Cgroups without root?

I am implementing a simple virtualization using cgroups v2. I was able to make a non-root user mount the filesystem in it’s sandbox via namespaces and mapping UID/GID to root via Clone syscall, but I can’t make this user to create/manipulate cgroups even within it’s own group, even of it’s own processes.

Is it supported? Is it possible that non-root user sets cgroup limits to it’s own processes without sudo? Is there a code snippet I could look at?

I’m not the most comfortable with these concepts, but IIRC Podman allow an unprivileged user to manage the limitions on the containers it starts without the need of root at all with it’s rootless mode. But to use this, you need to enable cgroups delegation at systemd level.

It may worth take a look and try some things after enable delegation :

cgroup v2 | Rootless Containers

Control Group APIs and Delegation (

non-root users can use cgroups but only if a privileged user has created them entries and chown-ed them so that the user can create sub-entries or modify the limits.