This document assumes that the cgroup v2 hierarchy is mouted at /sys/fs/cgroup.
Systemd only allows managing following controllers by non-root users: memory pids.
This can be avoided by
enabling controller delegation.
Verify that the delegation is enabled:
$ cat /sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.controllersThe needed controllers are cpu memory io . Follow the guide above if any of them are missing.
Start new shell in a new systemd slice:
$ systemd-run --user -p Delegate=yes --slice=my.slice --shellDo not close this shell.
Inside this shell, examine the current cgroup:
$ cat /proc/self/cgroup
0::/user.slice/user-1000.slice/[email protected]/my.slice/run-u690.service
# cd to my.slice
$ cd /sys/fs/cgroup/$(cat /proc/self/cgroup | cut -d ':' -f 3)/..
$ cat cgroup.subtree_control
cpu io memory pids
$ mkdir cgexec-rs-testingSet up environment variables.
# PARENT_CGROUP will be required when running the server
export PARENT_CGROUP=/sys/fs/cgroup/user.slice/user-1000.slice/[email protected]/my.slice
export TARGET_CGROUP=$PARENT_CGROUP/cgexec-rs-testingTo manually create a cgroup using root account:
$ export PARENT_CGROUP=/sys/fs/cgroup/my-parent
$ export TARGET_CGROUP=$PARENT_CGROUP/cgexec-rs-testing
$ mkdir $PARENT_CGROUPVerify that cgroup.subtree_control and
cgroup.controllers contain all required controllers.
If some are missing, add them:
$ echo '+cpu +memory +io' > cgroup.subtree_control
$ cat cgroup.subtree_control
cpu io memoryFinally add a target cgroup folder.
$ mkdir $TARGET_CGROUPVerify that cgroup.controllers is correct.
https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html https://systemd.io/CGROUP_DELEGATION/ https://wiki.archlinux.org/title/cgroups https://www.redhat.com/sysadmin/cgroups-part-four https://linux.die.net/man/1/cgexec https://github.com/libcgroup/libcgroup