git.ipfire.org Git - thirdparty/systemd.git/commit

author	Lennart Poettering <lennart@poettering.net>
	Fri, 13 Jun 2025 08:29:01 +0000 (10:29 +0200)
committer	Lennart Poettering <lennart@poettering.net>
	Fri, 11 Jul 2025 16:17:04 +0000 (18:17 +0200)
commit	0fc45c8d20ad46ab9be0d8f29b16e606e0dd44ca
tree	f89ee36f1ba5ca1c67b2cb7c7cca280f61325ce1	tree \| snapshot
parent	3cfa7826d281d27a7aba3fe4c08bdcf54ddfb89b	commit \| diff

vmspawn: substantially beef up cgroup logic, to match more closely what nspawn does

This beefs up the cgroup logic, adding --slice=, --property= to vmspawn
the same way it already exists in nspawn.

There are a bunch of differences though: we don't delegate the cgroup
access in the allocated unit (since qemu wouldn't need that), and we do
registration via varlink not dbus. Hence, while this follows a similar
logic now, it differs in a lot of details.

This makes in particular one change: when invoked on the command line
we'll only add the qemu instance to the allocated scope, not the vmspawn
process itself (this follows more closely how nspawn does this where
only the container payload has its scope, not nspawn itself). This is
quite tricky to implement: unlike in nspawn we have auxiliary services
to start, with depencies to the scope. This means we need to start the
scope early, so that we know the scope's name. But the command line to
invoke is only assembled from the data we learn about the auxiliary
services, hence much later. To addres we'll now fork off the child that
eventually will become early, then move it to a scope, prepare the
cmdline and then very late send the cmdline (and the fds we want to
pass) to the prepared child, which then execs it.

man/systemd-vmspawn.xml		diff \| blob \| blame \| history
src/vmspawn/vmspawn-scope.c		diff \| blob \| blame \| history
src/vmspawn/vmspawn-scope.h		diff \| blob \| blame \| history
src/vmspawn/vmspawn.c		diff \| blob \| blame \| history