On Fri, 20.05.16 20:10, Mike Gulick (mike.gul...@mathworks.com) wrote:

> Hi systemd-devel,
>
> I'm on Debian Jessie running the default systemd-215. I have a
> daemon (running as root, controlled by systemd), whose job it is to
> launch on-demand VNC servers for other users. Currently, this
> daemon uses a shell command like the following to launch the vnc
> server for a given $USER:
>
> sudo -i -u $USER /bin/sh -l -c 'cd \$HOME && /path/to/vncserver $ARGS'
>
> The issue I'm having is that the user VNC sessions being created all
> share the same systemd login session as my daemon. I can see this
> by running systemd-cgls.

My recommendation would be to define this as a template service in
systemd, and use PAM= to make sure the invoked binary gets a PAM
session (and thus a logind session) assigned.

> The users of these VNC sessions would like to be able to use
> "systemd-run --user --scope -p MemoryLimit=X COMMAND" to launch a
> command with cgroup-based resource limiting. However without a user
> session, this results in "Failed to create bus connection:
> Connection refused".

Note that MemoryLimit= is not supported for user services, as cgroup
controller delegation is generally not safe in the traditional cgroup
hierarchy.

> There's too many users to create static systemd unit files, and it
> doesn't seem like I can create and load .service files on the
> fly. The "machinectl shell" command
> (https://github.com/systemd/systemd/pull/1022) looks promising, but
> unfortunately it's not in my systemd yet. I've tried searching
> through this mailing list's history, but the results all were dead
> ends.

215 is pretty old. Transient units are really useful only on much
newer systemd versions. Sorry.

> It seems like there's a lot of pieces needed to make this work
> (dbus, XDG env vars, systemd --user), and all of the recommendations
> say to go through pam_systemd.so. I'm not afraid of interacting
> with PAM, but I don't really understand what's needed, and I can't
> actually authenticate as the user because I don't know their
> password (currently this daemon is root so it doesn't need a
> password to switch user).

PAM is how user sessions are set up on Linux, and logind (through
pam_systemd) hooks into that for that.

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
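
Added example, not part of the original thread and not code from either poster: a template unit along the lines of the recommendation in the reply, with the PAM setting written as PAMName=, the directive name documented in systemd.exec(5). The unit file name, the PAM service name "login", Type=forking and the omission of $ARGS are assumptions made for illustration.

```ini
# /etc/systemd/system/vncserver@.service   (hypothetical file name)
#
# One template covers every user: the instance name after "@" is the
# login name, so the root daemon starts a session with
#   systemctl start vncserver@alice.service
# instead of calling sudo, and no per-user unit files are needed.

[Unit]
Description=On-demand VNC server for %i

[Service]
# Assumption: the vncserver wrapper forks into the background.
# Use Type=simple if your VNC server stays in the foreground.
Type=forking

# Run as the instance user. systemd performs the user switch itself,
# so the user's password is never needed.
User=%i

# Open a PAM session for the service process. Assumption: the "login"
# PAM stack on this host includes pam_systemd.so in its session phase,
# which registers the session with logind and sets XDG_RUNTIME_DIR.
PAMName=login

# "$$" hands a literal "$" to the shell, so HOME is expanded by sh
# inside the new session rather than by systemd when it parses the line.
ExecStart=/bin/sh -l -c 'cd "$$HOME" && exec /path/to/vncserver'
```

After starting an instance, `loginctl list-sessions` and `systemd-cgls` should show the VNC processes under their own session for that user rather than under the daemon's.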