Hello.

On Sat, Jun 15, 2024 at 04:49:33PM GMT, Andrei Borzenkov <arvidj...@gmail.com> 
wrote:
> ...
> Which does not really solve the problem. So, once again:
> 
> - nftables allow filtering based on cgroupv2 path
> - cgroupv2 path is resolved at the time rule is processed. It is impossible
> to configure rule for a future cgroup

Can nftables accept non-leaf cgroup? (Of a .slice unit)

> So, no mantra about one ring to rule them all is going to help here as long
> as none of the following is possible
> 
> - systemd (which puts processes in cgroups) will also add corresponding
> nftables rule that refers to this new transient cgroup

I think systemd comes with its own filtering based on BPF (see
systemd.resource-control(5), "Network Accounting and Control") or see
NFTSet= in the same section, does that solve the issue?


> - or-
> 
> - systemd allows pre-creation of cgroups and *atomic* placement of processes
> in them

systemd places process either via clone-migrate-exec or
clone(CLONE_INTO_CGROUP) idioms, so the newly exec'd process starts in
the desired cgroup.

This is utilized with the .slice unit above (but it must be "pinned"
into existence with some sibling unit).

(Migrating already running processes with their runtime state is nothing
I'd recommend.)

Michal

Reply via email to