a8

分支 (10)

标签 (4)

管理

管理

a8

a7

a23

a8-sw

a8.8

a8.5

a23-dev

a8.4

a8.2

master

v8.8

systemd-239-74.0.2

systemd-239-74.0.1

systemd-239-58.0.5

systemd
/
20003-core-introduce-cgroup-full-dele...

From f25124fabe1ed973840291d46549af6e1c5fad56 Mon Sep 17 00:00:00 2001
From: "zhongling.h" <zhongling.h@alibaba-inc.com>
Date: Fri, 4 Aug 2023 10:08:16 +0800
Subject: [PATCH] core: introduce cgroup full delegation for compability

While using systemd-219, users can set 'delegate=y' to claim the
possession of cgroup settings. By then, users are able to write raw
values under /sys/fs/cgroup to adjust cgroup settings and systemd
won't touch these values any longer.

However, this is likely to be an undefined behaviour for systemd-219.
Upon releasing systemd-239, a documentation of cgroup delegation was
added,
https://github.com/systemd/systemd/commit/e30eaff3a32523b09d61af67fc999f1f62f4e0cb.
It states that:

Only sub-trees can be delegated (though whoever decides to request a
sub-tree can delegate sub-sub-trees further to somebody else if they
like it).'

Which is quite different from what people understand the delegation of
systemd-219. Currently, whether a unit is delegated or not, systemd always
possesses any cgroup it created, only ignoring the sub-tree ones
according to delegation settings.

This behaviour change causes confusion if users switch from systemd-219 to
systemd-239. As a result, we introduce 'FullDelegation', a feature that
brings what users are already familiar with to systemd-239. If users set
'FullDelegation=yes' in /etc/systemd/system.conf, they can control raw
values under /sys/fs/cgroup without worrying systemd touching these
values, which is the same as what they expected with systemd-219.

---
 src/core/cgroup.c       | 16 ++++++++++++++++
 src/core/main.c         |  4 ++++
 src/core/manager.h      |  1 +
 src/core/system.conf.in |  1 +
 4 files changed, 22 insertions(+)

diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index ea92aa6f7b..17e3b90e37 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -1692,6 +1692,15 @@ static int unit_create_cgroup(
         /* Keep track that this is now realized */
         u->cgroup_realized = true;
         u->cgroup_realized_mask = target_mask;
+
+        // While realizing cgroup, we don't realize delegated cgroup, therefore, target_mask
+        // doesn't contain delegated cgroup controller bit, and u->cgroup_realized_mask will
+        // not contain delegated cgroup controller bit as well. This unit will be in a state
+        // as if delegated cgroup is not set, which is not expected.
+        // If this is not present, delegated cgroup will be set every 2 systemctl daemon-reload
+        if (u->manager->full_delegation && unit_cgroup_delegate(u))
+                u->cgroup_realized_mask |= unit_get_delegate_mask(u);
+
         u->cgroup_enabled_mask = enable_mask;
         u->cgroup_bpf_state = needs_bpf ? UNIT_CGROUP_BPF_ON : UNIT_CGROUP_BPF_OFF;

@@ -1921,6 +1930,10 @@ static int unit_realize_cgroup_now(Unit *u, ManagerState state) {
         needs_bpf = unit_get_needs_bpf(u);

         target_mask &= ~CGROUP_MASK_DEVICES;
+
+        if (u->manager->full_delegation && unit_cgroup_delegate(u))
+                target_mask ^= u->cgroup_realized_mask;
+
         if (unit_has_mask_realized(u, target_mask, enable_mask, needs_bpf))
                 return 0;

@@ -2883,6 +2896,9 @@ int unit_reset_ip_accounting(Unit *u) {
 void unit_invalidate_cgroup(Unit *u, CGroupMask m) {
         assert(u);

+        if (u->manager->full_delegation)
+                m ^= unit_get_delegate_mask(u); // don't invalidate delegated cgroup
+
         if (!UNIT_HAS_CGROUP_CONTEXT(u))
                 return;

diff --git a/src/core/main.c b/src/core/main.c
index 546bf0d870..68daf07077 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -142,6 +142,7 @@ static bool reexec_jmp_can = false;
 static bool reexec_jmp_inited = false;
 static sigjmp_buf reexec_jmp_buf;
 static bool arg_default_cpuset_clone_children = false;
+static bool arg_full_delegation = false;

 static int parse_configuration(const struct rlimit *saved_rlimit_nofile,
                                const struct rlimit *saved_rlimit_memlock);
@@ -768,6 +769,8 @@ static int parse_config_file(void) {
                 { "Manager", "DefaultTasksMax",           config_parse_tasks_max,        0, &arg_default_tasks_max                 },
                 { "Manager", "CtrlAltDelBurstAction",     config_parse_emergency_action, 0, &arg_cad_burst_action                  },
 		{ "Manager", "DefaultCPUSetCloneChildren",config_parse_bool,             0, &arg_default_cpuset_clone_children     },
+                { "Manager", "FullDelegation",            config_parse_bool,             0, &arg_full_delegation                   },
+
                 {}
         };

@@ -817,6 +820,7 @@ static void set_manager_defaults(Manager *m) {
         m->default_memory_accounting = arg_default_memory_accounting;
         m->default_tasks_accounting = arg_default_tasks_accounting;
         m->default_tasks_max = arg_default_tasks_max;
+        m->full_delegation = arg_full_delegation;

         manager_set_default_rlimits(m, arg_default_rlimit);
         manager_environment_add(m, NULL, arg_default_environment);
diff --git a/src/core/manager.h b/src/core/manager.h
index 98d381bc5b..91f2c05afe 100644
--- a/src/core/manager.h
+++ b/src/core/manager.h
@@ -297,6 +297,7 @@ struct Manager {
         bool default_blockio_accounting;
         bool default_tasks_accounting;
         bool default_ip_accounting;
+        bool full_delegation;

         uint64_t default_tasks_max;
         usec_t default_timer_accuracy_usec;
diff --git a/src/core/system.conf.in b/src/core/system.conf.in
index 2f6852a89f..6c84a55401 100644
--- a/src/core/system.conf.in
+++ b/src/core/system.conf.in
@@ -67,3 +67,4 @@ DefaultLimitCORE=0:infinity
 #DefaultLimitRTTIME=
 #IPAddressAllow=
 #IPAddressDeny=
+#FullDelegation=no
--
2.39.3