agent: support systemd cgroup for kata agent

1. Implemented a rust module for operating cgroups through systemd with the help of zbus (src/agent/rustjail/src/cgroups/systemd). 2. Add support for optional cgroup configuration through fs and systemd at agent (src/agent/rustjail/src/container.rs). 3. Described the usage and supported properties of the agent systemd cgroup (docs/design/agent-systemd-cgroup.md). Fixes: #4336 Signed-off-by: Yuan-Zhuo <yuanzhuo0118@outlook.com>
2025-04-28 03:42:09 +00:00 · 2022-10-25 13:57:09 +08:00 · 2022-10-25 13:57:09 +08:00 · d7bb4b5512
commit d7bb4b5512
parent a151d8ee50
31 changed files with 4546 additions and 148 deletions
--- a/docs/design/README.md
+++ b/docs/design/README.md
@ -8,6 +8,7 @@ Kata Containers design documents:
 - [VSocks](VSocks.md)
 - [VCPU handling](vcpu-handling.md)
 - [Host cgroups](host-cgroups.md)
 - [Agent systemd cgroup](agent-systemd-cgroup.md)
 - [`Inotify` support](inotify.md)
 - [Metrics(Kata 2.0)](kata-2-0-metrics.md)
 - [Design for Kata Containers `Lazyload` ability with `nydus`](kata-nydus-design.md)
--- a/docs/design/agent-systemd-cgroup.md
+++ b/docs/design/agent-systemd-cgroup.md
@ -0,0 +1,84 @@
 # Systemd Cgroup for Agent
 As we know, we can interact with cgroups in two ways, **`cgroupfs`** and **`systemd`**. The former is achieved by reading and writing cgroup `tmpfs` files under `/sys/fs/cgroup` while the latter is done by configuring a transient unit by requesting systemd. Kata agent uses **`cgroupfs`** by default, unless you pass the parameter `--systemd-cgroup`.
 ## usage
 For systemd, kata agent configures cgroups according to the following `linux.cgroupsPath` format standard provided by `runc` (`[slice]:[prefix]:[name]`). If you don't provide a valid `linux.cgroupsPath`, kata agent will treat it as `"system.slice:kata_agent:<container-id>"`. 
 > Here slice is a systemd slice under which the container is placed. If empty, it defaults to system.slice, except when cgroup v2 is used and rootless container is created, in which case it defaults to user.slice.
 >
 > Note that slice can contain dashes to denote a sub-slice (e.g. user-1000.slice is a correct notation, meaning a `subslice` of user.slice), but it must not contain slashes (e.g. user.slice/user-1000.slice is invalid).
 >
 > A slice of `-` represents a root slice.
 >
 > Next, prefix and name are used to compose the unit name, which is `<prefix>-<name>.scope`, unless name has `.slice` suffix, in which case prefix is ignored and the name is used as is.
 ## supported properties
 The kata agent will translate the parameters in the `linux.resources` of `config.json` into systemd unit properties, and send it to systemd for configuration. Since systemd supports limited properties, only the following parameters in `linux.resources` will be applied. We will simply treat hybrid mode as legacy mode by the way.
 - CPU
  - v1
  | runtime spec resource | systemd property name |
  | --------------------- | --------------------- |
  | `cpu.shares`          | `CPUShares`           |
  - v2
  | runtime spec resource      | systemd property name      |
  | -------------------------- | -------------------------- |
  | `cpu.shares`               | `CPUShares`                |
  | `cpu.period`               | `CPUQuotaPeriodUSec`(v242) |
  | `cpu.period` & `cpu.quota` | `CPUQuotaPerSecUSec`       |
 - MEMORY
  - v1
  | runtime spec resource | systemd property name |
  | --------------------- | --------------------- |
  | `memory.limit`        | `MemoryLimit`         |
  - v2
  | runtime spec resource          | systemd property name |
  | ------------------------------ | --------------------- |
  | `memory.low`                   | `MemoryLow`           |
  | `memory.max`                   | `MemoryMax`           |
  | `memory.swap` & `memory.limit` | `MemorySwapMax`       |
 - PIDS
  | runtime spec resource | systemd property name |
  | --------------------- | --------------------- |
  | `pids.limit `         | `TasksMax`            |
 - CPUSET
  | runtime spec resource | systemd property name      |
  | --------------------- | -------------------------- |
  | `cpuset.cpus`         | `AllowedCPUs`(v244)        |
  | `cpuset.mems`         | `AllowedMemoryNodes`(v244) |
 ## Systemd Interface
 `session.rs` and `system.rs` in `src/agent/rustjail/src/cgroups/systemd/interface` are automatically generated by `zbus-xmlgen`, which is is an accompanying tool provided by `zbus` to generate Rust code from `D-Bus XML interface descriptions`. The specific commands to generate these two files are as follows: 
 ```shell
 // system.rs
 zbus-xmlgen --system org.freedesktop.systemd1 /org/freedesktop/systemd1
 // session.rs
 zbus-xmlgen --session org.freedesktop.systemd1 /org/freedesktop/systemd1
 ```
 The current implementation of `cgroups/systemd` uses `system.rs` while `session.rs` could be used to build rootless containers in the future.
 ## references
 - [runc - systemd cgroup driver](https://github.com/opencontainers/runc/blob/main/docs/systemd.md)
 - [systemd.resource-control  — Resource control unit settings](https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html)
--- a/src/agent/Cargo.lock
+++ b/src/agent/Cargo.lock
@ -47,6 +47,71 @@ version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c5d78ce20460b82d3fa150275ed9d55e21064fc7951177baacf86a145c4a4b1f"
 [[package]]
 name = "async-broadcast"
 version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6d26004fe83b2d1cd3a97609b21e39f9a31535822210fe83205d2ce48866ea61"
 dependencies = [
 "event-listener",
 "futures-core",
 "parking_lot 0.12.1",
 ]
 [[package]]
 name = "async-channel"
 version = "1.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e14485364214912d3b19cc3435dde4df66065127f05fa0d75c712f36f12c2f28"
 dependencies = [
 "concurrent-queue",
 "event-listener",
 "futures-core",
 ]
 [[package]]
 name = "async-executor"
 version = "1.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "871f9bb5e0a22eeb7e8cf16641feb87c9dc67032ccf8ff49e772eb9941d3a965"
 dependencies = [
 "async-task",
 "concurrent-queue",
 "fastrand",
 "futures-lite",
 "once_cell",
 "slab",
 ]
 [[package]]
 name = "async-io"
 version = "1.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "83e21f3a490c72b3b0cf44962180e60045de2925d8dff97918f7ee43c8f637c7"
 dependencies = [
 "autocfg",
 "concurrent-queue",
 "futures-lite",
 "libc",
 "log",
 "once_cell",
 "parking",
 "polling",
 "slab",
 "socket2",
 "waker-fn",
 "winapi",
 ]
 [[package]]
 name = "async-lock"
 version = "2.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e97a171d191782fba31bb902b14ad94e24a68145032b7eedf871ab0bc0d077b6"
 dependencies = [
 "event-listener",
 ]
 [[package]]
 name = "async-recursion"
 version = "0.3.2"
@ -58,6 +123,12 @@ dependencies = [
 "syn",
 ]
 [[package]]
 name = "async-task"
 version = "4.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7a40729d2133846d9ed0ea60a8b9541bccddab49cd30f0715a1da672fe9a2524"
 [[package]]
 name = "async-trait"
 version = "0.1.56"
@ -95,6 +166,12 @@ dependencies = [
 "serde",
 ]
 [[package]]
 name = "bit-vec"
 version = "0.6.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb"
 [[package]]
 name = "bitflags"
 version = "1.3.2"
@ -135,6 +212,12 @@ version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c4872d67bab6358e59559027aa3b9157c53d9358c51423c17554809a8858e0f8"
 [[package]]
 name = "cache-padded"
 version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c1db59621ec70f09c5e9b597b220c7a2b43611f4710dc03ceb8748637775692c"
 [[package]]
 name = "capctl"
 version = "0.2.1"
@ -247,6 +330,15 @@ version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2382f75942f4b3be3690fe4f86365e9c853c1587d6ee58212cebf6e2a9ccd101"
 [[package]]
 name = "concurrent-queue"
 version = "1.2.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "af4780a44ab5696ea9e28294517f1fffb421a83a25af521333c838635509db9c"
 dependencies = [
 "cache-padded",
 ]
 [[package]]
 name = "core-foundation-sys"
 version = "0.8.3"
@ -307,6 +399,17 @@ dependencies = [
 "once_cell",
 ]
 [[package]]
 name = "derivative"
 version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fcc3dd5e9e9c0b295d6e1e4d811fb6f157d5ffd784b8d202fc62eac8035a770b"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn",
 ]
 [[package]]
 name = "derive-new"
 version = "0.5.9"
@ -318,12 +421,53 @@ dependencies = [
 "syn",
 ]
 [[package]]
 name = "dirs"
 version = "4.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ca3aa72a6f96ea37bbc5aa912f6788242832f75369bdfdadcb0e38423f100059"
 dependencies = [
 "dirs-sys",
 ]
 [[package]]
 name = "dirs-sys"
 version = "0.3.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1b1d1d91c932ef41c0f2663aa8b0ca0342d444d842c06914aa0a7e352d0bada6"
 dependencies = [
 "libc",
 "redox_users",
 "winapi",
 ]
 [[package]]
 name = "either"
 version = "1.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e78d4f1cc4ae33bbfc157ed5d5a5ef3bc29227303d595861deb238fcec4e9457"
 [[package]]
 name = "enumflags2"
 version = "0.7.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e75d4cd21b95383444831539909fbb14b9dc3fdceb2a6f5d36577329a1f55ccb"
 dependencies = [
 "enumflags2_derive",
 "serde",
 ]
 [[package]]
 name = "enumflags2_derive"
 version = "0.7.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f58dc3c5e468259f19f2d46304a6b28f1c3d034442e14b322d2b850e36f6d5ae"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn",
 ]
 [[package]]
 name = "errno"
 version = "0.2.8"
@ -345,6 +489,12 @@ dependencies = [
 "libc",
 ]
 [[package]]
 name = "event-listener"
 version = "2.5.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0206175f82b8d6bf6652ff7d71a1e27fd2e4efde587fd368662814d6ec1d9ce0"
 [[package]]
 name = "fail"
 version = "0.5.0"
@ -435,6 +585,21 @@ version = "0.3.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fc4045962a5a5e935ee2fdedaa4e08284547402885ab326734432bed5d12966b"
 [[package]]
 name = "futures-lite"
 version = "1.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7694489acd39452c77daa48516b894c153f192c3578d5a839b62c58099fcbf48"
 dependencies = [
 "fastrand",
 "futures-core",
 "futures-io",
 "memchr",
 "parking",
 "pin-project-lite",
 "waker-fn",
 ]
 [[package]]
 name = "futures-macro"
 version = "0.3.21"
@ -1002,9 +1167,9 @@ dependencies = [
 [[package]]
 name = "once_cell"
-version = "1.12.0"
+version = "1.15.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7709cef83f0c1f58f666e746a08b21e0085f7440fa6a29cc194d68aac97a4225"
+checksum = "e82dad04139b71a90c080c8463fe0dc7902db5192d939bd0950f074d014339e1"
 [[package]]
 name = "opentelemetry"
@ -1026,12 +1191,28 @@ dependencies = [
 "tokio-stream",
 ]
 [[package]]
 name = "ordered-stream"
 version = "0.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "44630c059eacfd6e08bdaa51b1db2ce33119caa4ddc1235e923109aa5f25ccb1"
 dependencies = [
 "futures-core",
 "pin-project-lite",
 ]
 [[package]]
 name = "os_str_bytes"
 version = "6.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "21326818e99cfe6ce1e524c2a805c189a99b5ae555a35d19f9a284b427d86afa"
 [[package]]
 name = "parking"
 version = "2.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "427c3892f9e783d91cc128285287e70a59e206ca452770ece88a76f7a3eddd72"
 [[package]]
 name = "parking_lot"
 version = "0.11.2"
@ -1159,12 +1340,37 @@ version = "0.3.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1df8c4ec4b0627e53bdf214615ad287367e482558cf84b109250b37464dc03ae"
 [[package]]
 name = "polling"
 version = "2.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ab4609a838d88b73d8238967b60dd115cc08d38e2bbaf51ee1e4b695f89122e2"
 dependencies = [
 "autocfg",
 "cfg-if 1.0.0",
 "libc",
 "log",
 "wepoll-ffi",
 "winapi",
 ]
 [[package]]
 name = "ppv-lite86"
 version = "0.2.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "eb9f9e6e233e5c4a35559a617bf40a4ec447db2e84c20b55a6f83167b7e57872"
 [[package]]
 name = "proc-macro-crate"
 version = "1.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "eda0fc3b0fb7c975631757e14d9049da17374063edb6ebbcbc54d880d4fe94e9"
