
Systemd cgroup slice user override does not work


While trying to implement resource limits (Debian 12) for all users except the root user, I found that the user-0.slice MemoryMax does not override the user.slice MemoryMax parameter.

root@:/etc/systemd/system.control# tree .
├── user-0.slice.d
│   └── 50-MemoryMax.conf
└── user.slice.d
    └── 50-MemoryMax.conf

user.slice.d/50-MemoryMax.conf (5GB)

[Slice]
MemoryMax=5368709120 

user-0.slice.d/50-MemoryMax.conf

[Slice]
MemoryMax=infinity

root@:/etc/systemd/system.control# systemctl  status user-0.slice
● user-0.slice - User Slice of UID 0
     Loaded: loaded
    Drop-In: /usr/lib/systemd/system/user-.slice.d
             └─10-defaults.conf
             /etc/systemd/system.control/user-0.slice.d
             └─50-MemoryMax.conf
     Active: active since Wed 2025-03-12 15:48:51 UTC; 6min ago
       Docs: man:user@.service(5)
      Tasks: 13 (limit: 84525)
     Memory: 27.0M (available: 4.7G)
        CPU: 10.458s
     CGroup: /user.slice/user-0.slice
             ├─session-1.scope
             │ ├─672 "sshd: root@notty"
             │ ├─752 fish -c /usr/lib/openssh/sftp-server
             │ └─768 /usr/lib/openssh/sftp-server
             ├─session-7.scope
             │ ├─10980 "sshd: root@pts/1"
             │ ├─11338 -fish
             │ ├─22233 bash
             │ ├─25322 systemctl status user-0.slice
             │ └─25323 pager
             ├─session-8.scope
             │ ├─11257 "sshd: root@notty"
             │ ├─11633 fish -c /usr/lib/openssh/sftp-server
             │ └─11646 /usr/lib/openssh/sftp-server
             └─user@0.service
               └─init.scope
                 ├─703 /lib/systemd/systemd --user
                 └─706 "(sd-pam)"

Mar 12 15:48:52 systemd[703]: Listening on gpg-agent-extra.socket - GnuPG cryptographic agent and passphrase cache (restricted).
Mar 12 15:48:52 systemd[703]: Listening on gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
Mar 12 15:48:52 systemd[703]: Listening on gpg-agent.socket - GnuPG cryptographic agent and passphrase cache.
Mar 12 15:48:52 systemd[703]: Listening on pk-debconf-helper.socket - debconf communication socket.
Mar 12 15:48:52 systemd[703]: Listening on dbus.socket - D-Bus User Message Bus Socket.
Mar 12 15:48:52 systemd[703]: Reached target sockets.target - Sockets.
Mar 12 15:48:52 systemd[703]: Reached target basic.target - Basic System.
Mar 12 15:48:52 systemd[703]: Reached target default.target - Main User Target.
Mar 12 15:48:52 systemd[703]: Startup finished in 587ms.
Mar 12 15:48:52 sshd[672]: pam_env(sshd:session): deprecated reading of user environment enabled

I still see 4.7 GB available for root, but expected unlimited.


Solution

  • An infinite value is the same as an empty value and results in the same value as the parent.

    P.S. A child cannot set limits higher than its parent (I struggled to understand this).
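
Because a child is capped by its parent, the effective limit for a slice is the smallest memory.max found on the path from that cgroup up to the root. The script below is an added example, not part of the original post: it assumes cgroup v2, where MemoryMax=infinity shows up as "max" in memory.max, and its function names and temporary sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: the effective cgroup v2 memory limit is the minimum
# memory.max on the path from a cgroup up to the root.
# Assumption: "max" is what MemoryMax=infinity (or no setting) produces.

# effective_memory_max ROOT REL_PATH
# Prints "<bytes> <cgroup that imposes it>", or "max" if nothing limits it.
effective_memory_max() {
    root=${1%/}
    rel=${2#/}
    best=max
    owner=
    while :; do
        f=$root${rel:+/$rel}/memory.max
        # The root cgroup has no memory.max file, so a missing file is skipped.
        if [ -r "$f" ]; then
            val=$(cat "$f")
            if [ "$val" != max ]; then
                if [ "$best" = max ] || [ "$val" -lt "$best" ]; then
                    best=$val
                    owner=/$rel
                fi
            fi
        fi
        [ -z "$rel" ] && break
        # Step up one level: drop the last path component.
        case $rel in
            */*) rel=${rel%/*} ;;
            *)   rel= ;;
        esac
    done
    if [ "$best" = max ]; then echo max; else echo "$best $owner"; fi
}

# Constructed sample tree mirroring the question's layout (not real sysfs).
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/user.slice/user-0.slice" "$t/system.slice"
    echo 5368709120 > "$t/user.slice/memory.max"             # 5 GB on the parent
    echo max > "$t/user.slice/user-0.slice/memory.max"       # MemoryMax=infinity
    echo max > "$t/system.slice/memory.max"
    echo "$t"
}

# On a live host: effective_memory_max /sys/fs/cgroup user.slice/user-0.slice
```

For the question's layout this reports the 5 GB limit as coming from /user.slice, which is why user-0.slice stays capped even though its own memory.max is unlimited.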