Problem: Device containment via the systemd DeviceAllow and DevicePolicy unit properties can't be enforced by the flux user systemd instance. On cgroups v2, systemd implements device containment by loading BPF programs and attaching them to the unit's cgroup, which requires CAP_BPF and CAP_SYS_ADMIN. Consequently, systemd has no support for delegating the handling of these properties to user instances.
For details see discussion in flux-framework/flux-core#7546.
The IMP exec helper (provided by flux-core) will fill in the Device Containment section of the IMP's "resource owner options" input by reading DeviceAllow and DevicePolicy from the current cgroup. The IMP, which runs with the necessary privileges, will then need to read this section of its input, compose and load a suitable BPF program, and attach it to the job's cgroup before launching the job shell.