 dependencies = [
 "once_cell",
 "thiserror",
 "toml",
 ]
 [[package]]
 name = "proc-macro-error"
 version = "1.0.4"
@ -1434,6 +1640,17 @@ dependencies = [
 "bitflags",
 ]
 [[package]]
 name = "redox_users"
 version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b033d837a7cf162d7993aded9304e30a83213c648b6e389db233191f891e5c2b"
 dependencies = [
 "getrandom 0.2.7",
 "redox_syscall",
 "thiserror",
 ]
 [[package]]
 name = "regex"
 version = "1.5.6"
@ -1499,6 +1716,7 @@ version = "0.1.0"
 dependencies = [
 "anyhow",
 "async-trait",
 "bit-vec",
 "capctl",
 "caps",
 "cfg-if 0.1.10",
@ -1526,6 +1744,7 @@ dependencies = [
 "tempfile",
 "test-utils",
 "tokio",
 "zbus",
 ]
 [[package]]
@ -1580,6 +1799,17 @@ dependencies = [
 "serde",
 ]
 [[package]]
 name = "serde_repr"
 version = "0.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1fe39d9fbb0ebf5eb2c7cb7e2a47e4f462fad1379f1166b8ae49ad9eae89a7ca"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn",
 ]
 [[package]]
 name = "serial_test"
 version = "0.5.1"
@ -1602,6 +1832,21 @@ dependencies = [
 "syn",
 ]
 [[package]]
 name = "sha1"
 version = "0.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c1da05c97445caa12d05e848c4a4fcbbea29e748ac28f7e80e9b010392063770"
 dependencies = [
 "sha1_smol",
 ]
 [[package]]
 name = "sha1_smol"
 version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ae1a47186c03a32177042e55dbc5fd5aee900b8e0069a8d70fba96a9375cd012"
 [[package]]
 name = "sharded-slab"
 version = "0.1.4"
@ -1700,6 +1945,12 @@ dependencies = [
 "winapi",
 ]
 [[package]]
 name = "static_assertions"
 version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f"
 [[package]]
 name = "strsim"
 version = "0.10.0"
@ -2048,6 +2299,16 @@ dependencies = [
 "tempfile",
 ]
 [[package]]
 name = "uds_windows"
 version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ce65604324d3cce9b966701489fbd0cf318cb1f7bd9dd07ac9a4ee6fb791930d"
 dependencies = [
 "tempfile",
 "winapi",
 ]
 [[package]]
 name = "unicode-ident"
 version = "1.0.1"
@ -2099,6 +2360,12 @@ dependencies = [
 "tokio-vsock",
 ]
 [[package]]
 name = "waker-fn"
 version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9d5b2c62b4012a3e1eca5a7e077d13b3bf498c4073e33ccd58626607748ceeca"
 [[package]]
 name = "wasi"
 version = "0.9.0+wasi-snapshot-preview1"
@ -2171,6 +2438,15 @@ version = "0.2.81"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6a89911bd99e5f3659ec4acf9c4d93b0a90fe4a2a11f15328472058edc5261be"
 [[package]]
 name = "wepoll-ffi"
 version = "0.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d743fdedc5c64377b5fc2bc036b01c7fd642205a0d96356034ae3404d49eb7fb"
 dependencies = [
 "cc",
 ]
 [[package]]
 name = "which"
 version = "4.2.5"
@ -2255,3 +2531,93 @@ name = "windows_x86_64_msvc"
 version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c811ca4a8c853ef420abd8592ba53ddbbac90410fab6903b3e79972a631f7680"
 [[package]]
 name = "zbus"
 version = "2.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2d8f1a037b2c4a67d9654dc7bdfa8ff2e80555bbefdd3c1833c1d1b27c963a6b"
 dependencies = [
 "async-broadcast",
 "async-channel",
 "async-executor",
 "async-io",
 "async-lock",
 "async-recursion",
 "async-task",
 "async-trait",
 "byteorder",
 "derivative",
 "dirs",
 "enumflags2",
 "event-listener",
 "futures-core",
 "futures-sink",
 "futures-util",
 "hex",
 "lazy_static",
 "nix 0.23.1",
 "once_cell",
 "ordered-stream",
 "rand 0.8.5",
 "serde",
 "serde_repr",
 "sha1",
 "static_assertions",
 "tracing",
 "uds_windows",
 "winapi",
 "zbus_macros",
 "zbus_names",
 "zvariant",
 ]
 [[package]]
 name = "zbus_macros"
 version = "2.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1f8fb5186d1c87ae88cf234974c240671238b4a679158ad3b94ec465237349a6"
 dependencies = [
 "proc-macro-crate",
 "proc-macro2",
 "quote",
 "regex",
 "syn",
 ]
 [[package]]
 name = "zbus_names"
 version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "41a408fd8a352695690f53906dc7fd036be924ec51ea5e05666ff42685ed0af5"
 dependencies = [
 "serde",
 "static_assertions",
 "zvariant",
 ]
 [[package]]
 name = "zvariant"
 version = "3.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b794fb7f59af4105697b0449ba31731ee5dbb3e773a17dbdf3d36206ea1b1644"
 dependencies = [
 "byteorder",
 "enumflags2",
 "libc",
 "serde",
 "static_assertions",
 "zvariant_derive",
 ]
 [[package]]
 name = "zvariant_derive"
 version = "3.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "dd58d4b6c8e26d3dd2149c8c40c6613ef6451b9885ff1296d1ac86c388351a54"
 dependencies = [
 "proc-macro-crate",
 "proc-macro2",
 "quote",
 "syn",
 ]
--- a/src/agent/rustjail/Cargo.toml
+++ b/src/agent/rustjail/Cargo.toml
@ -33,6 +33,8 @@ futures = "0.3.17"
 async-trait = "0.1.31"
 inotify = "0.9.2"
 libseccomp = { version = "0.3.0", optional = true }
 zbus = "2.3.0"
 bit-vec= "0.6.3"
 [dev-dependencies]
 serial_test = "0.5.0"
--- a/src/agent/rustjail/src/cgroups/fs/mod.rs
+++ b/src/agent/rustjail/src/cgroups/fs/mod.rs
@ -32,6 +32,7 @@ use protocols::agent::{
    BlkioStats, BlkioStatsEntry, CgroupStats, CpuStats, CpuUsage, HugetlbStats, MemoryData,
    MemoryStats, PidsStats, ThrottlingData,
 };
 use std::any::Any;
 use std::collections::HashMap;
 use std::fs;
 use std::path::Path;
@ -193,6 +194,79 @@ impl CgroupManager for Manager {
        Ok(result)
    }
    fn update_cpuset_path(&self, guest_cpuset: &str, container_cpuset: &str) -> Result<()> {
        if guest_cpuset.is_empty() {
            return Ok(());
        }
        info!(sl!(), "update_cpuset_path to: {}", guest_cpuset);
        let h = cgroups::hierarchies::auto();
        let root_cg = h.root_control_group();
        let root_cpuset_controller: &CpuSetController = root_cg.controller_of().unwrap();
        let path = root_cpuset_controller.path();
        let root_path = Path::new(path);
        info!(sl!(), "root cpuset path: {:?}", &path);
        let container_cpuset_controller: &CpuSetController = self.cgroup.controller_of().unwrap();
        let path = container_cpuset_controller.path();
        let container_path = Path::new(path);
        info!(sl!(), "container cpuset path: {:?}", &path);
        let mut paths = vec![];
        for ancestor in container_path.ancestors() {
            if ancestor == root_path {
                break;
            }
            paths.push(ancestor);
        }
        info!(sl!(), "parent paths to update cpuset: {:?}", &paths);
        let mut i = paths.len();
        loop {
            if i == 0 {
                break;
            }
            i -= 1;
            // remove cgroup root from path
            let r_path = &paths[i]
                .to_str()
                .unwrap()
                .trim_start_matches(root_path.to_str().unwrap());
            info!(sl!(), "updating cpuset for parent path {:?}", &r_path);
            let cg = new_cgroup(cgroups::hierarchies::auto(), r_path);
            let cpuset_controller: &CpuSetController = cg.controller_of().unwrap();
            cpuset_controller.set_cpus(guest_cpuset)?;
        }
        if !container_cpuset.is_empty() {
            info!(
                sl!(),
                "updating cpuset for container path: {:?} cpuset: {}",
                &container_path,
                container_cpuset
            );
            container_cpuset_controller.set_cpus(container_cpuset)?;
        }
        Ok(())
    }
    fn get_cgroup_path(&self, cg: &str) -> Result<String> {
        if cgroups::hierarchies::is_cgroup2_unified_mode() {
            let cg_path = format!("/sys/fs/cgroup/{}", self.cpath);
            return Ok(cg_path);
        }
        // for cgroup v1
        Ok(self.paths.get(cg).map(|s| s.to_string()).unwrap())
    }
    fn as_any(&self) -> Result<&dyn Any> {
        Ok(self)
    }
 }
 fn set_network_resources(
@ -981,75 +1055,6 @@ impl Manager {
            cgroup: new_cgroup(cgroups::hierarchies::auto(), cpath),
        })
    }
    pub fn update_cpuset_path(&self, guest_cpuset: &str, container_cpuset: &str) -> Result<()> {
        if guest_cpuset.is_empty() {
            return Ok(());
        }
        info!(sl!(), "update_cpuset_path to: {}", guest_cpuset);
        let h = cgroups::hierarchies::auto();
        let root_cg = h.root_control_group();
        let root_cpuset_controller: &CpuSetController = root_cg.controller_of().unwrap();
        let path = root_cpuset_controller.path();
        let root_path = Path::new(path);
        info!(sl!(), "root cpuset path: {:?}", &path);
        let container_cpuset_controller: &CpuSetController = self.cgroup.controller_of().unwrap();
        let path = container_cpuset_controller.path();
        let container_path = Path::new(path);
        info!(sl!(), "container cpuset path: {:?}", &path);
        let mut paths = vec![];
        for ancestor in container_path.ancestors() {
            if ancestor == root_path {
                break;
            }
            paths.push(ancestor);
        }
        info!(sl!(), "parent paths to update cpuset: {:?}", &paths);
        let mut i = paths.len();
        loop {
            if i == 0 {
                break;
            }
            i -= 1;
            // remove cgroup root from path
            let r_path = &paths[i]
                .to_str()
                .unwrap()
                .trim_start_matches(root_path.to_str().unwrap());
            info!(sl!(), "updating cpuset for parent path {:?}", &r_path);
            let cg = new_cgroup(cgroups::hierarchies::auto(), r_path);
            let cpuset_controller: &CpuSetController = cg.controller_of().unwrap();
            cpuset_controller.set_cpus(guest_cpuset)?;
        }
        if !container_cpuset.is_empty() {
            info!(
                sl!(),
                "updating cpuset for container path: {:?} cpuset: {}",
                &container_path,
                container_cpuset
            );
            container_cpuset_controller.set_cpus(container_cpuset)?;
        }
        Ok(())
    }
    pub fn get_cg_path(&self, cg: &str) -> Option<String> {
        if cgroups::hierarchies::is_cgroup2_unified_mode() {
            let cg_path = format!("/sys/fs/cgroup/{}", self.cpath);
            return Some(cg_path);
        }
        // for cgroup v1
        self.paths.get(cg).map(|s| s.to_string())
    }
 }
 // get the guest's online cpus.
--- a/src/agent/rustjail/src/cgroups/mock.rs
+++ b/src/agent/rustjail/src/cgroups/mock.rs
@ -11,6 +11,7 @@ use anyhow::Result;
 use cgroups::freezer::FreezerState;
 use libc::{self, pid_t};
 use oci::LinuxResources;
 use std::any::Any;
 use std::collections::HashMap;
 use std::string::String;
@ -53,6 +54,18 @@ impl CgroupManager for Manager {
    fn get_pids(&self) -> Result<Vec<pid_t>> {
        Ok(Vec::new())
    }
    fn update_cpuset_path(&self, _: &str, _: &str) -> Result<()> {
        Ok(())
    }
    fn get_cgroup_path(&self, _: &str) -> Result<String> {
        Ok("".to_string())
    }
    fn as_any(&self) -> Result<&dyn Any> {
        Ok(self)
    }
 }
 impl Manager {
@ -63,12 +76,4 @@ impl Manager {
            cpath: cpath.to_string(),
        })
    }
    pub fn update_cpuset_path(&self, _: &str, _: &str) -> Result<()> {
        Ok(())
    }
    pub fn get_cg_path(&self, _: &str) -> Option<String> {
        Some("".to_string())
    }
 }
--- a/src/agent/rustjail/src/cgroups/mod.rs
+++ b/src/agent/rustjail/src/cgroups/mod.rs
@ -4,8 +4,10 @@
 //
 use anyhow::{anyhow, Result};
 use core::fmt::Debug;
 use oci::LinuxResources;
 use protocols::agent::CgroupStats;
 use std::any::Any;
 use cgroups::freezer::FreezerState;
@ -38,4 +40,22 @@ pub trait Manager {
    fn set(&self, _container: &LinuxResources, _update: bool) -> Result<()> {
        Err(anyhow!("not supported!"))
    }
    fn update_cpuset_path(&self, _: &str, _: &str) -> Result<()> {
        Err(anyhow!("not supported!"))
    }
    fn get_cgroup_path(&self, _: &str) -> Result<String> {
        Err(anyhow!("not supported!"))
    }
    fn as_any(&self) -> Result<&dyn Any> {
        Err(anyhow!("not supported!"))
