
cgroupv2 does not work together with nftables #231

@awebears

Description

Posting the service hierarchy and the nftables rules. On the 玩客云, cgroupv2 cannot match any rule in nftables, while on the oec it runs perfectly well.

root@onecloud:~# systemctl status
● onecloud
    State: running
    Units: 832 loaded (incl. loaded aliases)
     Jobs: 0 queued
   Failed: 0 units
    Since: Thu 1970-01-01 00:00:07 UTC; 55 years 7 months ago
  systemd: 252.38-1~deb12u1
   CGroup: /
           ├─init.scope
           │ └─1 /sbin/init
           ├─system.slice
           │ ├─AdGuardHome.service
           │ │ └─1831 /root/AdGuardHome/AdGuardHome -s run
           │ ├─NetworkManager.service
           │ │ └─585 /usr/sbin/NetworkManager --no-daemon
           │ ├─chrony.service
           │ │ ├─778 /usr/sbin/chronyd -F 1
           │ │ └─779 /usr/sbin/chronyd -F 1
           │ ├─cron.service
           │ │ └─488 /usr/sbin/cron -f
           │ ├─dbus.service
           │ │ └─494 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
           │ ├─rng-tools-debian.service
           │ │ └─679 /usr/sbin/rngd -r /dev/hwrng
           │ ├─rpcbind.service
           │ │ └─442 /sbin/rpcbind -f -w
           │ ├─rsyslog.service
           │ │ └─502 /usr/sbin/rsyslogd -n -iNONE
           │ ├─ssh.service
           │ │ └─781 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"
           │ ├─system-getty.slice
           │ │ └─getty@tty1.service
           │ │   └─1057 /sbin/agetty -o "-p -- \\u" --noclear - linux
           │ ├─system-serial\x2dgetty.slice
           │ │ └─serial-getty@ttyAML0.service
           │ │   └─1059 /sbin/agetty -o "-p -- \\u" --keep-baud 115200,57600,38400,9600 - linux
           │ ├─systemd-journald.service
           │ │ └─436 /lib/systemd/systemd-journald
           │ ├─systemd-logind.service
           │ │ └─511 /lib/systemd/systemd-logind
           │ ├─systemd-resolved.service
           │ │ └─1863 /lib/systemd/systemd-resolved
           │ ├─systemd-udevd.service
           │ │ └─udev
           │ │   └─284 /lib/systemd/systemd-udevd
           │ ├─unattended-upgrades.service
           │ │ └─771 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
           │ ├─vnstat.service
           │ │ └─774 /usr/sbin/vnstatd -n
           │ └─wpa_supplicant.service
           │   └─587 /sbin/wpa_supplicant -u -s -O "DIR=/run/wpa_supplicant GROUP=netdev"
           └─user.slice
             └─user-0.slice
               ├─session-4.scope
               │ ├─1127 "sshd: root@pts/0"
               │ ├─1388 -bash
               │ ├─1877 systemctl status
               │ └─1878 pager
               ├─session-6.scope
               │ ├─1401 "sshd: root@notty"
               │ └─1640 /usr/lib/openssh/sftp-server
               └─user@0.service
                 └─init.scope
                   ├─1130 /lib/systemd/systemd --user
                   └─1131 "(sd-pam)"

Here are the nftables rules

root@onecloud:~# nft list ruleset
table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
                socket cgroupv2 level 2 "system.slice/AdGuardHome.service" counter packets 0 bytes 0
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
        }

        chain output {
                type filter hook output priority filter; policy accept;
                socket cgroupv2 level 2 "system.slice/AdGuardHome.service" counter packets 0 bytes 0
        }
}
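The two `counter packets 0` lines above are the only visible symptom: a `socket cgroupv2` rule that never matches silently gives no enforcement at all, so the counters are the check to watch. The following POSIX sh script is an added example (not code from the issue author or from nftables) that performs the offline sanity checks a practitioner would run before blaming the rule itself: whether a cgroup2 filesystem is mounted at all, whether the kernel is at least 5.13 (where nft_socket gained cgroupv2 matching; the running kernel also needs `CONFIG_NFT_SOCKET` and `CONFIG_SOCK_CGROUP_DATA`), and whether the rule's `level` equals the number of path components in the cgroup path, since nft compares the socket's cgroup at exactly that depth. The sample mount tables and kernel release strings are constructed; the rule path `system.slice/AdGuardHome.service` and `level 2` are taken from the ruleset in the issue. The `--live` flag, a hypothetical option of this script only, runs the same checks against the current host.

```shell
#!/bin/sh
# Added example, not code from the issue author: offline sanity checks for an
# nftables "socket cgroupv2 level N <path>" rule whose counter stays at 0.
# The mount tables and kernel release strings below are constructed; the rule
# path and level are the ones quoted in the issue.

# Number of path components in a cgroup path relative to the cgroup2 root.
# nft tests the socket's cgroup at exactly this depth, so "level" must equal it.
cgroup_level() {
    p=${1#/}
    p=${p%/}
    [ -z "$p" ] && { echo 0; return 0; }
    n=1
    while [ "$p" != "${p#*/}" ]; do
        p=${p#*/}
        n=$((n + 1))
    done
    echo "$n"
}

# Mount point of the cgroup2 filesystem in a /proc/self/mounts listing, or
# nothing if the unified hierarchy is not mounted at all.
cgroup2_mount_from() {
    printf '%s\n' "$1" | awk '$3 == "cgroup2" { print $2; exit }'
}

# cgroupv2 matching in nft_socket needs Linux 5.13 or newer.
kernel_ge_5_13() {
    maj=${1%%.*}
    rest=${1#*.}
    min=${rest%%[!0-9]*}
    [ "$maj" -gt 5 ] || { [ "$maj" -eq 5 ] && [ "$min" -ge 13 ]; }
}

# One verdict line per rule: "ok" when nothing obvious explains a zero
# counter, otherwise the first problem found.
diagnose() {
    release=$1; mounts=$2; path=$3; level=$4
    root=$(cgroup2_mount_from "$mounts")
    if [ -z "$root" ]; then
        echo "no cgroup2 mount: socket cgroupv2 can never match"
    elif ! kernel_ge_5_13 "$release"; then
        echo "kernel $release predates nft_socket cgroupv2 support (5.13)"
    elif [ "$(cgroup_level "$path")" -ne "$level" ]; then
        echo "level $level does not equal $(cgroup_level "$path") components in $path"
    else
        echo "ok"
    fi
}

# Constructed /proc/self/mounts excerpt of a host with the unified hierarchy.
SAMPLE_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0'

# Constructed mount table of a host that only has cgroup v1 mounted.
SAMPLE_MOUNTS_V1='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0'

RULE_PATH='system.slice/AdGuardHome.service'   # from the issue's ruleset
RULE_LEVEL=2

if [ "${1:-}" = "--live" ]; then
    # Check the current host; additionally confirm the cgroup exists on disk.
    mounts=$(cat /proc/self/mounts)
    root=$(cgroup2_mount_from "$mounts")
    diagnose "$(uname -r)" "$mounts" "$RULE_PATH" "$RULE_LEVEL"
    if [ -n "$root" ] && [ ! -d "$root/$RULE_PATH" ]; then
        echo "cgroup $root/$RULE_PATH does not exist"
    fi
else
    diagnose 6.1.0-29-arm64 "$SAMPLE_MOUNTS" "$RULE_PATH" "$RULE_LEVEL"
    diagnose 4.9.269 "$SAMPLE_MOUNTS" "$RULE_PATH" "$RULE_LEVEL"
    diagnose 6.1.0-29-arm64 "$SAMPLE_MOUNTS_V1" "$RULE_PATH" "$RULE_LEVEL"
    diagnose 6.1.0-29-arm64 "$SAMPLE_MOUNTS" "$RULE_PATH" 1
fi
```

Run without arguments it prints the four constructed verdicts (ok, old kernel, no cgroup2 mount, wrong level); run with `--live` on the affected device it reports the same checks for the real kernel and mount table. If all checks pass and the counters still stay at zero, the remaining suspects are the kernel build itself (a vendor kernel lacking the nft_socket cgroup code even though the rule loads) rather than the rule text.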
