#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
set -eux
set -o pipefail

# Exercises cgroup delegation on the unified cgroup hierarchy.

# shellcheck source=test/units/util.sh
. "$(dirname "$0")"/util.sh

# Every check below reads paths directly under /sys/fs/cgroup, so anything
# but the unified layout is skipped and reported as success.
case "$(get_cgroup_hierarchy)" in
    unified)
        ;;
    *)
        echo "Skipping $0 as we're not running with the unified cgroup hierarchy"
        exit 0
        ;;
esac

# Cleanup handler: deletes the "test" account that the unprivileged scope
# check further down creates with useradd. "userdel -r" also removes the
# account's home directory.
at_exit() {
    # Cleanup is best effort: a failing userdel must not abort the handler.
    set +e
    userdel -r test
}

# Baseline check: Delegate= with an empty value turns delegation on without
# requesting any controllers. The unit's dynamic (unprivileged) user must then
# be able to write to the unit's cgroup directory and to the two files needed
# to manage a delegated subtree, cgroup.procs and cgroup.subtree_control.
delegated_cgroup=/sys/fs/cgroup/system.slice/test-0.service
systemd-run --wait \
    --unit=test-0.service \
    --property="DynamicUser=1" \
    --property="Delegate=" \
    test -w "$delegated_cgroup"/ -a \
         -w "$delegated_cgroup"/cgroup.procs -a \
         -w "$delegated_cgroup"/cgroup.subtree_control

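# Test if this also works for some of the more recent attrs the kernel might
# or might not support. /sys/kernel/cgroup/delegate lists the delegatable
# cgroup files one per line; an attribute missing from it is skipped.
for attr in cgroup.threads memory.oom.group memory.reclaim; do
    # Match the whole line literally (-x -F), like the /proc/self/cgroup check
    # at the end of this script. As a plain regex the "." in the attribute
    # name matches any character, and a substring hit inside a longer,
    # different attribute name would also count as "supported".
    if grep -q -x -F "$attr" /sys/kernel/cgroup/delegate; then
        systemd-run --wait \
            --unit=test-0.service \
            --property="DynamicUser=1" \
            --property="Delegate=" \
            test -w /sys/fs/cgroup/system.slice/test-0.service/ -a \
                 -w /sys/fs/cgroup/system.slice/test-0.service/"$attr"
    fi
done
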
# Delegate= with a controller list: each requested controller has to show up
# in the unit's own cgroup.controllers. "memory" is checked in test-1.service
# and "pids" in test-2.service, both started with Delegate=memory pids.
unit_index=1
for controller in memory pids; do
    systemd-run --wait \
        --unit="test-${unit_index}.service" \
        --property="DynamicUser=1" \
        --property="Delegate=memory pids" \
        grep -q "$controller" "/sys/fs/cgroup/system.slice/test-${unit_index}.service/cgroup.controllers"
    unit_index=$((unit_index + 1))
done

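# "io" is not among the controllers enabled by default for all units, verify that.
# cgroup.controllers is one line of space-separated controller names, so the
# list is read once and compared as whole words. "grep -qv io" only asks
# whether some line lacks "io": it fails on an empty controller list and
# matches "io" as a substring of any other name. A missing file still aborts
# the test, because the failed read trips "set -e".
controllers="$(</sys/fs/cgroup/system.slice/cgroup.controllers)"
[[ " $controllers " != *" io "* ]]

# Run a service with "io" enabled, and verify it works
systemd-run --wait \
    --unit=test-3.service \
    --property="IOAccounting=yes" \
    --property="Slice=system-foo-bar-baz.slice" \
    grep -q -w io /sys/fs/cgroup/system.slice/system-foo.slice/system-foo-bar.slice/system-foo-bar-baz.slice/test-3.service/cgroup.controllers

# We want to check if "io" is removed again from the controllers
# list. However, PID 1 (rightfully) does this asynchronously. In order
# to force synchronization on this, let's start a short-lived service
# which requires PID 1 to refresh the cgroup tree, so that we can
# verify that this all works.
systemd-run --wait --unit=test-4.service true

# And now check again, "io" should have vanished
controllers="$(</sys/fs/cgroup/system.slice/cgroup.controllers)"
[[ " $controllers " != *" io "* ]]
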
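# Check that unprivileged delegation works for scopes
#
# NOTE(review): no "trap" for at_exit() is visible in this script, so without
# one the "test" account outlives the run. The handler is registered only when
# this run actually created the account: "userdel -r" also deletes the home
# directory and must not hit a "test" user that already existed. A failing
# useradd is still tolerated, as before.
if useradd test; then
    trap at_exit EXIT
fi

# The scope runs as the unprivileged "test" user with Delegate=yes; that user
# has to be able to write to the scope's cgroup directory, cgroup.procs and
# cgroup.subtree_control.
systemd-run --uid=test \
    --property="User=test" \
    --property="Delegate=yes" \
    --slice workload.slice \
    --unit test-workload0.scope \
    --scope \
    test -w /sys/fs/cgroup/workload.slice/test-workload0.scope -a \
         -w /sys/fs/cgroup/workload.slice/test-workload0.scope/cgroup.procs -a \
         -w /sys/fs/cgroup/workload.slice/test-workload0.scope/cgroup.subtree_control
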
# Verify that DelegateSubgroup= affects ownership correctly: both the unit's
# cgroup and the "foo" subgroup below it must be writable by the dynamic user.
unit="test-subgroup-$RANDOM.service"
unit_cgroup="/sys/fs/cgroup/system.slice/$unit"
systemd-run --wait \
    --unit="$unit" \
    --property="DynamicUser=1" \
    --property="Delegate=pids" \
    --property="DelegateSubgroup=foo" \
    test -w "$unit_cgroup" -a \
         -w "$unit_cgroup/foo"

# Check that for the subgroup also attributes that aren't covered by
# regular (i.e. main cgroup) delegation ownership rules are delegated properly.
# Only attempted when cgroup.max.depth is present at the cgroup root.
if [[ -f /sys/fs/cgroup/cgroup.max.depth ]]; then
    unit="test-subgroup-$RANDOM.service"
    systemd-run --wait \
        --unit="$unit" \
        --property="DynamicUser=1" \
        --property="Delegate=pids" \
        --property="DelegateSubgroup=zzz" \
        test -w "/sys/fs/cgroup/system.slice/$unit/zzz/cgroup.max.depth"
fi

# Check that the invoked process itself is also in the subgroup: grep runs
# inside the unit, so /proc/self/cgroup is its own membership and has to name
# the "bar" subgroup exactly (-x -F: whole line, literal match).
unit="test-subgroup-$RANDOM.service"
expected_membership="0::/system.slice/$unit/bar"
systemd-run --wait \
    --unit="$unit" \
    --property="DynamicUser=1" \
    --property="Delegate=pids" \
    --property="DelegateSubgroup=bar" \
    grep -q -x -F "$expected_membership" /proc/self/cgroup