    }
 }
 impl Debug for dyn Manager + Send + Sync {
    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
        write!(f, "CgroupManager")
    }
 }
--- a/src/agent/rustjail/src/cgroups/systemd.rs
+++ b/src/agent/rustjail/src/cgroups/systemd.rs
@ -1,10 +0,0 @@
 // Copyright (c) 2019 Ant Financial
 //
 // SPDX-License-Identifier: Apache-2.0
 //
 use crate::cgroups::Manager as CgroupManager;
 pub struct Manager {}
 impl CgroupManager for Manager {}
--- a/src/agent/rustjail/src/cgroups/systemd/cgroups_path.rs
+++ b/src/agent/rustjail/src/cgroups/systemd/cgroups_path.rs
@ -0,0 +1,95 @@
 // Copyright 2021-2022 Kata Contributors
 //
 // SPDX-License-Identifier: Apache-2.0
 //
 use anyhow::{anyhow, Result};
 use super::common::{DEFAULT_SLICE, SCOPE_SUFFIX, SLICE_SUFFIX};
 use std::string::String;
 #[derive(Serialize, Deserialize, Debug, Clone)]
 pub struct CgroupsPath {
    pub slice: String,
    pub prefix: String,
    pub name: String,
 }
 impl CgroupsPath {
    pub fn new(cgroups_path_str: &str) -> Result<Self> {
        let path_vec: Vec<&str> = cgroups_path_str.split(':').collect();
        if path_vec.len() != 3 {
            return Err(anyhow!("invalid cpath: {:?}", cgroups_path_str));
        }
        Ok(CgroupsPath {
            slice: if path_vec[0].is_empty() {
                DEFAULT_SLICE.to_string()
            } else {
                path_vec[0].to_owned()
            },
            prefix: path_vec[1].to_owned(),
            name: path_vec[2].to_owned(),
        })
    }
    // ref: https://github.com/opencontainers/runc/blob/main/docs/systemd.md
    // return: (parent_slice, unit_name)
    pub fn parse(&self) -> Result<(String, String)> {
        Ok((
            parse_parent(self.slice.to_owned())?,
            get_unit_name(self.prefix.to_owned(), self.name.to_owned()),
        ))
    }
 }
 fn parse_parent(slice: String) -> Result<String> {
    if !slice.ends_with(SLICE_SUFFIX) || slice.contains('/') {
        return Err(anyhow!("invalid slice name: {}", slice));
    } else if slice == "-.slice" {
        return Ok(String::new());
    }
    let mut slice_path = String::new();
    let mut prefix = String::new();
    for subslice in slice.trim_end_matches(SLICE_SUFFIX).split('-') {
        if subslice.is_empty() {
            return Err(anyhow!("invalid slice name: {}", slice));
        }
        slice_path = format!("{}/{}{}{}", slice_path, prefix, subslice, SLICE_SUFFIX);
        prefix = format!("{}{}-", prefix, subslice);
    }
    slice_path.remove(0);
    Ok(slice_path)
 }
 fn get_unit_name(prefix: String, name: String) -> String {
    if name.ends_with(SLICE_SUFFIX) {
        name
    } else if prefix.is_empty() {
        format!("{}{}", name, SCOPE_SUFFIX)
    } else {
        format!("{}-{}{}", prefix, name, SCOPE_SUFFIX)
    }
 }
 #[cfg(test)]
 mod tests {
    use super::CgroupsPath;
    #[test]
    fn test_cgroup_path_parse() {
        let slice = "system.slice";
        let prefix = "kata_agent";
        let name = "123";
        let cgroups_path =
            CgroupsPath::new(format!("{}:{}:{}", slice, prefix, name).as_str()).unwrap();
        assert_eq!(slice, cgroups_path.slice.as_str());
        assert_eq!(prefix, cgroups_path.prefix.as_str());
        assert_eq!(name, cgroups_path.name.as_str());
        let (parent_slice, unit_name) = cgroups_path.parse().unwrap();
        assert_eq!(format!("{}", slice), parent_slice);
        assert_eq!(format!("{}-{}.scope", prefix, name), unit_name);
    }
 }
--- a/src/agent/rustjail/src/cgroups/systemd/common.rs
+++ b/src/agent/rustjail/src/cgroups/systemd/common.rs
@ -0,0 +1,17 @@
 // Copyright 2021-2022 Kata Contributors
 //
 // SPDX-License-Identifier: Apache-2.0
 //
 pub const DEFAULT_SLICE: &str = "system.slice";
 pub const SLICE_SUFFIX: &str = ".slice";
 pub const SCOPE_SUFFIX: &str = ".scope";
 pub const UNIT_MODE: &str = "replace";
 pub type Properties<'a> = Vec<(&'a str, zbus::zvariant::Value<'a>)>;
 #[derive(Serialize, Deserialize, Debug, Clone)]
 pub enum CgroupHierarchy {
    Legacy,
    Unified,
 }
--- a/src/agent/rustjail/src/cgroups/systemd/dbus_client.rs
+++ b/src/agent/rustjail/src/cgroups/systemd/dbus_client.rs
@ -0,0 +1,126 @@
 // Copyright 2021-2022 Kata Contributors
 //
 // SPDX-License-Identifier: Apache-2.0
 //
 use std::vec;
 use super::common::CgroupHierarchy;
 use super::common::{Properties, SLICE_SUFFIX, UNIT_MODE};
 use super::interface::system::ManagerProxyBlocking as SystemManager;
 use anyhow::{Context, Result};
 use zbus::zvariant::Value;
 pub trait SystemdInterface {
    fn start_unit(
        &self,
        pid: i32,
        parent: &str,
        unit_name: &str,
        cg_hierarchy: &CgroupHierarchy,
    ) -> Result<()>;
    fn set_properties(&self, unit_name: &str, properties: &Properties) -> Result<()>;
    fn stop_unit(&self, unit_name: &str) -> Result<()>;
    fn get_version(&self) -> Result<String>;
    fn unit_exist(&self, unit_name: &str) -> Result<bool>;
    fn add_process(&self, pid: i32, unit_name: &str) -> Result<()>;
 }
 #[derive(Serialize, Deserialize, Debug, Clone)]
 pub struct DBusClient {}
 impl DBusClient {
    fn build_proxy(&self) -> Result<SystemManager<'static>> {
        let connection = zbus::blocking::Connection::system()?;
        let proxy = SystemManager::new(&connection)?;
        Ok(proxy)
    }
 }
 impl SystemdInterface for DBusClient {
    fn start_unit(
        &self,
        pid: i32,
        parent: &str,
        unit_name: &str,
        cg_hierarchy: &CgroupHierarchy,
    ) -> Result<()> {
        let proxy = self.build_proxy()?;
        // enable CPUAccounting & MemoryAccounting & (Block)IOAccounting by default
        let mut properties: Properties = vec![
            ("CPUAccounting", Value::Bool(true)),
            ("DefaultDependencies", Value::Bool(false)),
            ("MemoryAccounting", Value::Bool(true)),
            ("TasksAccounting", Value::Bool(true)),
            ("Description", Value::Str("kata-agent container".into())),
            ("PIDs", Value::Array(vec![pid as u32].into())),
        ];
        match *cg_hierarchy {
            CgroupHierarchy::Legacy => properties.push(("IOAccounting", Value::Bool(true))),
            CgroupHierarchy::Unified => properties.push(("BlockIOAccounting", Value::Bool(true))),
        }
        if unit_name.ends_with(SLICE_SUFFIX) {
            properties.push(("Wants", Value::Str(parent.into())));
        } else {
            properties.push(("Slice", Value::Str(parent.into())));
            properties.push(("Delegate", Value::Bool(true)));
        }
        proxy
            .start_transient_unit(unit_name, UNIT_MODE, &properties, &[])
            .with_context(|| format!("failed to start transient unit {}", unit_name))?;
        Ok(())
    }
    fn set_properties(&self, unit_name: &str, properties: &Properties) -> Result<()> {
        let proxy = self.build_proxy()?;
        proxy
            .set_unit_properties(unit_name, true, properties)
            .with_context(|| format!("failed to set unit properties {}", unit_name))?;
        Ok(())
    }
    fn stop_unit(&self, unit_name: &str) -> Result<()> {
        let proxy = self.build_proxy()?;
        proxy
            .stop_unit(unit_name, UNIT_MODE)
            .with_context(|| format!("failed to stop unit {}", unit_name))?;
        Ok(())
    }
    fn get_version(&self) -> Result<String> {
        let proxy = self.build_proxy()?;
        let systemd_version = proxy
            .version()
            .with_context(|| "failed to get systemd version".to_string())?;
        Ok(systemd_version)
    }
    fn unit_exist(&self, unit_name: &str) -> Result<bool> {
        let proxy = self.build_proxy()?;
        Ok(proxy.get_unit(unit_name).is_ok())
    }
    fn add_process(&self, pid: i32, unit_name: &str) -> Result<()> {
        let proxy = self.build_proxy()?;
        proxy
            .attach_processes_to_unit(unit_name, "/", &[pid as u32])
            .with_context(|| format!("failed to add process {}", unit_name))?;
        Ok(())
    }
 }
--- a/src/agent/rustjail/src/cgroups/systemd/interface/mod.rs
+++ b/src/agent/rustjail/src/cgroups/systemd/interface/mod.rs
@ -0,0 +1,7 @@
 // Copyright 2021-2022 Kata Contributors
 //
 // SPDX-License-Identifier: Apache-2.0
 //
 pub(crate) mod session;
 pub(crate) mod system;
--- a/src/agent/rustjail/src/cgroups/systemd/interface/session.rs
+++ b/src/agent/rustjail/src/cgroups/systemd/interface/session.rs
--- a/src/agent/rustjail/src/cgroups/systemd/interface/system.rs
+++ b/src/agent/rustjail/src/cgroups/systemd/interface/system.rs
--- a/src/agent/rustjail/src/cgroups/systemd/manager.rs
+++ b/src/agent/rustjail/src/cgroups/systemd/manager.rs
@ -0,0 +1,129 @@
 // Copyright 2021-2022 Kata Contributors
 //
 // SPDX-License-Identifier: Apache-2.0
 //
 use crate::cgroups::Manager as CgroupManager;
 use crate::protocols::agent::CgroupStats;
 use anyhow::Result;
 use cgroups::freezer::FreezerState;
 use libc::{self, pid_t};
 use oci::LinuxResources;
 use std::any::Any;
 use std::collections::HashMap;
 use std::convert::TryInto;
 use std::string::String;
 use std::vec;
 use super::super::fs::Manager as FsManager;
 use super::cgroups_path::CgroupsPath;
 use super::common::{CgroupHierarchy, Properties};
 use super::dbus_client::{DBusClient, SystemdInterface};
 use super::subsystem::transformer::Transformer;
 use super::subsystem::{cpu::Cpu, cpuset::CpuSet, memory::Memory, pids::Pids};
 #[derive(Serialize, Deserialize, Debug, Clone)]
 pub struct Manager {
    pub paths: HashMap<String, String>,
    pub mounts: HashMap<String, String>,
    pub cgroups_path: CgroupsPath,
    pub cpath: String,
    pub unit_name: String,
    // dbus client for set properties
    dbus_client: DBusClient,
    // fs manager for get properties
    fs_manager: FsManager,
    // cgroup version for different dbus properties
    cg_hierarchy: CgroupHierarchy,
 }
 impl CgroupManager for Manager {
    fn apply(&self, pid: pid_t) -> Result<()> {
        let unit_name = self.unit_name.as_str();
        if self.dbus_client.unit_exist(unit_name).unwrap() {
            self.dbus_client.add_process(pid, self.unit_name.as_str())?;
        } else {
            self.dbus_client.start_unit(
                (pid as u32).try_into().unwrap(),
                self.cgroups_path.slice.as_str(),
                self.unit_name.as_str(),
                &self.cg_hierarchy,
            )?;
        }
        Ok(())
    }
    fn set(&self, r: &LinuxResources, _: bool) -> Result<()> {
        let mut properties: Properties = vec![];
        let systemd_version = self.dbus_client.get_version()?;
        let systemd_version_str = systemd_version.as_str();
        Cpu::apply(r, &mut properties, &self.cg_hierarchy, systemd_version_str)?;
        Memory::apply(r, &mut properties, &self.cg_hierarchy, systemd_version_str)?;
        Pids::apply(r, &mut properties, &self.cg_hierarchy, systemd_version_str)?;
        CpuSet::apply(r, &mut properties, &self.cg_hierarchy, systemd_version_str)?;
        self.dbus_client
            .set_properties(self.unit_name.as_str(), &properties)?;
        Ok(())
    }
    fn get_stats(&self) -> Result<CgroupStats> {
        self.fs_manager.get_stats()
    }
    fn freeze(&self, state: FreezerState) -> Result<()> {
        self.fs_manager.freeze(state)
    }
    fn destroy(&mut self) -> Result<()> {
        self.dbus_client.stop_unit(self.unit_name.as_str())?;
        self.fs_manager.destroy()
    }
    fn get_pids(&self) -> Result<Vec<pid_t>> {
        self.fs_manager.get_pids()
    }
    fn update_cpuset_path(&self, guest_cpuset: &str, container_cpuset: &str) -> Result<()> {
        self.fs_manager
            .update_cpuset_path(guest_cpuset, container_cpuset)
    }
    fn get_cgroup_path(&self, cg: &str) -> Result<String> {
        self.fs_manager.get_cgroup_path(cg)
    }
    fn as_any(&self) -> Result<&dyn Any> {
        Ok(self)
    }
 }
 impl Manager {
    pub fn new(cgroups_path_str: &str) -> Result<Self> {
        let cgroups_path = CgroupsPath::new(cgroups_path_str)?;
        let (parent_slice, unit_name) = cgroups_path.parse()?;
        let cpath = parent_slice + "/" + &unit_name;
        let fs_manager = FsManager::new(cpath.as_str())?;
        Ok(Manager {
            paths: fs_manager.paths.clone(),
            mounts: fs_manager.mounts.clone(),
            cgroups_path,
            cpath,
            unit_name,
            dbus_client: DBusClient {},
            fs_manager,
            cg_hierarchy: if cgroups::hierarchies::is_cgroup2_unified_mode() {
                CgroupHierarchy::Unified
            } else {
                CgroupHierarchy::Legacy
            },
        })
    }
 }
--- a/src/agent/rustjail/src/cgroups/systemd/mod.rs
+++ b/src/agent/rustjail/src/cgroups/systemd/mod.rs
@ -0,0 +1,12 @@
 // Copyright 2021-2022 Kata Contributors
 //
 // SPDX-License-Identifier: Apache-2.0
 //
 pub mod manager;
 mod cgroups_path;
 mod common;
 mod dbus_client;
 mod interface;
 mod subsystem;
--- a/src/agent/rustjail/src/cgroups/systemd/subsystem/cpu.rs
+++ b/src/agent/rustjail/src/cgroups/systemd/subsystem/cpu.rs
@ -0,0 +1,139 @@
 // Copyright 2021-2022 Kata Contributors
 //
 // SPDX-License-Identifier: Apache-2.0
 //
 use super::super::common::{CgroupHierarchy, Properties};
 use super::transformer::Transformer;
 use anyhow::Result;
 use oci::{LinuxCpu, LinuxResources};
 use zbus::zvariant::Value;
 const BASIC_SYSTEMD_VERSION: &str = "242";
 const DEFAULT_CPUQUOTAPERIOD: u64 = 100 * 1000;
 const SEC2MICROSEC: u64 = 1000 * 1000;
 const BASIC_INTERVAL: u64 = 10 * 1000;
 pub struct Cpu {}
 impl Transformer for Cpu {
    fn apply(
        r: &LinuxResources,
        properties: &mut Properties,
        cgroup_hierarchy: &CgroupHierarchy,
        systemd_version: &str,
    ) -> Result<()> {
        if let Some(cpu_resources) = &r.cpu {
            match cgroup_hierarchy {
                CgroupHierarchy::Legacy => {
                    Self::legacy_apply(cpu_resources, properties, systemd_version)?
