Bug#989317: systemd kill background processes after user logs out (#825394 regression)

Michael Biebl biebl at debian.org
Tue Jun 8 20:40:46 BST 2021


On 08.06.2021 at 19:05, Matt Corallo wrote:
> 
> 
> On 6/8/21 12:31, Michael Biebl wrote:
>> On 08.06.2021 at 18:08, Matt Corallo wrote:
>>> Hmmm, with set-linger and --scope I can't seem to reproduce now 
>>> either, it's possible I had forgotten the --scope at some point while 
>>> testing set-linger before, sorry for the noise here.
>>>
>>> Still, based on my read of #825394, it seems like it should be the 
>>> case that you do not need set-linger and the default behavior should 
>>> be that things aren't automatically killed in the background? Is that 
>>> something that was an intentional change?
>>
>> Change to what exactly?
>>
>> I guess we need to differentiate between login and user sessions.
>> It's my understanding that KillUserProcesses= only affects a login 
>> session.
> 
> I admit I am definitely not a systemd expert (which I suppose should be 
> obvious by now :) ), so have no idea what this means, and systemd-run's 
> man page doesn't really elucidate it. Not Debian's or your problem, of 
> course, though.
> 
>> If you start a process as part of a user session (which is what 
>> systemd-run --user does), ending that user session will stop that 
>> process.
> 
> Is there an alternate way to run things that lxc should instead be 
> recommending? In my interactions with the lxc folks it seems this 
> workaround is only relevant for Debian bullseye, so maybe other distros 
> are patching systemd or changing cgroup settings such that interacting 
> with systemd isn't required.
> 
> Similar to the discussion in 825394, having daemons spontaneously 
> killed is incredibly surprising, maybe it makes sense to enable-linger 
> by default?
> 
>> Did you use systemd-run in buster to start your lxc containers?
>> You need to be very explicit, otherwise I can only guess what exactly 
>> you were/are doing.
> 
> No, but also didn't need to, it's only with bullseye that (systemd's ?) 
> cgroup settings prevent direct calls to lxc-start, which is what makes 
> the whole thing such a mess - one cannot simply call lxc functions 
> anymore because systemd gets in the way. Using systemd for this, sadly, 
> is an exercise in puzzling through man pages and lack of documentation 
> for how to do any of this (half of the lxc docs for how to do this are 
> because I had to ask lxc maintainers how to do basic lxc things with 
> bullseye).

Antonio, Stéphane, do you have any input on how we can improve the 
situation here?

A short summary: Debian bullseye switched to cgroupv2 which now makes it 
necessary to run lxc-start as an unprivileged user via "systemd-run -p 
Delegate=yes".
This in turn makes the lxc processes part of the systemd --user session, 
not the login session. Which in turn requires "linger" to enable daemon 
processes to persist once a user logs out.

Maybe I missed something and linger is the only option in this case (and 
lxc's README.Debian could have a note about this). Or maybe there is a 
different way to achieve what Matt is trying to do?

Michael

