On Thu, Mar 08, 2012 at 08:11:11AM +0100, Tollef Fog Heen wrote: > > There are also complications to using cgroups, in that suddenly any service > > that needs to be able to spawn long-running processes that outlive the > > service has to start caring about cgroups - both so that they survive the > > service being shut down from the outside, and so that the supervisor knows > > not to count these processes as evidence that the service is still running.
> Yes, they need to start a new PAM session. I don't think this is > particularly surprising, but I can well imagine there's code out there > that does not do this. On the other hand, apart from login tools such > as sshd (which already use PAM), I don't think there's many services > where this is something they need. ICBW, though. The sshd process that supervises the user's session is not part of the pam session. It *must* sit outside of it, to ensure proper teardown. And this process should persist across restarts of the sshd service. So killing all processes in the ssh service's cgroup, and relying on PAM to let user sessions survive, would be the wrong answer. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer http://www.debian.org/ slanga...@ubuntu.com vor...@debian.org -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20120308194033.gb28...@virgil.dodds.net