                }
                CgroupHierarchy::Unified => {
                    Self::unified_apply(cpu_resources, properties, systemd_version)?
                }
            }
        }
        Ok(())
    }
 }
 impl Cpu {
    // v1:
    // cpu.shares <-> CPUShares
    // cpu.period <-> CPUQuotaPeriodUSec
    // cpu.period & cpu.quota <-> CPUQuotaPerSecUSec
    fn legacy_apply(
        cpu_resources: &LinuxCpu,
        properties: &mut Properties,
        systemd_version: &str,
    ) -> Result<()> {
        if let Some(shares) = cpu_resources.shares {
            properties.push(("CPUShares", Value::U64(shares)));
        }
        if let Some(period) = cpu_resources.period {
            if period != 0 && systemd_version >= BASIC_SYSTEMD_VERSION {
                properties.push(("CPUQuotaPeriodUSec", Value::U64(period)));
            }
        }
        if let Some(quota) = cpu_resources.quota {
            let period = cpu_resources.period.unwrap_or(DEFAULT_CPUQUOTAPERIOD);
            if period != 0 {
                let cpu_quota_per_sec_usec = resolve_cpuquota(quota, period);
                properties.push(("CPUQuotaPerSecUSec", Value::U64(cpu_quota_per_sec_usec)));
            }
        }
        Ok(())
    }
    // v2:
    // cpu.shares <-> CPUShares
    // cpu.period <-> CPUQuotaPeriodUSec
    // cpu.period & cpu.quota <-> CPUQuotaPerSecUSec
    fn unified_apply(
        cpu_resources: &LinuxCpu,
        properties: &mut Properties,
        systemd_version: &str,
    ) -> Result<()> {
        if let Some(shares) = cpu_resources.shares {
            let unified_shares = get_unified_cpushares(shares);
            properties.push(("CPUShares", Value::U64(unified_shares)));
        }
        if let Some(period) = cpu_resources.period {
            if period != 0 && systemd_version >= BASIC_SYSTEMD_VERSION {
                properties.push(("CPUQuotaPeriodUSec", Value::U64(period)));
            }
        }
        if let Some(quota) = cpu_resources.quota {
            let period = cpu_resources.period.unwrap_or(DEFAULT_CPUQUOTAPERIOD);
            if period != 0 {
                let cpu_quota_per_sec_usec = resolve_cpuquota(quota, period);
                properties.push(("CPUQuotaPerSecUSec", Value::U64(cpu_quota_per_sec_usec)));
            }
        }
        Ok(())
    }
 }
 // ref: https://github.com/containers/crun/blob/main/crun.1.md#cgroup-v2
 // [2-262144] to [1-10000]
 fn get_unified_cpushares(shares: u64) -> u64 {
    if shares == 0 {
        return 100;
    }
    1 + ((shares - 2) * 9999) / 262142
 }
 fn resolve_cpuquota(quota: i64, period: u64) -> u64 {
    let mut cpu_quota_per_sec_usec = u64::MAX;
    if quota > 0 {
        cpu_quota_per_sec_usec = (quota as u64) * SEC2MICROSEC / period;
        if cpu_quota_per_sec_usec % BASIC_INTERVAL != 0 {
            cpu_quota_per_sec_usec =
                ((cpu_quota_per_sec_usec / BASIC_INTERVAL) + 1) * BASIC_INTERVAL;
        }
    }
    cpu_quota_per_sec_usec
 }
 #[cfg(test)]
 mod tests {
    use crate::cgroups::systemd::subsystem::cpu::resolve_cpuquota;
    #[test]
    fn test_unified_cpuquota() {
        let quota: i64 = 1000000;
        let period: u64 = 500000;
        let cpu_quota_per_sec_usec = resolve_cpuquota(quota, period);
        assert_eq!(2000000, cpu_quota_per_sec_usec);
    }
 }
--- a/src/agent/rustjail/src/cgroups/systemd/subsystem/cpuset.rs
+++ b/src/agent/rustjail/src/cgroups/systemd/subsystem/cpuset.rs
@ -0,0 +1,124 @@
 // Copyright 2021-2022 Kata Contributors
 //
 // SPDX-License-Identifier: Apache-2.0
 //
 use super::super::common::{CgroupHierarchy, Properties};
 use super::transformer::Transformer;
 use anyhow::{bail, Result};
 use bit_vec::BitVec;
 use oci::{LinuxCpu, LinuxResources};
 use std::convert::{TryFrom, TryInto};
 use zbus::zvariant::Value;
 const BASIC_SYSTEMD_VERSION: &str = "244";
 pub struct CpuSet {}
 impl Transformer for CpuSet {
    fn apply(
        r: &LinuxResources,
        properties: &mut Properties,
        _: &CgroupHierarchy,
        systemd_version: &str,
    ) -> Result<()> {
        if let Some(cpuset_resources) = &r.cpu {
            Self::apply(cpuset_resources, properties, systemd_version)?;
        }
        Ok(())
    }
 }
 // v1 & v2:
 // cpuset.cpus <-> AllowedCPUs (v244)
 // cpuset.mems <-> AllowedMemoryNodes (v244)
 impl CpuSet {
    fn apply(
        cpuset_resources: &LinuxCpu,
        properties: &mut Properties,
        systemd_version: &str,
    ) -> Result<()> {
        if systemd_version < BASIC_SYSTEMD_VERSION {
            return Ok(());
        }
        let cpus = cpuset_resources.cpus.as_str();
        if !cpus.is_empty() {
            let cpus_vec: BitMask = cpus.try_into()?;
            properties.push(("AllowedCPUs", Value::Array(cpus_vec.0.into())));
        }
        let mems = cpuset_resources.mems.as_str();
        if !mems.is_empty() {
            let mems_vec: BitMask = mems.try_into()?;
            properties.push(("AllowedMemoryNodes", Value::Array(mems_vec.0.into())));
        }
        Ok(())
    }
 }
 struct BitMask(Vec<u8>);
 impl TryFrom<&str> for BitMask {
    type Error = anyhow::Error;
    fn try_from(bitmask_str: &str) -> Result<Self, Self::Error> {
        let mut bitmask_vec = BitVec::from_elem(8, false);
        let bitmask_str_vec: Vec<&str> = bitmask_str.split(',').collect();
        for bitmask in bitmask_str_vec.iter() {
            let range: Vec<&str> = bitmask.split('-').collect();
            match range.len() {
                1 => {
                    let idx: usize = range[0].parse()?;
                    while idx >= bitmask_vec.len() {
                        bitmask_vec.grow(8, false);
                    }
                    bitmask_vec.set(adjust_index(idx), true);
                }
                2 => {
                    let left_index = range[0].parse()?;
                    let right_index = range[1].parse()?;
                    while right_index >= bitmask_vec.len() {
                        bitmask_vec.grow(8, false);
                    }
                    for idx in left_index..=right_index {
                        bitmask_vec.set(adjust_index(idx), true);
                    }
                }
                _ => bail!("invalid bitmask str {}", bitmask_str),
            }
        }
        let mut result_vec = bitmask_vec.to_bytes();
        result_vec.reverse();
        Ok(BitMask(result_vec))
    }
 }
 #[inline(always)]
 fn adjust_index(idx: usize) -> usize {
    idx / 8 * 8 + 7 - idx % 8
 }
 #[cfg(test)]
 mod tests {
    use std::convert::TryInto;
    use crate::cgroups::systemd::subsystem::cpuset::BitMask;
    #[test]
    fn test_bitmask_conversion() {
        let cpus_vec: BitMask = "2-4".try_into().unwrap();
        assert_eq!(vec![0b11100 as u8], cpus_vec.0);
        let cpus_vec: BitMask = "1,7".try_into().unwrap();
        assert_eq!(vec![0b10000010 as u8], cpus_vec.0);
        let cpus_vec: BitMask = "0,2-3,7".try_into().unwrap();
        assert_eq!(vec![0b10001101 as u8], cpus_vec.0);
    }
 }
--- a/src/agent/rustjail/src/cgroups/systemd/subsystem/memory.rs
+++ b/src/agent/rustjail/src/cgroups/systemd/subsystem/memory.rs
@ -0,0 +1,117 @@
 // Copyright 2021-2022 Kata Contributors
 //
 // SPDX-License-Identifier: Apache-2.0
 //
 use super::super::common::{CgroupHierarchy, Properties};
 use super::transformer::Transformer;
 use anyhow::{bail, Result};
 use oci::{LinuxMemory, LinuxResources};
 use zbus::zvariant::Value;
 pub struct Memory {}
 impl Transformer for Memory {
    fn apply(
        r: &LinuxResources,
        properties: &mut Properties,
        cgroup_hierarchy: &CgroupHierarchy,
        _: &str,
    ) -> Result<()> {
        if let Some(memory_resources) = &r.memory {
            match cgroup_hierarchy {
                CgroupHierarchy::Legacy => Self::legacy_apply(memory_resources, properties)?,
                CgroupHierarchy::Unified => Self::unified_apply(memory_resources, properties)?,
            }
        }
        Ok(())
    }
 }
 impl Memory {
    // v1:
    // memory.limit <-> MemoryLimit
    fn legacy_apply(memory_resources: &LinuxMemory, properties: &mut Properties) -> Result<()> {
        if let Some(limit) = memory_resources.limit {
            let limit = match limit {
                1..=i64::MAX => limit as u64,
                0 => u64::MAX,
                _ => bail!("invalid memory.limit"),
            };
            properties.push(("MemoryLimit", Value::U64(limit)));
        }
        Ok(())
    }
    // v2:
    // memory.low <-> MemoryLow
    // memory.max <-> MemoryMax
    // memory.swap & memory.limit <-> MemorySwapMax
    fn unified_apply(memory_resources: &LinuxMemory, properties: &mut Properties) -> Result<()> {
        if let Some(limit) = memory_resources.limit {
            let limit = match limit {
                1..=i64::MAX => limit as u64,
                0 => u64::MAX,
                _ => bail!("invalid memory.limit: {}", limit),
            };
            properties.push(("MemoryMax", Value::U64(limit)));
        }
        if let Some(reservation) = memory_resources.reservation {
            let reservation = match reservation {
                1..=i64::MAX => reservation as u64,
                0 => u64::MAX,
                _ => bail!("invalid memory.reservation: {}", reservation),
            };
            properties.push(("MemoryLow", Value::U64(reservation)));
        }
        let swap = match memory_resources.swap {
            Some(0) => u64::MAX,
            Some(1..=i64::MAX) => match memory_resources.limit {
                Some(1..=i64::MAX) => {
                    (memory_resources.limit.unwrap() - memory_resources.swap.unwrap()) as u64
                }
                _ => bail!("invalid memory.limit when memory.swap specified"),
            },
            None => u64::MAX,
            _ => bail!("invalid memory.swap"),
        };
        properties.push(("MemorySwapMax", Value::U64(swap)));
        Ok(())
    }
 }
 #[cfg(test)]
 mod tests {
    use super::Memory;
    use super::Properties;
    use super::Value;
    #[test]
    fn test_unified_memory() {
        let memory_resources = oci::LinuxMemory {
            limit: Some(736870912),
            reservation: Some(536870912),
            swap: Some(536870912),
            kernel: Some(0),
            kernel_tcp: Some(0),
            swappiness: Some(0),
            disable_oom_killer: Some(false),
        };
        let mut properties: Properties = vec![];
        assert_eq!(
            true,
            Memory::unified_apply(&memory_resources, &mut properties).is_ok()
        );
        assert_eq!(Value::U64(200000000), properties[2].1);
    }
 }
--- a/src/agent/rustjail/src/cgroups/systemd/subsystem/mod.rs
+++ b/src/agent/rustjail/src/cgroups/systemd/subsystem/mod.rs
@ -0,0 +1,10 @@
 // Copyright 2021-2022 Kata Contributors
 //
 // SPDX-License-Identifier: Apache-2.0
 //
 pub mod cpu;
 pub mod cpuset;
 pub mod memory;
 pub mod pids;
 pub mod transformer;
--- a/src/agent/rustjail/src/cgroups/systemd/subsystem/pids.rs
+++ b/src/agent/rustjail/src/cgroups/systemd/subsystem/pids.rs
@ -0,0 +1,60 @@
 // Copyright 2021-2022 Kata Contributors
 //
