deletions
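One way to check from inside a unit which cgroup view it actually received, including the fallback to no/yes that the commit message describes. This is an added example, not code from the systemd tree; the function names, the sample inputs and the root-path heuristic are assumptions.

```shell
# Added example, not systemd code. Classifies a process's cgroup view from the
# text of /proc/self/mountinfo and /proc/self/cgroup.

# Constructed sample inputs (not captured from a real host).
SAMPLE_MOUNTINFO_RO='36 25 0:31 / /sys/fs/cgroup ro,nosuid,nodev,noexec - cgroup2 cgroup2 rw,nsdelegate'
SAMPLE_MOUNTINFO_RW='36 25 0:31 / /sys/fs/cgroup rw,nosuid,nodev,noexec shared:9 - cgroup2 cgroup2 rw,nsdelegate'
SAMPLE_CGROUP_NS='0::/'
SAMPLE_CGROUP_HOST='0::/system.slice/demo.service'

# Print the per-mount options of the cgroup2 mount at /sys/fs/cgroup, if any.
cgroup2_mount_opts() {
    # mountinfo: field 5 = mount point, field 6 = per-mount options; the
    # filesystem type is the first field after the "-" separator.
    printf '%s\n' "$1" | awk '
        $5 == "/sys/fs/cgroup" {
            for (i = 7; i <= NF; i++)
                if ($i == "-" && $(i + 1) == "cgroup2") opts = $6
        }
        END { if (opts != "") print opts }'
}

# Print the unified-hierarchy path (the "0::" line) from /proc/self/cgroup text.
unified_cgroup_path() {
    printf '%s\n' "$1" | sed -n 's/^0:://p' | head -n 1
}

# classify_cgroup_view MOUNTINFO_TEXT CGROUP_TEXT
# Prints the setting the view corresponds to: strict|private|yes|no|no-cgroup2
classify_cgroup_view() {
    opts=$(cgroup2_mount_opts "$1")
    path=$(unified_cgroup_path "$2")
    [ -n "$opts" ] || { echo no-cgroup2; return 0; }
    case ",$opts," in
        *,ro,*) readonly_mount=1 ;;
        *)      readonly_mount=0 ;;
    esac
    # Assumption (heuristic): a unit never runs in the host root cgroup, so a
    # path of "/" means the unit's own cgroup is the root of its namespace.
    if [ "$path" = "/" ]; then namespaced=1; else namespaced=0; fi
    case "$namespaced$readonly_mount" in
        11) echo strict ;;
        10) echo private ;;
        01) echo yes ;;
        00) echo no ;;
    esac
}

# Live use inside a unit:
# classify_cgroup_view "$(cat /proc/self/mountinfo)" "$(cat /proc/self/cgroup)"
```

A unit configured with strict that reports `yes`, or one configured with private that reports `no`, is running under the fallback and has no private cgroup namespace.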