core: introduce new Delegate=yes/no property controlling creation of cgroup subhierarchies

For priviliged units this resource control property ensures that the
processes have all controllers systemd manages enabled.

For unpriviliged services (those with User= set) this ensures that
access rights to the service cgroup is granted to the user in question,
to create further subgroups. Note that this only applies to the
name=systemd hierarchy though, as access to other controllers is not
safe for unpriviliged processes.

Delegate=yes should be set for container scopes where a systemd instance
inside the container shall manage the hierarchies below its own cgroup
and have access to all controllers.

Delegate=yes should also be set for user@.service, so that systemd
--user can run, controlling its own cgroup tree.

This commit changes machined, systemd-nspawn@.service and user@.service
to set this boolean, in order to ensure that container management will
just work, and the user systemd instance can run fine.

2 files changed, 2 insertions, 0 deletions

diff --git a/units/systemd-nspawn@.service.in b/units/systemd-nspawn@.service.in
index 574d0deaf..dec2ce7df 100644
--- a/units/systemd-nspawn@.service.in
+++ b/units/systemd-nspawn@.service.in
@@ -15,6 +15,7 @@ KillMode=mixed
 Type=notify
 RestartForceExitStatus=133
 SuccessExitStatus=133
+Delegate=yes
 
 [Install]
 WantedBy=multi-user.target
diff --git a/units/user@.service.in b/units/user@.service.in
index 8091ce1a0..1e21d51aa 100644
--- a/units/user@.service.in
+++ b/units/user@.service.in
@@ -16,3 +16,4 @@ Type=notify
 ExecStart=-@rootlibexecdir@/systemd --user
 Slice=user-%i.slice
 KillMode=mixed
+Delegate=yes