 // SPDX-License-Identifier: Apache-2.0
 //
 use super::super::common::{CgroupHierarchy, Properties};
 use super::transformer::Transformer;
 use anyhow::Result;
 use oci::{LinuxPids, LinuxResources};
 use zbus::zvariant::Value;
 pub struct Pids {}
 impl Transformer for Pids {
    fn apply(
        r: &LinuxResources,
        properties: &mut Properties,
        _: &CgroupHierarchy,
        _: &str,
    ) -> Result<()> {
        if let Some(pids_resources) = &r.pids {
            Self::apply(pids_resources, properties)?;
        }
        Ok(())
    }
 }
 // pids.limit <-> TasksMax
 impl Pids {
    fn apply(pids_resources: &LinuxPids, properties: &mut Properties) -> Result<()> {
        let limit = if pids_resources.limit > 0 {
            pids_resources.limit as u64
        } else {
            u64::MAX
        };
        properties.push(("TasksMax", Value::U64(limit)));
        Ok(())
    }
 }
 #[cfg(test)]
 mod tests {
    use super::Pids;
    use super::Properties;
    use super::Value;
    #[test]
    fn test_subsystem_workflow() {
        let pids_resources = oci::LinuxPids { limit: 0 };
        let mut properties: Properties = vec![];
        assert_eq!(true, Pids::apply(&pids_resources, &mut properties).is_ok());
        assert_eq!(Value::U64(u64::MAX), properties[0].1);
    }
 }
--- a/src/agent/rustjail/src/cgroups/systemd/subsystem/transformer.rs
+++ b/src/agent/rustjail/src/cgroups/systemd/subsystem/transformer.rs
@ -0,0 +1,17 @@
 // Copyright 2021-2022 Kata Contributors
 //
 // SPDX-License-Identifier: Apache-2.0
 //
 use super::super::common::{CgroupHierarchy, Properties};
 use anyhow::Result;
 use oci::LinuxResources;
 pub trait Transformer {
    fn apply(
        r: &LinuxResources,
        properties: &mut Properties,
        cgroup_hierarchy: &CgroupHierarchy,
        systemd_version: &str,
    ) -> Result<()>;
 }
--- a/src/agent/rustjail/src/container.rs
+++ b/src/agent/rustjail/src/container.rs
@ -22,6 +22,7 @@ use crate::capabilities;
 use crate::cgroups::fs::Manager as FsManager;
 #[cfg(test)]
 use crate::cgroups::mock::Manager as FsManager;
 use crate::cgroups::systemd::manager::Manager as SystemdManager;
 use crate::cgroups::Manager;
 #[cfg(feature = "standard-oci-runtime")]
 use crate::console;
@ -49,6 +50,7 @@ use std::os::unix::io::AsRawFd;
 use protobuf::SingularPtrField;
 use oci::State as OCIState;
 use regex::Regex;
 use std::collections::HashMap;
 use std::os::unix::io::FromRawFd;
 use std::str::FromStr;
@ -201,6 +203,8 @@ lazy_static! {
            },
        ]
    };
    pub static ref SYSTEMD_CGROUP_PATH_FORMAT:Regex = Regex::new(r"^[\w\-.]*:[\w\-.]*:[\w\-.]*$").unwrap();
 }
 #[derive(Serialize, Deserialize, Debug)]
@ -239,7 +243,7 @@ pub struct LinuxContainer {
    pub id: String,
    pub root: String,
    pub config: Config,
-    pub cgroup_manager: Option<FsManager>,
+    pub cgroup_manager: Option<Box<dyn Manager + Send + Sync>>,
    pub init_process_pid: pid_t,
    pub init_process_start_time: u64,
    pub uid_map_path: String,
@ -390,7 +394,9 @@ fn do_init_child(cwfd: RawFd) -> Result<()> {
    let buf = read_sync(crfd)?;
    let cm_str = std::str::from_utf8(&buf)?;
-    let cm: FsManager = serde_json::from_str(cm_str)?;
+    // deserialize cm_str into FsManager and SystemdManager separately
    let fs_cm: Result<FsManager, serde_json::Error> = serde_json::from_str(cm_str);
    let systemd_cm: Result<SystemdManager, serde_json::Error> = serde_json::from_str(cm_str);
    #[cfg(feature = "standard-oci-runtime")]
    let csocket_fd = console::setup_console_socket(&std::env::var(CONSOLE_SOCKET_FD)?)?;
@ -548,7 +554,18 @@ fn do_init_child(cwfd: RawFd) -> Result<()> {
    if to_new.contains(CloneFlags::CLONE_NEWNS) {
        // setup rootfs
-        mount::init_rootfs(cfd_log, &spec, &cm.paths, &cm.mounts, bind_device)?;
+        if let Ok(systemd_cm) = systemd_cm {
            mount::init_rootfs(
                cfd_log,
                &spec,
                &systemd_cm.paths,
                &systemd_cm.mounts,
                bind_device,
            )?;
        } else {
            let fs_cm = fs_cm.unwrap();
            mount::init_rootfs(cfd_log, &spec, &fs_cm.paths, &fs_cm.mounts, bind_device)?;
        }
    }
    if init {
@ -1018,7 +1035,8 @@ impl BaseContainer for LinuxContainer {
            &logger,
            spec,
            &p,
-            self.cgroup_manager.as_ref().unwrap(),
+            self.cgroup_manager.as_ref().unwrap().as_ref(),
            self.config.use_systemd_cgroup,
            &st,
            &mut pipe_w,
            &mut pipe_r,
@ -1280,11 +1298,13 @@ pub fn setup_child_logger(fd: RawFd, child_logger: Logger) -> tokio::task::JoinH
    })
 }
 #[allow(clippy::too_many_arguments)]
 async fn join_namespaces(
    logger: &Logger,
    spec: &Spec,
    p: &Process,
-    cm: &FsManager,
+    cm: &(dyn Manager + Send + Sync),
    use_systemd_cgroup: bool,
    st: &OCIState,
    pipe_w: &mut PipeStream,
    pipe_r: &mut PipeStream,
@ -1311,7 +1331,11 @@ async fn join_namespaces(
    info!(logger, "wait child received oci process");
    read_async(pipe_r).await?;
-    let cm_str = serde_json::to_string(cm)?;
+    let cm_str = if use_systemd_cgroup {
        serde_json::to_string(cm.as_any()?.downcast_ref::<SystemdManager>().unwrap())
    } else {
        serde_json::to_string(cm.as_any()?.downcast_ref::<FsManager>().unwrap())
    }?;
    write_async(pipe_w, SYNC_DATA, cm_str.as_str()).await?;
    // wait child setup user namespace
@ -1334,13 +1358,16 @@ async fn join_namespaces(
    }
    // apply cgroups
-    if p.init && res.is_some() {
+    // For FsManger, it's no matter about the order of apply and set.
-        info!(logger, "apply cgroups!");
+    // For SystemdManger, apply must be precede set because we can only create a systemd unit with specific processes(pids).
-        cm.set(res.unwrap(), false)?;
+    if res.is_some() {
        info!(logger, "apply processes to cgroups!");
        cm.apply(p.pid)?;
    }
-    if res.is_some() {
+    if p.init && res.is_some() {
-        cm.apply(p.pid)?;
+        info!(logger, "set properties to cgroups!");
        cm.set(res.unwrap(), false)?;
    }
    info!(logger, "notify child to continue");
@ -1419,7 +1446,7 @@ impl LinuxContainer {
    pub fn new<T: Into<String> + Display + Clone>(
        id: T,
        base: T,
-        config: Config,
+        mut config: Config,
        logger: &Logger,
    ) -> Result<Self> {
        let base = base.into();
@ -1448,18 +1475,40 @@ impl LinuxContainer {
        let linux = spec.linux.as_ref().unwrap();
-        let cpath = if linux.cgroups_path.is_empty() {
+        // determine which cgroup driver to take and then assign to config.use_systemd_cgroup
-            format!("/{}", id.as_str())
+        // systemd: "[slice]:[prefix]:[name]"
        // fs: "/path_a/path_b"
        let cpath = if SYSTEMD_CGROUP_PATH_FORMAT.is_match(linux.cgroups_path.as_str()) {
            config.use_systemd_cgroup = true;
            if linux.cgroups_path.len() == 2 {
                format!("system.slice:kata_agent:{}", id.as_str())
            } else {
                linux.cgroups_path.clone()
            }
        } else {
-            linux.cgroups_path.clone()
+            config.use_systemd_cgroup = false;
            if linux.cgroups_path.is_empty() {
                format!("/{}", id.as_str())
            } else {
                linux.cgroups_path.clone()
            }
        };
-        let cgroup_manager = FsManager::new(cpath.as_str()).map_err(|e| {
+        let cgroup_manager: Box<dyn Manager + Send + Sync> = if config.use_systemd_cgroup {
-            anyhow!(format!(
+            Box::new(SystemdManager::new(cpath.as_str()).map_err(|e| {
-                "fail to create cgroup manager with path {}: {:}",
+                anyhow!(format!(
-                cpath, e
+                    "fail to create cgroup manager with path {}: {:}",
-            ))
+                    cpath, e
-        })?;
+                ))
            })?)
        } else {
            Box::new(FsManager::new(cpath.as_str()).map_err(|e| {
                anyhow!(format!(
                    "fail to create cgroup manager with path {}: {:}",
                    cpath, e
                ))
            })?)
        };
        info!(logger, "new cgroup_manager {:?}", &cgroup_manager);
        Ok(LinuxContainer {
@ -1944,7 +1993,11 @@ mod tests {
    #[test]
    fn test_linuxcontainer_pause() {
        let ret = new_linux_container_and_then(|mut c: LinuxContainer| {
-            c.cgroup_manager = FsManager::new("").ok();
+            let cgroup_manager: Box<dyn Manager + Send + Sync> =
                Box::new(FsManager::new("").map_err(|e| {
                    anyhow!(format!("fail to create cgroup manager with path: {:}", e))
                })?);
            c.cgroup_manager = Some(cgroup_manager);
            c.pause().map_err(|e| anyhow!(e))
        });
@ -1977,7 +2030,11 @@ mod tests {
    #[test]
    fn test_linuxcontainer_resume() {
        let ret = new_linux_container_and_then(|mut c: LinuxContainer| {
-            c.cgroup_manager = FsManager::new("").ok();
+            let cgroup_manager: Box<dyn Manager + Send + Sync> =
                Box::new(FsManager::new("").map_err(|e| {
                    anyhow!(format!("fail to create cgroup manager with path: {:}", e))
                })?);
            c.cgroup_manager = Some(cgroup_manager);
            // Change status to paused, this way we can resume it
            c.status.transition(ContainerState::Paused);
            c.resume().map_err(|e| anyhow!(e))
--- a/src/agent/src/rpc.rs
+++ b/src/agent/src/rpc.rs
@ -44,7 +44,6 @@ use nix::errno::Errno;
 use nix::mount::MsFlags;
 use nix::sys::{stat, statfs};
 use nix::unistd::{self, Pid};
 use rustjail::cgroups::Manager;
 use rustjail::process::ProcessOperations;
 use crate::device::{
@ -267,9 +266,9 @@ impl AgentService {
        // start oom event loop
        if let Some(ref ctr) = ctr.cgroup_manager {
-            let cg_path = ctr.get_cg_path("memory");
+            let cg_path = ctr.get_cgroup_path("memory");
-            if let Some(cg_path) = cg_path {
+            if let Ok(cg_path) = cg_path {
                let rx = notifier::notify_oom(cid.as_str(), cg_path.to_string()).await?;
                s.run_oom_event_monitor(rx, cid.clone()).await;
--- a/src/runtime/virtcontainers/kata_agent.go
+++ b/src/runtime/virtcontainers/kata_agent.go
@ -23,7 +23,6 @@ import (
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/device/config"
 	volume "github.com/kata-containers/kata-containers/src/runtime/pkg/direct-volume"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katautils/katatrace"
 	resCtrl "github.com/kata-containers/kata-containers/src/runtime/pkg/resourcecontrol"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/uuid"
 	persistapi "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/persist/api"
 	pbTypes "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/agent/protocols"
@ -927,18 +926,19 @@ func (k *kataAgent) constrainGRPCSpec(grpcSpec *grpc.Spec, passSeccomp bool, str
 		grpcSpec.Linux.Resources.CPU.Mems = ""
 	}
 	// We need agent systemd cgroup now.
