Allow Configurability of cgroup Slice Path #36304
Comments
UPDATE: The following suggestion won't solve the issue as the cgroup hierarchy would be kept the same. This means the
With the current implementation, multiple agent environments might be problematic if they use the same mount path (defined by
Example of multiple agents same cgroup2 mount path error
How to reproduce: Start both agents on the same machine. After they are all set, close one and try to SSH into the remaining one.
Start both agents on the same machine:
Close agent-1, keeping only agent-2 running. Then, try to SSH into agent-2:
Agent 2 logs:
Check the
Looking at the mount and cgroupv2 docs, there doesn't seem to be any limitation to duplicating those hierarchies (as they will be the same). @programmerq Do you think it would be enough for users to set their
Sample setup
Agent 1 config:
Agent 2 config:
SSH on both agents:
Check on the
Note that creating cgroups in the cgroup v2 tree outside of systemd is not really supported. The kernel requires a single writer for the whole cgroup tree. https://systemd.io/CGROUP_DELEGATION/
Ideally teleport would create its own
See also this comment: #39501 (comment)
Expected behavior:
Users should have the ability to customize the cgroup slice path for processes initiated by teleport exec to allow diverse operational requirements and security policies to be met.
Current behavior:
As per the implementation in lib/cgroup/cgroup.go#L391, the cgroup slice for shell sessions and child processes started by teleport exec is hardcoded to /teleport. This does not accommodate environments with multiple Teleport agents where distinct cgroup slice paths are necessary for proper traffic filtering and security enforcement.
Bug details:
Possible Workarounds?
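An added illustration, not part of the issue and not Teleport's code: it models why two agents with different cgroup2 mount paths still share the hardcoded /teleport slice, and how a configurable slice could be validated before use. The Agent type, its Slice setting, the sample mount paths and the rule that nested slices count as overlapping are all assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// Agent is a hypothetical config holder (not Teleport's own type).
type Agent struct {
	MountPath string // where this agent mounts cgroup2 (constructed sample values)
	Slice     string // hypothetical setting; empty means the hardcoded default
}

// SlicePath returns the slice relative to the cgroup2 hierarchy root. The
// mount path is not part of it: every cgroup2 mount shows the same hierarchy.
func (a Agent) SlicePath() (string, error) {
	s := a.Slice
	if s == "" {
		s = "/teleport" // default named in the issue
	}
	if !strings.HasPrefix(s, "/") || strings.Contains(s+"/", "/../") {
		return "", errors.New("slice must be absolute and contain no .. segment")
	}
	if s = path.Clean(s); s == "/" {
		return "", errors.New("slice must not be the hierarchy root")
	}
	return s, nil
}

// Collide reports whether two agents would manage the same or nested cgroups.
func Collide(a, b Agent) (bool, error) {
	pa, err := a.SlicePath()
	if err != nil {
		return false, err
	}
	pb, err := b.SlicePath()
	if err != nil {
		return false, err
	}
	return pa == pb || strings.HasPrefix(pa, pb+"/") || strings.HasPrefix(pb, pa+"/"), nil
}

func main() {
	same, err := Collide(Agent{MountPath: "/cgroup2-a"}, Agent{MountPath: "/cgroup2-b"})
	fmt.Println(same, err) // different mounts, same default slice
}
```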