In cgroup v2 we have protection tunables -- currently MemoryLow and MemoryMin (there will be more in future for other resources, too). The design of these protection tunables requires not only intermediate cgroups to propagate protections, but also the units at the leaf of that resource's operation to accept it (by setting MemoryLow or MemoryMin).
This makes sense from a low-level API design perspective, but it's a good idea to also have a higher-level abstraction that can, by default, propagate these resources to children recursively. In this patch, this happens by having descendants set memory.low to N if their ancestor has DefaultMemoryLow=N -- assuming they don't set a separate MemoryLow.
Any affected unit can opt out of this propagation by manually setting `MemoryLow` to some value in its unit configuration. A unit can also stop further propagation by setting `DefaultMemoryLow=` with no argument. This removes further propagation in the subtree, but has no effect on the unit itself (for that, use `MemoryLow=0`).
Our use case in production is simplifying the configuration of machines which heavily rely on memory protection tunables, but currently require tweaking a huge number of unit files to make that a reality. This directive makes that significantly less fragile, and decreases the risk of misconfiguration.
After this patch is merged, I will implement DefaultMemoryMin= using the same principles.
c52db42b78 cgroup: Implement default propagation of MemoryLow with DefaultMemoryLow
docs/TRANSIENT-SETTINGS.md | 1 +
man/systemd.resource-control.xml | 4 +
src/core/cgroup.c | 58 ++++++++++++--
src/core/cgroup.h | 6 ++
src/core/dbus-cgroup.c | 7 ++
src/core/load-fragment-gperf.gperf.m4 | 1 +
src/core/load-fragment.c | 13 ++-
src/shared/bus-unit-util.c | 2 +-
src/shared/bus-util.c | 2 +-
src/systemctl/systemctl.c | 3 +
src/test/meson.build | 6 ++
src/test/test-cgroup-unit-default.c | 145 ++++++++++++++++++++++++++++++++++
test/dml-discard-empty.service | 7 ++
test/dml-discard-set-ml.service | 8 ++
test/dml-discard.slice | 5 ++
test/dml-override-empty.service | 7 ++
test/dml-override.slice | 5 ++
test/dml-passthrough-empty.service | 7 ++
test/dml-passthrough-set-dml.service | 8 ++
test/dml-passthrough-set-ml.service | 8 ++
test/dml-passthrough.slice | 5 ++
test/dml.slice | 5 ++
test/meson.build | 10 +++
23 files changed, 310 insertions(+), 13 deletions(-)
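
The resolution order described in the commit message, as an added C model that is not part of the patch or of systemd's code. The struct, field and unit names and the sample values are hypothetical, and the unit tree is constructed.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MIB (UINT64_C(1024) * 1024)

/* Hypothetical model of a unit; names are illustrative, not systemd's. */
typedef struct ModelUnit {
    const char *name;
    const struct ModelUnit *parent; /* containing slice, NULL at the top */
    bool ml_set;                    /* MemoryLow=<value> was given */
    uint64_t ml;
    bool dml_set;                   /* DefaultMemoryLow= was given ... */
    bool dml_empty;                 /* ... with no argument */
    uint64_t dml;
} ModelUnit;

/* 1. The unit's own MemoryLow= wins (opt out of propagation).
 * 2. Otherwise the nearest ancestor that assigns DefaultMemoryLow= decides:
 *    a value propagates, an empty assignment stops propagation.
 * 3. Otherwise there is no protection (0). */
uint64_t model_effective_memory_low(const ModelUnit *u) {
    if (u->ml_set)
        return u->ml;
    for (const ModelUnit *a = u->parent; a != NULL; a = a->parent)
        if (a->dml_set)
            return a->dml_empty ? 0 : a->dml;
    return 0;
}

/* Constructed sample tree: one slice with a default, one child that stops it. */
static const ModelUnit top    = { .name = "top.slice", .dml_set = true, .dml = 64 * MIB };
static const ModelUnit plain  = { .name = "top-plain.service", .parent = &top };
static const ModelUnit optout = { .name = "top-optout.service", .parent = &top, .ml_set = true, .ml = 0 };
static const ModelUnit pinned = { .name = "top-pinned.service", .parent = &top, .ml_set = true, .ml = 128 * MIB };
static const ModelUnit stop   = { .name = "top-stop.slice", .parent = &top, .dml_set = true, .dml_empty = true };
static const ModelUnit inner  = { .name = "top-stop-inner.service", .parent = &stop };

int main(void) {
    const ModelUnit *all[] = { &plain, &optout, &pinned, &stop, &inner };
    for (size_t i = 0; i < sizeof all / sizeof all[0]; i++)
        printf("%-24s memory.low = %" PRIu64 "\n", all[i]->name,
               model_effective_memory_low(all[i]));
    return 0;
}
```

The case most easily misconfigured is `top-stop.slice`: its empty `DefaultMemoryLow=` leaves the slice itself protected by the inherited value while its children lose protection.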