 	// There are three main reasons to do not apply systemd cgroups in the VM
 	// - Initrd image doesn't have systemd.
 	// - Nobody will be able to modify the resources of a specific container by using systemctl set-property.
 	// - docker is not running in the VM.
-	if resCtrl.IsSystemdCgroup(grpcSpec.Linux.CgroupsPath) {
+	// if resCtrl.IsSystemdCgroup(grpcSpec.Linux.CgroupsPath) {
-		// Convert systemd cgroup to cgroupfs
+	// 	// Convert systemd cgroup to cgroupfs
-		slice := strings.Split(grpcSpec.Linux.CgroupsPath, ":")
+	// 	slice := strings.Split(grpcSpec.Linux.CgroupsPath, ":")
-		// 0 - slice: system.slice
+	// 	// 0 - slice: system.slice
-		// 1 - prefix: docker
+	// 	// 1 - prefix: docker
-		// 2 - name: abc123
+	// 	// 2 - name: abc123
-		grpcSpec.Linux.CgroupsPath = filepath.Join("/", slice[1], slice[2])
+	// 	grpcSpec.Linux.CgroupsPath = filepath.Join("/", slice[1], slice[2])
-	}
+	// }
 	// Disable network namespace since it is already handled on the host by
 	// virtcontainers. The network is a complex part which cannot be simply
--- a/src/runtime/virtcontainers/kata_agent_test.go
+++ b/src/runtime/virtcontainers/kata_agent_test.go
@ -574,7 +574,7 @@ func TestAppendVhostUserBlkDevices(t *testing.T) {
 func TestConstrainGRPCSpec(t *testing.T) {
 	assert := assert.New(t)
-	expectedCgroupPath := "/foo/bar"
+	expectedCgroupPath := "system.slice:foo:bar"
 	g := &pb.Spec{
 		Hooks: &pb.Hooks{},
--- a/src/tools/agent-ctl/Cargo.lock
+++ b/src/tools/agent-ctl/Cargo.lock
@ -41,6 +41,88 @@ version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c5d78ce20460b82d3fa150275ed9d55e21064fc7951177baacf86a145c4a4b1f"
 [[package]]
 name = "async-broadcast"
 version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6d26004fe83b2d1cd3a97609b21e39f9a31535822210fe83205d2ce48866ea61"
 dependencies = [
 "event-listener",
 "futures-core",
 "parking_lot",
 ]
 [[package]]
 name = "async-channel"
 version = "1.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e14485364214912d3b19cc3435dde4df66065127f05fa0d75c712f36f12c2f28"
 dependencies = [
 "concurrent-queue",
 "event-listener",
 "futures-core",
 ]
 [[package]]
 name = "async-executor"
 version = "1.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "871f9bb5e0a22eeb7e8cf16641feb87c9dc67032ccf8ff49e772eb9941d3a965"
 dependencies = [
 "async-task",
 "concurrent-queue",
 "fastrand",
 "futures-lite",
 "once_cell",
 "slab",
 ]
 [[package]]
 name = "async-io"
 version = "1.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "83e21f3a490c72b3b0cf44962180e60045de2925d8dff97918f7ee43c8f637c7"
 dependencies = [
 "autocfg",
 "concurrent-queue",
 "futures-lite",
 "libc",
 "log",
 "once_cell",
 "parking",
 "polling",
 "slab",
 "socket2",
 "waker-fn",
 "winapi",
 ]
 [[package]]
 name = "async-lock"
 version = "2.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e97a171d191782fba31bb902b14ad94e24a68145032b7eedf871ab0bc0d077b6"
 dependencies = [
 "event-listener",
 ]
 [[package]]
 name = "async-recursion"
 version = "0.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d7d78656ba01f1b93024b7c3a0467f1608e4be67d725749fdcd7d2c7678fd7a2"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn",
 ]
 [[package]]
 name = "async-task"
 version = "4.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7a40729d2133846d9ed0ea60a8b9541bccddab49cd30f0715a1da672fe9a2524"
 [[package]]
 name = "async-trait"
 version = "0.1.52"
@ -65,9 +147,15 @@ dependencies = [
 [[package]]
 name = "autocfg"
-version = "1.0.1"
+version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a"
+checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
 [[package]]
 name = "bit-vec"
 version = "0.6.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb"
 [[package]]
 name = "bitflags"
@ -93,6 +181,12 @@ version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c4872d67bab6358e59559027aa3b9157c53d9358c51423c17554809a8858e0f8"
 [[package]]
 name = "cache-padded"
 version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c1db59621ec70f09c5e9b597b220c7a2b43611f4710dc03ceb8748637775692c"
 [[package]]
 name = "capctl"
 version = "0.2.0"
@ -174,6 +268,15 @@ dependencies = [
 "vec_map",
 ]
 [[package]]
 name = "concurrent-queue"
 version = "1.2.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "af4780a44ab5696ea9e28294517f1fffb421a83a25af521333c838635509db9c"
 dependencies = [
 "cache-padded",
 ]
 [[package]]
 name = "core-foundation-sys"
 version = "0.8.3"
@ -200,6 +303,17 @@ dependencies = [
 "lazy_static",
 ]
 [[package]]
 name = "derivative"
 version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fcc3dd5e9e9c0b295d6e1e4d811fb6f157d5ffd784b8d202fc62eac8035a770b"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn",
 ]
 [[package]]
 name = "derive-new"
 version = "0.5.9"
@ -211,12 +325,53 @@ dependencies = [
 "syn",
 ]
 [[package]]
 name = "dirs"
 version = "4.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ca3aa72a6f96ea37bbc5aa912f6788242832f75369bdfdadcb0e38423f100059"
 dependencies = [
 "dirs-sys",
 ]
 [[package]]
 name = "dirs-sys"
 version = "0.3.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1b1d1d91c932ef41c0f2663aa8b0ca0342d444d842c06914aa0a7e352d0bada6"
 dependencies = [
 "libc",
 "redox_users",
 "winapi",
 ]
 [[package]]
 name = "either"
 version = "1.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e78d4f1cc4ae33bbfc157ed5d5a5ef3bc29227303d595861deb238fcec4e9457"
 [[package]]
 name = "enumflags2"
 version = "0.7.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e75d4cd21b95383444831539909fbb14b9dc3fdceb2a6f5d36577329a1f55ccb"
 dependencies = [
 "enumflags2_derive",
 "serde",
 ]
 [[package]]
 name = "enumflags2_derive"
 version = "0.7.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f58dc3c5e468259f19f2d46304a6b28f1c3d034442e14b322d2b850e36f6d5ae"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn",
 ]
 [[package]]
 name = "errno"
 version = "0.2.8"
@ -238,6 +393,21 @@ dependencies = [
 "libc",
 ]
 [[package]]
 name = "event-listener"
 version = "2.5.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0206175f82b8d6bf6652ff7d71a1e27fd2e4efde587fd368662814d6ec1d9ce0"
 [[package]]
 name = "fastrand"
 version = "1.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a7a407cfaa3385c4ae6b23e84623d48c2798d06e3e6a1878f7f59f17b3f86499"
 dependencies = [
 "instant",
 ]
 [[package]]
 name = "fixedbitset"
 version = "0.2.0"
@ -271,9 +441,9 @@ dependencies = [
 [[package]]
 name = "futures-core"
-version = "0.3.17"
+version = "0.3.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "88d1c26957f23603395cd326b0ffe64124b818f4449552f960d815cfba83a53d"
+checksum = "4e5aa3de05362c3fb88de6531e6296e85cde7739cccad4b9dfeeb7f6ebce56bf"
 [[package]]
 name = "futures-executor"
@ -292,6 +462,21 @@ version = "0.3.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "522de2a0fe3e380f1bc577ba0474108faf3f6b18321dbf60b3b9c39a75073377"
 [[package]]
 name = "futures-lite"
 version = "1.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7694489acd39452c77daa48516b894c153f192c3578d5a839b62c58099fcbf48"
 dependencies = [
 "fastrand",
 "futures-core",
 "futures-io",
 "memchr",
 "parking",
 "pin-project-lite",
 "waker-fn",
 ]
 [[package]]
 name = "futures-macro"
 version = "0.3.17"
@ -430,6 +615,15 @@ dependencies = [
 "libc",
 ]
 [[package]]
 name = "instant"
 version = "0.1.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7a5bbe824c507c5da5956355e86a746d82e0e1464f65d862cc5e71da70e94b2c"
 dependencies = [
 "cfg-if 1.0.0",
 ]
 [[package]]
 name = "itertools"
 version = "0.10.3"
@ -491,6 +685,16 @@ version = "0.2.132"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8371e4e5341c3a96db127eb2465ac681ced4c433e01dd0e938adbef26ba93ba5"
 [[package]]
 name = "lock_api"
 version = "0.4.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9f80bf5aacaf25cbfc8210d1cfb718f2bf3b11c4c54e5afe36c236853a8ec390"
 dependencies = [
 "autocfg",
 "scopeguard",
 ]
 [[package]]
 name = "log"
 version = "0.4.14"
@ -576,6 +780,7 @@ dependencies = [
 "bitflags",
 "cfg-if 1.0.0",
 "libc",
 "memoffset",
 ]
 [[package]]
@ -618,9 +823,48 @@ dependencies = [
 [[package]]
 name = "once_cell"
-version = "1.9.0"
+version = "1.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da32515d9f6e6e489d7bc9d84c71b060db7247dc035bbe44eac88cf87486d8d5"
+checksum = "2f7254b99e31cad77da24b08ebf628882739a608578bb1bcdfc1f9c21260d7c0"
 [[package]]
 name = "ordered-stream"
 version = "0.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "44630c059eacfd6e08bdaa51b1db2ce33119caa4ddc1235e923109aa5f25ccb1"
 dependencies = [
 "futures-core",
 "pin-project-lite",
 ]
 [[package]]
 name = "parking"
 version = "2.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "427c3892f9e783d91cc128285287e70a59e206ca452770ece88a76f7a3eddd72"
 [[package]]
 name = "parking_lot"
 version = "0.12.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3742b2c103b9f06bc9fff0a37ff4912935851bee6d36f3c02bcc755bcfec228f"
 dependencies = [
 "lock_api",
 "parking_lot_core",
 ]
 [[package]]
 name = "parking_lot_core"
 version = "0.9.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "09a279cbf25cb0757810394fbc1e359949b59e348145c643a939a525692e6929"
 dependencies = [
 "cfg-if 1.0.0",
 "libc",
 "redox_syscall",
 "smallvec",
 "windows-sys",
 ]
 [[package]]
 name = "path-absolutize"
@ -653,9 +897,9 @@ dependencies = [
 [[package]]
 name = "pin-project-lite"
-version = "0.2.7"
+version = "0.2.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8d31d11c69a6b52a174b42bdc0c30e5e11670f90788b2c471c31c1d17d449443"
+checksum = "e0a7ae3ac2f1173085d398531c705756c94a4c56843785df85a60c1a0afac116"
 [[package]]
 name = "pin-utils"
@ -663,12 +907,37 @@ version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
 [[package]]
 name = "polling"
 version = "2.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "899b00b9c8ab553c743b3e11e87c5c7d423b2a2de229ba95b24a756344748011"
 dependencies = [
 "autocfg",
 "cfg-if 1.0.0",
 "libc",
 "log",
 "wepoll-ffi",
 "winapi",
 ]
 [[package]]
 name = "ppv-lite86"
 version = "0.2.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ed0cfbc8191465bed66e1718596ee0b0b35d5ee1f41c5df2189d0fe8bde535ba"
 [[package]]
 name = "proc-macro-crate"
 version = "1.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "eda0fc3b0fb7c975631757e14d9049da17374063edb6ebbcbc54d880d4fe94e9"
 dependencies = [
 "once_cell",
 "thiserror",
 "toml",
 ]
 [[package]]
 name = "proc-macro-hack"
 version = "0.5.19"
@ -833,13 +1102,24 @@ dependencies = [
 [[package]]
 name = "redox_syscall"
-version = "0.2.10"
+version = "0.2.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8383f39639269cde97d255a32bdb68c047337295414940c68bdd30c2e13203ff"
+checksum = "fb5a58c1855b4b6819d59012155603f0b22ad30cad752600aadfcb695265519a"
 dependencies = [
 "bitflags",
 ]
 [[package]]
 name = "redox_users"
 version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b033d837a7cf162d7993aded9304e30a83213c648b6e389db233191f891e5c2b"
 dependencies = [
 "getrandom",
 "redox_syscall",
 "thiserror",
 ]
 [[package]]
 name = "regex"
 version = "1.5.6"
@ -881,6 +1161,7 @@ version = "0.1.0"
 dependencies = [
 "anyhow",
 "async-trait",
 "bit-vec",
 "capctl",
 "caps",
 "cfg-if 0.1.10",
@ -889,7 +1170,7 @@ dependencies = [
 "inotify",
 "lazy_static",
 "libc",
- "nix 0.23.1",
+ "nix 0.24.2",
 "oci",
 "path-absolutize",
