Hey, can somebody please explain to me why processes from the lxc CLI kinda “escape” to user.slice (or, to be more precise, the app.slice inside user.slice) even when they were started as a child process from a service belonging to the system.slice?
This causes our lxc processes to get killed by systemd (PID 1) when we’re using an SSH session for the root user. When the last SSH session has ended, systemd waits 10 seconds and then sends SIGTERM to any leftover processes inside user-0.slice.
Is there any way to keep lxc processes under the system.slice where they started from? Why are they “escaping” at all? Is this some kind of snap feature?
Note: This does not affect the LXD daemon.
Environment: Ubuntu 22.04 with LXD 5.0.1
Also you said this doesn’t affect LXD, but you’ve marked it as LXD category, so is this only with the lxc-* commands or do you mean the lxc client command for LXD?
This affects the command line client for LXD, which is named lxc. So I mean commands like lxc init or lxc list. I will provide an example for our system daemon running the client as soon as possible.
Run systemctl daemon-reload && systemctl start lister.service to start the service.
Repeatedly check the output from systemctl --user status and systemctl status lister.service to catch a running lxc list process.
You will notice that lxc list will never appear in the process tree of lister.service (like I would expect), but always in user@0.service.
Although I wish there were some explanation from the maintainers, it seems that this behavior is not specific to LXD, but rather applies to all snap-packaged applications.
I’d like to make clear that auto-moving a process to user.slice can cause problems with systemd session cleanup. When the last session for a user ends, systemd (by default) kills all remaining processes from its user.slice, which is an absolute bummer if you want to use lxc commands inside a service running in system.slice.
In case somebody else has this problem: You can disable systemd session cleanup for a specific user by running loginctl enable-linger $user.
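The manual check from the reproduction steps above (watching systemctl status to see where lxc list lands) can be scripted by comparing the cgroup of a process with that of its parent. This is an added example, not part of the original posts; it assumes cgroup v2 (the Ubuntu 22.04 default) and that the client process is named lxc, and the function names and the scope name in the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare the systemd slice of a process
# with its parent's by reading the cgroup v2 line in /proc/<pid>/cgroup.

# Print the cgroup v2 path ("0::<path>") stored in a /proc/<pid>/cgroup file.
cgroup_path() {
    sed -n 's/^0:://p' "$1" | head -n 1
}

# Print the top-level slice (first path component), e.g. system.slice.
top_slice() {
    cgroup_path "$1" | cut -d/ -f2
}

# Succeed when the parent is in system.slice but the child is in user.slice.
moved_to_user_slice() {
    [ "$(top_slice "$1")" = "system.slice" ] &&
        [ "$(top_slice "$2")" = "user.slice" ]
}

# Live check: inspect every running process whose command name is "lxc"
# (assumption: the snap-wrapped client keeps that name).
scan_live() {
    for pid in $(pgrep -x lxc); do
        ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
        if moved_to_user_slice "/proc/$ppid/cgroup" "/proc/$pid/cgroup"; then
            echo "pid $pid moved to: $(cgroup_path "/proc/$pid/cgroup")"
        fi
    done
}

# Constructed sample data; the scope name is a placeholder.
demo() {
    dir=$(mktemp -d)
    echo '0::/system.slice/lister.service' > "$dir/parent"
    echo '0::/user.slice/user-0.slice/user@0.service/app.slice/snap.lxd.lxc.EXAMPLE.scope' > "$dir/child"
    if moved_to_user_slice "$dir/parent" "$dir/child"; then
        result="moved: $(cgroup_path "$dir/child")"
    else
        result="not moved"
    fi
    rm -rf "$dir"
    echo "$result"
}

if [ "${1:-}" = "--live" ]; then scan_live; else demo; fi
```

Run it with --live as root while lister.service is active to list any lxc process whose parent is still in system.slice but which itself sits under user.slice.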