Merge pull request #1768 from giuseppe/drop-default-systemd-sub-cgroup

flouthoc · web-flow · commit f9fd70505d94 · 2025-09-04T08:32:39.000-07:00
cgroup: do not create a sub-cgroup by default
diff --git a/crun.1 b/crun.1
@@ -577,27 +577,29 @@ chown -R the_user.the_user /sys/fs/cgroup/systemd
 .EE
 
 .SH \fBrun.oci.systemd.subgroup=SUBGROUP\fR
-Override the name for the systemd sub cgroup created under the systemd
-scope, so the final cgroup will be like:
+This configuration option allows you to define a sub-cgroup that will
+be created under a systemd-managed cgroup for your container.
+
+.PP
+When SUBGROUP is specified, the complete cgroup path will follow this
+structure:
 
 .EX
 /sys/fs/cgroup/$PATH/$SUBGROUP
 .EE
 
 .PP
-When it is set to the empty string, a sub cgroup is not created.
-
-.PP
-If not specified, it defaults to \fBcontainer\fR on cgroup v2, and to \fB""\fR
-on cgroup v1.
-
-.PP
-e.g.
+If \fBSUBGROUP\fR is set to \fBcontainer\fR, a typical path could be:
 
 .EX
-/sys/fs/cgroup//system.slice/foo-352700.scope/container
+/sys/fs/cgroup/system.slice/foo-352700.scope/container
 .EE
 
+.PP
+If \fBSUBGROUP\fR is set to an empty string, no sub-cgroup will be
+created.  By default, this option is not configured, meaning no
+sub-cgroup is created unless explicitly set.
+
 .SH \fBrun.oci.delegate-cgroup=DELEGATED-CGROUP\fR
 If the \fBrun.oci.systemd.subgroup\fR annotation is specified, yet another
 sub-cgroup is created and the container process is moved here.
diff --git a/crun.1.md b/crun.1.md
@@ -489,24 +489,25 @@ chown -R the_user.the_user /sys/fs/cgroup/systemd
 
 ## `run.oci.systemd.subgroup=SUBGROUP`
 
-Override the name for the systemd sub cgroup created under the systemd
-scope, so the final cgroup will be like:
+This configuration option allows you to define a sub-cgroup that will
+be created under a systemd-managed cgroup for your container.
+
+When SUBGROUP is specified, the complete cgroup path will follow this
+structure:
 
 ```
 /sys/fs/cgroup/$PATH/$SUBGROUP
 ```
 
-When it is set to the empty string, a sub cgroup is not created.
-
-If not specified, it defaults to `container` on cgroup v2, and to `""`
-on cgroup v1.
-
-e.g.
-
+If `SUBGROUP` is set to `container`, a typical path could be:
 ```
-/sys/fs/cgroup//system.slice/foo-352700.scope/container
+/sys/fs/cgroup/system.slice/foo-352700.scope/container
 ```
 
+If `SUBGROUP` is set to an empty string, no sub-cgroup will be
+created.  By default, this option is not configured, meaning no
+sub-cgroup is created unless explicitly set.
+
 ## `run.oci.delegate-cgroup=DELEGATED-CGROUP`
 
 If the `run.oci.systemd.subgroup` annotation is specified, yet another
diff --git a/src/libcrun/cgroup-systemd.c b/src/libcrun/cgroup-systemd.c
@@ -1987,7 +1987,7 @@ find_systemd_subgroup (string_map *annotations)
       return annotation;
     }
 
-  return "container";
+  return NULL;
 }
 
 static int

Original file line number	Diff line number	Diff line change
`@@ -1987,7 +1987,7 @@ find_systemd_subgroup (string_map *annotations)`
`1987`	`1987`	`return annotation;`
`1988`	`1988`	`}`
`1989`	`1989`
`1990`		`- return "container";`
	`1990`	`+ return NULL;`
`1991`	`1991`	`}`
`1992`	`1992`
`1993`	`1993`	`static int`