 "protobuf",
@ -904,6 +1185,7 @@ dependencies = [
 "slog",
 "slog-scope",
 "tokio",
 "zbus",
 ]
 [[package]]
@ -958,6 +1240,32 @@ dependencies = [
 "serde",
 ]
 [[package]]
 name = "serde_repr"
 version = "0.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1fe39d9fbb0ebf5eb2c7cb7e2a47e4f462fad1379f1166b8ae49ad9eae89a7ca"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn",
 ]
 [[package]]
 name = "sha1"
 version = "0.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c1da05c97445caa12d05e848c4a4fcbbea29e748ac28f7e80e9b010392063770"
 dependencies = [
 "sha1_smol",
 ]
 [[package]]
 name = "sha1_smol"
 version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ae1a47186c03a32177042e55dbc5fd5aee900b8e0069a8d70fba96a9375cd012"
 [[package]]
 name = "signal-hook-registry"
 version = "1.4.0"
@ -1020,6 +1328,28 @@ dependencies = [
 "slog",
 ]
 [[package]]
 name = "smallvec"
 version = "1.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2fd0db749597d91ff862fd1d55ea87f7855a744a8425a64695b6fca237d1dad1"
 [[package]]
 name = "socket2"
 version = "0.4.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "02e2d2db9033d13a1567121ddd7a095ee144db4e1ca1b1bda3419bc0da294ebd"
 dependencies = [
 "libc",
 "winapi",
 ]
 [[package]]
 name = "static_assertions"
 version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f"
 [[package]]
 name = "strsim"
 version = "0.8.0"
@ -1133,6 +1463,47 @@ dependencies = [
 "syn",
 ]
 [[package]]
 name = "toml"
 version = "0.5.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8d82e1a7758622a465f8cee077614c73484dac5b836c02ff6a40d5d1010324d7"
 dependencies = [
 "serde",
 ]
 [[package]]
 name = "tracing"
 version = "0.1.36"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2fce9567bd60a67d08a16488756721ba392f24f29006402881e43b19aac64307"
 dependencies = [
 "cfg-if 1.0.0",
 "pin-project-lite",
 "tracing-attributes",
 "tracing-core",
 ]
 [[package]]
 name = "tracing-attributes"
 version = "0.1.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "11c75893af559bc8e10716548bdef5cb2b983f8e637db9d0e15126b61b484ee2"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn",
 ]
 [[package]]
 name = "tracing-core"
 version = "0.1.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5aeea4303076558a00714b823f9ad67d58a3bbda1df83d8827d21193156e22f7"
 dependencies = [
 "once_cell",
 ]
 [[package]]
 name = "ttrpc"
 version = "0.6.0"
@ -1175,6 +1546,16 @@ dependencies = [
 "tempfile",
 ]
 [[package]]
 name = "uds_windows"
 version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ce65604324d3cce9b966701489fbd0cf318cb1f7bd9dd07ac9a4ee6fb791930d"
 dependencies = [
 "tempfile",
 "winapi",
 ]
 [[package]]
 name = "unicode-segmentation"
 version = "1.8.0"
@ -1199,6 +1580,12 @@ version = "0.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f1bddf1187be692e79c5ffeab891132dfb0f236ed36a43c7ed39f1165ee20191"
 [[package]]
 name = "waker-fn"
 version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9d5b2c62b4012a3e1eca5a7e077d13b3bf498c4073e33ccd58626607748ceeca"
 [[package]]
 name = "wasi"
 version = "0.10.2+wasi-snapshot-preview1"
@ -1259,6 +1646,15 @@ version = "0.2.81"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6a89911bd99e5f3659ec4acf9c4d93b0a90fe4a2a11f15328472058edc5261be"
 [[package]]
 name = "wepoll-ffi"
 version = "0.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d743fdedc5c64377b5fc2bc036b01c7fd642205a0d96356034ae3404d49eb7fb"
 dependencies = [
 "cc",
 ]
 [[package]]
 name = "which"
 version = "4.2.2"
@ -1291,3 +1687,136 @@ name = "winapi-x86_64-pc-windows-gnu"
 version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
 [[package]]
 name = "windows-sys"
 version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ea04155a16a59f9eab786fe12a4a450e75cdb175f9e0d80da1e17db09f55b8d2"
 dependencies = [
 "windows_aarch64_msvc",
 "windows_i686_gnu",
 "windows_i686_msvc",
 "windows_x86_64_gnu",
 "windows_x86_64_msvc",
 ]
 [[package]]
 name = "windows_aarch64_msvc"
 version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9bb8c3fd39ade2d67e9874ac4f3db21f0d710bee00fe7cab16949ec184eeaa47"
 [[package]]
 name = "windows_i686_gnu"
 version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "180e6ccf01daf4c426b846dfc66db1fc518f074baa793aa7d9b9aaeffad6a3b6"
 [[package]]
 name = "windows_i686_msvc"
 version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e2e7917148b2812d1eeafaeb22a97e4813dfa60a3f8f78ebe204bcc88f12f024"
 [[package]]
 name = "windows_x86_64_gnu"
 version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4dcd171b8776c41b97521e5da127a2d86ad280114807d0b2ab1e462bc764d9e1"
 [[package]]
 name = "windows_x86_64_msvc"
 version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c811ca4a8c853ef420abd8592ba53ddbbac90410fab6903b3e79972a631f7680"
 [[package]]
 name = "zbus"
 version = "2.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2d8f1a037b2c4a67d9654dc7bdfa8ff2e80555bbefdd3c1833c1d1b27c963a6b"
 dependencies = [
 "async-broadcast",
 "async-channel",
 "async-executor",
 "async-io",
 "async-lock",
 "async-recursion",
 "async-task",
 "async-trait",
 "byteorder",
 "derivative",
 "dirs",
 "enumflags2",
 "event-listener",
 "futures-core",
 "futures-sink",
 "futures-util",
 "hex",
 "lazy_static",
 "nix 0.23.1",
 "once_cell",
 "ordered-stream",
 "rand",
 "serde",
 "serde_repr",
 "sha1",
 "static_assertions",
 "tracing",
 "uds_windows",
 "winapi",
 "zbus_macros",
 "zbus_names",
 "zvariant",
 ]
 [[package]]
 name = "zbus_macros"
 version = "2.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1f8fb5186d1c87ae88cf234974c240671238b4a679158ad3b94ec465237349a6"
 dependencies = [
 "proc-macro-crate",
 "proc-macro2",
 "quote",
 "regex",
 "syn",
 ]
 [[package]]
 name = "zbus_names"
 version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "41a408fd8a352695690f53906dc7fd036be924ec51ea5e05666ff42685ed0af5"
 dependencies = [
 "serde",
 "static_assertions",
 "zvariant",
 ]
 [[package]]
 name = "zvariant"
 version = "3.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1bd68e4e6432ef19df47d7e90e2e72b5e7e3d778e0ae3baddf12b951265cc758"
 dependencies = [
 "byteorder",
 "enumflags2",
 "libc",
 "serde",
 "static_assertions",
 "zvariant_derive",
 ]
 [[package]]
 name = "zvariant_derive"
 version = "3.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "08e977eaa3af652f63d479ce50d924254ad76722a6289ec1a1eac3231ca30430"
 dependencies = [
 "proc-macro-crate",
 "proc-macro2",
 "quote",
 "syn",
 ]
--- a/src/tools/runk/Cargo.lock
+++ b/src/tools/runk/Cargo.lock
@ -29,6 +29,88 @@ version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c5d78ce20460b82d3fa150275ed9d55e21064fc7951177baacf86a145c4a4b1f"
 [[package]]
 name = "async-broadcast"
 version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6d26004fe83b2d1cd3a97609b21e39f9a31535822210fe83205d2ce48866ea61"
 dependencies = [
 "event-listener",
 "futures-core",
 "parking_lot",
 ]
 [[package]]
 name = "async-channel"
 version = "1.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e14485364214912d3b19cc3435dde4df66065127f05fa0d75c712f36f12c2f28"
 dependencies = [
 "concurrent-queue",
 "event-listener",
 "futures-core",
 ]
 [[package]]
 name = "async-executor"
 version = "1.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "871f9bb5e0a22eeb7e8cf16641feb87c9dc67032ccf8ff49e772eb9941d3a965"
 dependencies = [
 "async-task",
 "concurrent-queue",
 "fastrand",
 "futures-lite",
 "once_cell",
 "slab",
 ]
 [[package]]
 name = "async-io"
 version = "1.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "83e21f3a490c72b3b0cf44962180e60045de2925d8dff97918f7ee43c8f637c7"
 dependencies = [
 "autocfg",
 "concurrent-queue",
 "futures-lite",
 "libc",
 "log",
 "once_cell",
 "parking",
 "polling",
 "slab",
 "socket2",
 "waker-fn",
 "winapi",
 ]
 [[package]]
 name = "async-lock"
 version = "2.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e97a171d191782fba31bb902b14ad94e24a68145032b7eedf871ab0bc0d077b6"
 dependencies = [
 "event-listener",
 ]
 [[package]]
 name = "async-recursion"
 version = "0.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d7d78656ba01f1b93024b7c3a0467f1608e4be67d725749fdcd7d2c7678fd7a2"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn",
 ]
 [[package]]
 name = "async-task"
 version = "4.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7a40729d2133846d9ed0ea60a8b9541bccddab49cd30f0715a1da672fe9a2524"
 [[package]]
 name = "async-trait"
 version = "0.1.53"
@ -57,6 +139,12 @@ version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
 [[package]]
 name = "bit-vec"
 version = "0.6.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb"
 [[package]]
 name = "bitflags"
 version = "1.3.2"
@ -75,6 +163,12 @@ version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c4872d67bab6358e59559027aa3b9157c53d9358c51423c17554809a8858e0f8"
 [[package]]
 name = "cache-padded"
 version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c1db59621ec70f09c5e9b597b220c7a2b43611f4710dc03ceb8748637775692c"
 [[package]]
 name = "capctl"
 version = "0.2.1"
@ -180,6 +274,15 @@ dependencies = [
 "os_str_bytes",
 ]
 [[package]]
 name = "concurrent-queue"
 version = "1.2.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "af4780a44ab5696ea9e28294517f1fffb421a83a25af521333c838635509db9c"
 dependencies = [
 "cache-padded",
 ]
 [[package]]
 name = "crc32fast"
 version = "1.3.2"
@ -244,6 +347,17 @@ dependencies = [
 "syn",
 ]
 [[package]]
 name = "derivative"
 version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fcc3dd5e9e9c0b295d6e1e4d811fb6f157d5ffd784b8d202fc62eac8035a770b"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn",
 ]
 [[package]]
 name = "derive-new"
 version = "0.5.9"
@ -286,12 +400,53 @@ dependencies = [
 "syn",
 ]
 [[package]]
 name = "dirs"
 version = "4.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ca3aa72a6f96ea37bbc5aa912f6788242832f75369bdfdadcb0e38423f100059"
 dependencies = [
 "dirs-sys",
 ]
 [[package]]
 name = "dirs-sys"
 version = "0.3.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1b1d1d91c932ef41c0f2663aa8b0ca0342d444d842c06914aa0a7e352d0bada6"
 dependencies = [
 "libc",
 "redox_users",
 "winapi",
 ]
 [[package]]
 name = "either"
 version = "1.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e78d4f1cc4ae33bbfc157ed5d5a5ef3bc29227303d595861deb238fcec4e9457"
 [[package]]
 name = "enumflags2"
 version = "0.7.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e75d4cd21b95383444831539909fbb14b9dc3fdceb2a6f5d36577329a1f55ccb"
 dependencies = [
 "enumflags2_derive",
 "serde",
 ]
 [[package]]
 name = "enumflags2_derive"
 version = "0.7.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f58dc3c5e468259f19f2d46304a6b28f1c3d034442e14b322d2b850e36f6d5ae"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn",
 ]
 [[package]]
 name = "errno"
 version = "0.2.8"
@ -313,6 +468,12 @@ dependencies = [
 "libc",
 ]
 [[package]]
 name = "event-listener"
 version = "2.5.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0206175f82b8d6bf6652ff7d71a1e27fd2e4efde587fd368662814d6ec1d9ce0"
 [[package]]
 name = "fastrand"
 version = "1.7.0"
@ -392,6 +553,21 @@ version = "0.3.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fc4045962a5a5e935ee2fdedaa4e08284547402885ab326734432bed5d12966b"
 [[package]]
 name = "futures-lite"
 version = "1.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7694489acd39452c77daa48516b894c153f192c3578d5a839b62c58099fcbf48"
