[Pkg-sysvinit-devel] Bug#769483: /usr/sbin/service restarts daemons in the current session cgroups when not running systemd

Matteo Panella m.panella at level28.org
Wed Nov 19 23:28:52 UTC 2014


Adding an example of what happens on a system running
systemd-shim+cgmanager and sysvinit as PID1:

root@antani:~# cat /proc/$$/cgroup
10:name=systemd:/user.slice/user-1000.slice/session-1.scope
9:perf_event:/user.slice/user-1000.slice/session-1.scope
8:net_prio:/user.slice/user-1000.slice/session-1.scope
7:net_cls:/user.slice/user-1000.slice/session-1.scope
6:freezer:/user.slice/user-1000.slice/session-1.scope
5:devices:/user.slice/user-1000.slice/session-1.scope
4:cpuset:/user.slice/user-1000.slice/session-1.scope
3:cpuacct:/user.slice/user-1000.slice/session-1.scope
2:cpu:/user.slice/user-1000.slice/session-1.scope
1:blkio:/user.slice/user-1000.slice/session-1.scope

As you can see, the shell is in the current session cgroup for
all controllers (su - from an ssh login).

root@antani:~# cat /proc/`pidof ntpd`/cgroup
10:name=systemd:/
9:perf_event:/
8:net_prio:/
7:net_cls:/
6:freezer:/
5:devices:/
4:cpuset:/
3:cpuacct:/
2:cpu:/
1:blkio:/

ntpd (chosen at random) being started upon boot correctly belongs
to the root cgroup for all controllers.

root@antani:~# service ntp restart
[ ok ] Stopping NTP server: ntpd.
[ ok ] Starting NTP server: ntpd.

Now the expected behavior of service (and invoke-rc.d) would be
starting ntpd back in the root cgroup, but...

root@antani:~# cat /proc/`pidof ntpd`/cgroup
10:name=systemd:/user.slice/user-1000.slice/session-1.scope
9:perf_event:/user.slice/user-1000.slice/session-1.scope
8:net_prio:/user.slice/user-1000.slice/session-1.scope
7:net_cls:/user.slice/user-1000.slice/session-1.scope
6:freezer:/user.slice/user-1000.slice/session-1.scope
5:devices:/user.slice/user-1000.slice/session-1.scope
4:cpuset:/user.slice/user-1000.slice/session-1.scope
3:cpuacct:/user.slice/user-1000.slice/session-1.scope
2:cpu:/user.slice/user-1000.slice/session-1.scope
1:blkio:/user.slice/user-1000.slice/session-1.scope

As you can see, ntpd instead ends up in the current session cgroups.
This means that upon logout the session would linger in "closing" state
until ntpd terminates. This has other ramifications on devices ACLs if the
session belongs to a local seat (tty or X11).

Manual workaround:

root@antani:~# cgm movepidabs all / `pidof ntpd`
root@antani:~# cat /proc/`pidof ntpd`/cgroup
10:name=systemd:/
9:perf_event:/
8:net_prio:/
7:net_cls:/
6:freezer:/
5:devices:/
4:cpuset:/
3:cpuacct:/
2:cpu:/
1:blkio:/

Unfortunately, this can't be simply put into service and invoke-rc.d
because the MovePidAbs call to cgmanager is asynchronous. Forking a process
while the parent is still moving across cgroup boundaries can cause the child
to end up in the old cgroups.

If you need more details I'd be happy to provide them.

Regards,
-- 
Matteo Panella
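
Added example (not part of the original message and not code from the sysvinit package): a shell check that reads /proc/<pid>/cgroup-format text and lists the controllers in which a process sits inside a login-session scope, which is the state shown above for ntpd after "service ntp restart". The function names and the abbreviated sample listings are constructed for this example.

```shell
#!/bin/sh
# Added example: flag processes left in a login-session cgroup.

# session_cgroups: read /proc/<pid>/cgroup-format lines on stdin and print
# "controller path" for every hierarchy whose path is inside a session scope.
# Exit status 0 if at least one was found, 1 otherwise.
session_cgroups() {
    awk -F: '
        {
            # Line format is id:controllers:path; rejoin a path containing ":"
            path = $3
            for (i = 4; i <= NF; i++) path = path ":" $i
            if (path ~ "(^|/)session-[^/]*\\.scope(/|$)") {
                print $2 " " path
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# check_pid: run the check on a live process; status 2 if it cannot be read.
check_pid() {
    [ -r "/proc/$1/cgroup" ] || return 2
    session_cgroups < "/proc/$1/cgroup"
}

# count_leaked: number of hierarchies in a session scope for the given text.
count_leaked() {
    printf '%s\n' "$1" | session_cgroups | wc -l | tr -d ' '
}

# Constructed samples, abbreviated from the listings in the message above.
SAMPLE_ROOT='10:name=systemd:/
5:devices:/
1:blkio:/'
SAMPLE_SESSION='10:name=systemd:/user.slice/user-1000.slice/session-1.scope
5:devices:/user.slice/user-1000.slice/session-1.scope
1:blkio:/user.slice/user-1000.slice/session-1.scope'

# Usage: sh check.sh PID...   (with no arguments nothing is inspected)
for pid in "$@"; do
    if out=$(check_pid "$pid"); then
        printf 'PID %s is in a session cgroup:\n%s\n' "$pid" "$out"
    fi
done
```

Run after a restart as, for example, sh check.sh `pidof ntpd`; no output means the daemon is outside every session scope.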
