Support "run.oci.systemd.subgroup" annotation

[AkihiroSuda]

https://github.com/containers/crun/blob/a4f4fb90835bb79cd12bafb14a5b3d3f55edd7c6/crun.1.md#runocisystemdsubgroupsubgroup

run.oci.systemd.subgroup=SUBGROUP

Override the name for the systemd sub cgroup created under the systemd scope, so the final cgroup will be like:

/sys/fs/cgroup/$PATH/$SUBGROUP

When it is set to the empty string, a sub cgroup is not created.

If not specified, it defaults to container on cgroup v2, and to "" on cgroup v1.

e.g.

/sys/fs/cgroup//system.slice/foo-352700.scope/container

To avoid diversion across runc and crun, we should use "container" subgroup by default on cgroup2. (EDIT Probably we don't need to change the default: https://github.com/opencontainers/runc/issues/2448#issuecomment-636881647)

[AkihiroSuda]

@giuseppe @kolyshkin Do you think this should be in rc90 (rc11)? or rc91 (rc12)?

[giuseppe]

I am not sure it makes sense for runc. For crun I've added the /container suffix because cgroups are handled differently. crun uses systemd only to create and delegate a cgroup, that is managed by cgroupfs. crun never uses the d-bus properties for dealing with systemd cgroups. Systemd allows to write only to sub-cgroups, even when they are delegated, so adding the suffix was a forced choice.

[AkihiroSuda]

@giuseppe Thanks for clarification, I can close this issue then. Any chance to let crun follow the runc convention (no /container subgroup on v2)? If not, could you add the difference to crun documentation?

[giuseppe]

Any chance to let crun follow the runc convention (no /container subgroup on v2)? If not, could you add the difference to crun documentation?

A subgroup is required when using systemd delegation, unless the cgroup is configured with the d-bus API, that I don't really like. I will document the difference in crun.