 dependencies = [
 "fastrand",
 "futures-core",
 "futures-io",
 "memchr",
 "parking",
 "pin-project-lite",
 "waker-fn",
 ]
 [[package]]
 name = "futures-macro"
 version = "0.3.21"
@ -433,6 +609,17 @@ dependencies = [
 "slab",
 ]
 [[package]]
 name = "getrandom"
 version = "0.2.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4eb1a864a501629691edf6c15a593b7a51eebaa1e8468e9ddc623de7c9b58ec6"
 dependencies = [
 "cfg-if 1.0.0",
 "libc",
 "wasi 0.11.0+wasi-snapshot-preview1",
 ]
 [[package]]
 name = "hashbrown"
 version = "0.11.2"
@ -582,10 +769,11 @@ dependencies = [
 [[package]]
 name = "libseccomp"
-version = "0.2.3"
+version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "49bda1fbf25c42ac8942ff7df1eb6172a3bc36299e84be0dba8c888a7db68c80"
+checksum = "21c57fd8981a80019807b7b68118618d29a87177c63d704fc96e6ecd003ae5b3"
 dependencies = [
 "bitflags",
 "libc",
 "libseccomp-sys",
 "pkg-config",
@ -770,9 +958,19 @@ dependencies = [
 [[package]]
 name = "once_cell"
-version = "1.10.0"
+version = "1.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "87f3e037eac156d1775da914196f0f37741a274155e34a0b7e427c35d2a2ecb9"
+checksum = "2f7254b99e31cad77da24b08ebf628882739a608578bb1bcdfc1f9c21260d7c0"
 [[package]]
 name = "ordered-stream"
 version = "0.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "44630c059eacfd6e08bdaa51b1db2ce33119caa4ddc1235e923109aa5f25ccb1"
 dependencies = [
 "futures-core",
 "pin-project-lite",
 ]
 [[package]]
 name = "os_str_bytes"
@ -781,10 +979,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8e22443d1643a904602595ba1cd8f7d896afe56d26712531c5ff73a15b2fbf64"
 [[package]]
-name = "parking_lot"
+name = "parking"
-version = "0.12.0"
+version = "2.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "87f5ec2493a61ac0506c0f4199f99070cbe83857b0337006a30f3e6719b8ef58"
+checksum = "427c3892f9e783d91cc128285287e70a59e206ca452770ece88a76f7a3eddd72"
 [[package]]
 name = "parking_lot"
 version = "0.12.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3742b2c103b9f06bc9fff0a37ff4912935851bee6d36f3c02bcc755bcfec228f"
 dependencies = [
 "lock_api",
 "parking_lot_core",
@ -850,6 +1054,37 @@ version = "0.3.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1df8c4ec4b0627e53bdf214615ad287367e482558cf84b109250b37464dc03ae"
 [[package]]
 name = "polling"
 version = "2.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "899b00b9c8ab553c743b3e11e87c5c7d423b2a2de229ba95b24a756344748011"
 dependencies = [
 "autocfg",
 "cfg-if 1.0.0",
 "libc",
 "log",
 "wepoll-ffi",
 "winapi",
 ]
 [[package]]
 name = "ppv-lite86"
 version = "0.2.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "eb9f9e6e233e5c4a35559a617bf40a4ec447db2e84c20b55a6f83167b7e57872"
 [[package]]
 name = "proc-macro-crate"
 version = "1.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "eda0fc3b0fb7c975631757e14d9049da17374063edb6ebbcbc54d880d4fe94e9"
 dependencies = [
 "once_cell",
 "thiserror",
 "toml",
 ]
 [[package]]
 name = "proc-macro-error"
 version = "1.0.4"
@ -997,6 +1232,36 @@ dependencies = [
 "proc-macro2",
 ]
 [[package]]
 name = "rand"
 version = "0.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
 dependencies = [
 "libc",
 "rand_chacha",
 "rand_core",
 ]
 [[package]]
 name = "rand_chacha"
 version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
 dependencies = [
 "ppv-lite86",
 "rand_core",
 ]
 [[package]]
 name = "rand_core"
 version = "0.6.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d34f1408f55294453790c48b2f1ebbb1c5b4b7563eb1f418bcfcfdbb06ebb4e7"
 dependencies = [
 "getrandom",
 ]
 [[package]]
 name = "redox_syscall"
 version = "0.2.13"
@ -1006,6 +1271,17 @@ dependencies = [
 "bitflags",
 ]
 [[package]]
 name = "redox_users"
 version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b033d837a7cf162d7993aded9304e30a83213c648b6e389db233191f891e5c2b"
 dependencies = [
 "getrandom",
 "redox_syscall",
 "thiserror",
 ]
 [[package]]
 name = "regex"
 version = "1.6.0"
@ -1085,6 +1361,7 @@ version = "0.1.0"
 dependencies = [
 "anyhow",
 "async-trait",
 "bit-vec",
 "capctl",
 "caps",
 "cfg-if 0.1.10",
@ -1094,7 +1371,7 @@ dependencies = [
 "lazy_static",
 "libc",
 "libseccomp",
- "nix 0.23.1",
+ "nix 0.24.2",
 "oci",
 "path-absolutize",
 "protobuf",
@ -1109,6 +1386,7 @@ dependencies = [
 "slog",
 "slog-scope",
 "tokio",
 "zbus",
 ]
 [[package]]
@ -1163,6 +1441,32 @@ dependencies = [
 "serde",
 ]
 [[package]]
 name = "serde_repr"
 version = "0.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1fe39d9fbb0ebf5eb2c7cb7e2a47e4f462fad1379f1166b8ae49ad9eae89a7ca"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn",
 ]
 [[package]]
 name = "sha1"
 version = "0.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c1da05c97445caa12d05e848c4a4fcbbea29e748ac28f7e80e9b010392063770"
 dependencies = [
 "sha1_smol",
 ]
 [[package]]
 name = "sha1_smol"
 version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ae1a47186c03a32177042e55dbc5fd5aee900b8e0069a8d70fba96a9375cd012"
 [[package]]
 name = "signal-hook-registry"
 version = "1.4.0"
@ -1241,6 +1545,12 @@ dependencies = [
 "winapi",
 ]
 [[package]]
 name = "static_assertions"
 version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f"
 [[package]]
 name = "strsim"
 version = "0.10.0"
@ -1391,6 +1701,47 @@ dependencies = [
 "syn",
 ]
 [[package]]
 name = "toml"
 version = "0.5.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8d82e1a7758622a465f8cee077614c73484dac5b836c02ff6a40d5d1010324d7"
 dependencies = [
 "serde",
 ]
 [[package]]
 name = "tracing"
 version = "0.1.36"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2fce9567bd60a67d08a16488756721ba392f24f29006402881e43b19aac64307"
 dependencies = [
 "cfg-if 1.0.0",
 "pin-project-lite",
 "tracing-attributes",
 "tracing-core",
 ]
 [[package]]
 name = "tracing-attributes"
 version = "0.1.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "11c75893af559bc8e10716548bdef5cb2b983f8e637db9d0e15126b61b484ee2"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn",
 ]
 [[package]]
 name = "tracing-core"
 version = "0.1.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5aeea4303076558a00714b823f9ad67d58a3bbda1df83d8827d21193156e22f7"
 dependencies = [
 "once_cell",
 ]
 [[package]]
 name = "ttrpc"
 version = "0.6.1"
@ -1433,6 +1784,16 @@ dependencies = [
 "tempfile",
 ]
 [[package]]
 name = "uds_windows"
 version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ce65604324d3cce9b966701489fbd0cf318cb1f7bd9dd07ac9a4ee6fb791930d"
 dependencies = [
 "tempfile",
 "winapi",
 ]
 [[package]]
 name = "unicode-segmentation"
 version = "1.9.0"
@ -1467,6 +1828,12 @@ version = "0.9.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
 [[package]]
 name = "waker-fn"
 version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9d5b2c62b4012a3e1eca5a7e077d13b3bf498c4073e33ccd58626607748ceeca"
 [[package]]
 name = "wasi"
 version = "0.10.0+wasi-snapshot-preview1"
@ -1479,6 +1846,15 @@ version = "0.11.0+wasi-snapshot-preview1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
 [[package]]
 name = "wepoll-ffi"
 version = "0.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d743fdedc5c64377b5fc2bc036b01c7fd642205a0d96356034ae3404d49eb7fb"
 dependencies = [
 "cc",
 ]
 [[package]]
 name = "which"
 version = "4.2.5"
@ -1606,3 +1982,93 @@ name = "windows_x86_64_msvc"
 version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c811ca4a8c853ef420abd8592ba53ddbbac90410fab6903b3e79972a631f7680"
 [[package]]
 name = "zbus"
 version = "2.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2d8f1a037b2c4a67d9654dc7bdfa8ff2e80555bbefdd3c1833c1d1b27c963a6b"
 dependencies = [
 "async-broadcast",
 "async-channel",
 "async-executor",
 "async-io",
 "async-lock",
 "async-recursion",
 "async-task",
 "async-trait",
 "byteorder",
 "derivative",
 "dirs",
 "enumflags2",
 "event-listener",
 "futures-core",
 "futures-sink",
 "futures-util",
 "hex",
 "lazy_static",
 "nix 0.23.1",
 "once_cell",
 "ordered-stream",
 "rand",
 "serde",
 "serde_repr",
 "sha1",
 "static_assertions",
 "tracing",
 "uds_windows",
 "winapi",
 "zbus_macros",
 "zbus_names",
 "zvariant",
 ]
 [[package]]
 name = "zbus_macros"
 version = "2.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1f8fb5186d1c87ae88cf234974c240671238b4a679158ad3b94ec465237349a6"
 dependencies = [
 "proc-macro-crate",
 "proc-macro2",
 "quote",
 "regex",
 "syn",
 ]
 [[package]]
 name = "zbus_names"
 version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "41a408fd8a352695690f53906dc7fd036be924ec51ea5e05666ff42685ed0af5"
 dependencies = [
 "serde",
 "static_assertions",
 "zvariant",
 ]
 [[package]]
 name = "zvariant"
 version = "3.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1bd68e4e6432ef19df47d7e90e2e72b5e7e3d778e0ae3baddf12b951265cc758"
 dependencies = [
 "byteorder",
 "enumflags2",
 "libc",
 "serde",
 "static_assertions",
 "zvariant_derive",
 ]
 [[package]]
 name = "zvariant_derive"
 version = "3.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "08e977eaa3af652f63d479ce50d924254ad76722a6289ec1a1eac3231ca30430"
 dependencies = [
 "proc-macro-crate",
 "proc-macro2",
 "quote",
 "syn",
 ]
--- a/src/tools/runk/libcontainer/src/container.rs
+++ b/src/tools/runk/libcontainer/src/container.rs
@ -17,6 +17,7 @@ use nix::{
 };
 use oci::{ContainerState, State as OCIState};
 use procfs;
 use rustjail::cgroups::fs::Manager as CgroupManager;
 use rustjail::{
    container::{self, BaseContainer, LinuxContainer, EXEC_FIFO_FILENAME},
    process::{Process, ProcessOperations},
@ -327,8 +328,12 @@ impl ContainerLauncher {
            self.runner.created,
            self.runner
                .cgroup_manager
-                .clone()
+                .as_ref()
-                .ok_or_else(|| anyhow!("cgroup manager was not present"))?,
+                .unwrap()
                .as_any()?
                .downcast_ref::<CgroupManager>()
                .unwrap()
                .clone(),
            self.runner.config.clone(),
        )
    }
--- a/tools/osbuilder/rootfs-builder/ubuntu/config.sh
+++ b/tools/osbuilder/rootfs-builder/ubuntu/config.sh
@ -5,7 +5,7 @@
 OS_NAME=ubuntu
 # This should be Ubuntu's code name, e.g. "focal" (Focal Fossa) for 20.04
 OS_VERSION=${OS_VERSION:-focal}
-PACKAGES="chrony iptables"
+PACKAGES="chrony iptables dbus"
 [ "$AGENT_INIT" = no ] && PACKAGES+=" init"
 [ "$SECCOMP" = yes ] && PACKAGES+=" libseccomp2"
 REPO_URL=http://ports.ubuntu.com
--- a/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh
+++ b/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh
@ -2,6 +2,12 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 build_dbus() {
 	local rootfs_dir=$1
 	ln -sf /lib/systemd/system/dbus.service $rootfs_dir/etc/systemd/system/dbus.service
 	ln -sf /lib/systemd/system/dbus.socket $rootfs_dir/etc/systemd/system/dbus.socket
 }
 build_rootfs() {
 	local rootfs_dir=$1
 	local multistrap_conf=multistrap.conf
@ -19,7 +25,9 @@ keyring=ubuntu-keyring
 suite=focal
 packages=$PACKAGES $EXTRA_PKGS
 EOF
-	multistrap -a "$DEB_ARCH" -d "$rootfs_dir" -f "$multistrap_conf"
+	if ! multistrap -a "$DEB_ARCH" -d "$rootfs_dir" -f "$multistrap_conf"; then
 		build_dbus $rootfs_dir
 	fi
 	rm -rf "$rootfs_dir/var/run"
 	ln -s /run "$rootfs_dir/var/run"
 	cp --remove-destination /etc/resolv.conf "$rootfs_dir/etc"