4cad4c
From 046ea98539eb8d7cef93d8062035fa6d9f58efea Mon Sep 17 00:00:00 2001
4cad4c
From: =?UTF-8?q?Michal=20Sekleta=CC=81r?= <msekleta@redhat.com>
4cad4c
Date: Wed, 29 Apr 2020 17:53:43 +0200
4cad4c
Subject: [PATCH] core: introduce support for cgroup freezer
4cad4c
4cad4c
With cgroup v2 the cgroup freezer is implemented as a cgroup
4cad4c
attribute called cgroup.freeze. cgroup can be frozen by writing "1"
4cad4c
to the file and kernel will send us a notification through
4cad4c
"cgroup.events" after the operation is finished and processes in the
4cad4c
cgroup entered quiescent state, i.e. they are not scheduled to
4cad4c
run. Writing "0" to the attribute file does the inverse and process
4cad4c
execution is resumed.
4cad4c
4cad4c
This commit exposes above low-level functionality through systemd's DBus
4cad4c
API. Each unit type must provide specialized implementation for these
4cad4c
methods, otherwise, we return an error. So far only service, scope, and
4cad4c
slice unit types provide the support. It is possible to check if a
4cad4c
given unit has the support using CanFreeze() DBus property.
4cad4c
4cad4c
Note that DBus API has a synchronous behavior and we dispatch the reply
4cad4c
to freeze/thaw requests only after the kernel has notified us that
4cad4c
requested operation was completed.
4cad4c
4cad4c
(cherry picked from commit d9e45bc3abb8adf5a1cb20816ba8f2d2aa65b17e)
4cad4c
4cad4c
Resolves: #1830861
4cad4c
---
4cad4c
 man/systemctl.xml                         |  24 +++++
4cad4c
 src/basic/cgroup-util.c                   |  18 +++-
4cad4c
 src/basic/cgroup-util.h                   |   1 +
4cad4c
 src/basic/unit-def.c                      |   9 ++
4cad4c
 src/basic/unit-def.h                      |  12 +++
4cad4c
 src/core/cgroup.c                         | 105 ++++++++++++++++--
4cad4c
 src/core/cgroup.h                         |  12 +++
4cad4c
 src/core/dbus-manager.c                   |  50 +++++++++
4cad4c
 src/core/dbus-unit.c                      |  96 +++++++++++++++++
4cad4c
 src/core/dbus-unit.h                      |   3 +
4cad4c
 src/core/dbus.c                           |   7 +-
4cad4c
 src/core/scope.c                          |   3 +
4cad4c
 src/core/service.c                        |   3 +
4cad4c
 src/core/slice.c                          |  80 ++++++++++++++
4cad4c
 src/core/unit.c                           | 123 ++++++++++++++++++++++
4cad4c
 src/core/unit.h                           |  20 ++++
4cad4c
 src/libsystemd/sd-bus/bus-common-errors.h |   2 +
4cad4c
 src/systemctl/systemctl.c                 | 105 +++++++++++++++++-
4cad4c
 18 files changed, 660 insertions(+), 13 deletions(-)
4cad4c
4cad4c
diff --git a/man/systemctl.xml b/man/systemctl.xml
4cad4c
index d95d3726af..6145486123 100644
4cad4c
--- a/man/systemctl.xml
4cad4c
+++ b/man/systemctl.xml
4cad4c
@@ -873,6 +873,30 @@ Sun 2017-02-26 20:57:49 EST  2h 3min left  Sun 2017-02-26 11:56:36 EST  6h ago
4cad4c
             the signal to send.</para>
4cad4c
           </listitem>
4cad4c
         </varlistentry>
4cad4c
+        <varlistentry>
4cad4c
+          <term><command>freeze <replaceable>PATTERN</replaceable>…</command></term>
4cad4c
+
4cad4c
+          <listitem>
4cad4c
+            <para>Freeze one or more units specified on the
4cad4c
+            command line using cgroup freezer</para>
4cad4c
+
4cad4c
+            <para>Freezing the unit will cause all processes contained within the cgroup corresponding to the unit
4cad4c
+            to be suspended. Being suspended means that unit's processes won't be scheduled to run on CPU until thawed.
4cad4c
+            Note that this command is supported only on systems that use unified cgroup hierarchy. Unit is automatically
4cad4c
+            thawed just before we execute a job against the unit, e.g. before the unit is stopped.</para>
4cad4c
+          </listitem>
4cad4c
+        </varlistentry>
4cad4c
+        <varlistentry>
4cad4c
+          <term><command>thaw <replaceable>PATTERN</replaceable>…</command></term>
4cad4c
+
4cad4c
+          <listitem>
4cad4c
+            <para>Thaw (unfreeze) one or more units specified on the
4cad4c
+            command line.</para>
4cad4c
+
4cad4c
+            <para>This is the inverse operation to the <command>freeze</command> command and resumes the execution of
4cad4c
+            processes in the unit's cgroup.</para>
4cad4c
+          </listitem>
4cad4c
+        </varlistentry>
4cad4c
         <varlistentry>
4cad4c
           <term><command>is-active <replaceable>PATTERN</replaceable>…</command></term>
4cad4c
 
