Open arianvp opened 8 months ago
Related: https://github.com/systemd/systemd/issues/13535
I have a feeling this is because teleport is messing with the cgroup tree itself, but this apparently isn't allowed in cgroups v2.
In general what Teleport is doing here (creating a `teleport` cgroup in the cgroup hierarchy) is explicitly not supported by systemd. It is really not allowed. This is because cgroups v2 should follow the single-writer rule.
I think teleport should just leave the cgroup creation to `pam_systemd.so` and reuse the `session-xx.scope` cgroup that `pam_systemd.so` allocates for the session if PAM mode is enabled?
Otherwise teleport can spawn its own `.scope` units through the systemd API.
If teleport really insists on managing its own cgroup tree, the cgroups should be rooted under `/system.slice/teleport.service` and the systemd unit should set `Delegate=yes`, I think.
See: https://systemd.io/CGROUP_DELEGATION/
> if your container manager creates and manages cgroups in the system's root cgroup you violate rule 2, as the root cgroup is managed by systemd and hence off limits to everybody else.
This only happens when BPF session recording is enabled. If you disable it I get the desired behaviour:
```
% systemctl status
CGroup: /
├─init.scope
│ └─1 /usr/lib/systemd/systemd
├─system.slice
│ └─teleport-ssh-node.service
│   └─312375 /usr/bin/teleport start
└─user.slice
  └─user-1016.slice
    ├─session-86.scope
    │ ├─312400 /usr/bin/teleport exec
    │ ├─312416 -zsh
    │ ├─312436 systemctl status
    │ └─312437 less
    └─user@1016.service
      └─init.scope
        ├─312408 /usr/lib/systemd/systemd --user
        └─312409 "(sd-pam)"
```
systemd-logind creates a cgroup tree for each logged-in user. When PAM is enabled the user session is correctly created; however, the shell that teleport spawns is not in the user's cgroup tree. This means you can't set per-user limits with logind.
Expected behavior (This is what SSH does).
Current behavior:
Bug details:
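An added example, not part of the original issue and not code from Teleport or systemd: a small bash helper that reads a process's cgroup v2 path from `/proc/<pid>/cgroup` and classifies it against the delegation rules referenced above (root cgroup off limits, delegated subtree under a `Delegate=yes` unit, logind session scope, other systemd-managed unit), plus a check for whether a shell landed inside the user's logind slice so per-user limits apply. The unit name `teleport.service`, the drop-in path, and the sample `/proc/<pid>/cgroup` contents are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not code from Teleport or systemd: classify where a process's
# cgroup v2 path sits relative to the rules in systemd.io/CGROUP_DELEGATION.
# Assumptions (illustrative, not from the issue): the unit is "teleport.service",
# the drop-in path below, and the sample /proc/<pid>/cgroup contents are constructed.

# Extract the unified-hierarchy path from /proc/<pid>/cgroup text on stdin.
# On cgroups v2 the file holds a single "0::/<path>" line; v1 lines are skipped.
cgroup_v2_path() {
  sed -n 's/^0::\(.*\)$/\1/p' | head -n 1
}

# Print one of:
#   root            the root cgroup itself ("/")
#   root-violation  a cgroup created directly under "/" (rule 2: root belongs to systemd)
#   delegated       inside the subtree of the unit that sets Delegate=yes
#   session         inside a logind-managed per-user session scope
#   managed         any other systemd-managed unit or slice
classify_cgroup() {
  local path=$1 delegated_root=$2
  case "$path" in
    /) echo root ;;
    "$delegated_root"|"$delegated_root"/*) echo delegated ;;
    /user.slice/user-*.slice/session-*.scope|/user.slice/user-*.slice/session-*.scope/*) echo session ;;
    /init.scope|/init.scope/*|/*.slice/*) echo managed ;;
    *) echo root-violation ;;
  esac
}

# Return 0 when the path is inside the given user's logind slice, i.e. where
# per-user resource limits configured on user-<uid>.slice apply; 1 otherwise.
in_user_slice() {
  local path=$1 uid=$2
  case "$path" in
    /user.slice/user-"$uid".slice/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Drop-in for the "root the tree under the service and set Delegate=yes" approach.
delegate_dropin() {
  cat <<'EOF'
# /etc/systemd/system/teleport.service.d/delegate.conf  (assumed path)
[Service]
Delegate=yes
EOF
}

# Constructed sample contents of /proc/<pid>/cgroup (not captured from a real host).
SAMPLE_SSH_SHELL='0::/user.slice/user-1016.slice/session-86.scope'
SAMPLE_ROOT_CGROUP='0::/teleport/session-7'
SAMPLE_DELEGATED='0::/system.slice/teleport.service/session-7'

demo() {
  local root=/system.slice/teleport.service sample p
  for sample in "$SAMPLE_SSH_SHELL" "$SAMPLE_ROOT_CGROUP" "$SAMPLE_DELEGATED"; do
    p=$(printf '%s\n' "$sample" | cgroup_v2_path)
    printf '%-48s %-15s in-user-1016-slice=%s\n' "$p" "$(classify_cgroup "$p" "$root")" \
      "$(in_user_slice "$p" 1016 && echo yes || echo no)"
  done
  delegate_dropin
}
demo
```

On a real host, replace the constructed samples with `cat /proc/<pid>/cgroup` for the shell that `teleport exec` spawned; a `root-violation` result is the rule 2 case from the quoted document, and `in_user_slice` returning 1 is the situation described in the last paragraph, where logind's per-user limits do not reach the shell.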