4cad4c
diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c
4cad4c
index 4c0b73850d..992b12811a 100644
4cad4c
--- a/src/basic/cgroup-util.c
4cad4c
+++ b/src/basic/cgroup-util.c
4cad4c
@@ -137,6 +137,17 @@ bool cg_ns_supported(void) {
4cad4c
         return enabled;
4cad4c
 }
4cad4c
 
4cad4c
+bool cg_freezer_supported(void) {
4cad4c
+        static thread_local int supported = -1;
4cad4c
+
4cad4c
+        if (supported >= 0)
4cad4c
+                return supported;
4cad4c
+
4cad4c
+        supported = cg_all_unified() > 0 && access("/sys/fs/cgroup/init.scope/cgroup.freeze", F_OK) == 0;
4cad4c
+
4cad4c
+        return supported;
4cad4c
+}
4cad4c
+
4cad4c
 int cg_enumerate_subgroups(const char *controller, const char *path, DIR **_d) {
4cad4c
         _cleanup_free_ char *fs = NULL;
4cad4c
         int r;
4cad4c
@@ -2039,7 +2050,8 @@ int cg_get_keyed_attribute_full(
4cad4c
          * all keys to retrieve. The 'ret_values' parameter should be passed as string size with the same number of
4cad4c
          * entries as 'keys'. On success each entry will be set to the value of the matching key.
4cad4c
          *
4cad4c
-         * If the attribute file doesn't exist at all returns ENOENT, if any key is not found returns ENXIO. */
4cad4c
+         * If the attribute file doesn't exist at all returns ENOENT, if any key is not found returns ENXIO. If mode
4cad4c
+         * is set to GG_KEY_MODE_GRACEFUL we ignore missing keys and return those that were parsed successfully. */
4cad4c
 
4cad4c
         r = cg_get_path(controller, path, attribute, &filename);
4cad4c
         if (r < 0)
4cad4c
@@ -2089,8 +2101,8 @@ int cg_get_keyed_attribute_full(
4cad4c
 
4cad4c
         if (mode & CG_KEY_MODE_GRACEFUL)
4cad4c
                 goto done;
4cad4c
-        else
4cad4c
-                r = -ENXIO;
4cad4c
+
4cad4c
+        r = -ENXIO;
4cad4c
 
4cad4c
 fail:
4cad4c
         for (i = 0; i < n; i++)
4cad4c
diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h
4cad4c
index 0673f4b4ce..1210b38a83 100644
4cad4c
--- a/src/basic/cgroup-util.h
4cad4c
+++ b/src/basic/cgroup-util.h
4cad4c
@@ -250,6 +250,7 @@ int cg_mask_to_string(CGroupMask mask, char **ret);
4cad4c
 int cg_kernel_controllers(Set **controllers);
4cad4c
 
4cad4c
 bool cg_ns_supported(void);
4cad4c
+bool cg_freezer_supported(void);
4cad4c
 
4cad4c
 int cg_all_unified(void);
4cad4c
 int cg_hybrid_unified(void);
4cad4c
diff --git a/src/basic/unit-def.c b/src/basic/unit-def.c
4cad4c
index 46593f6e65..e79cc73dd3 100644
4cad4c
--- a/src/basic/unit-def.c
4cad4c
+++ b/src/basic/unit-def.c
4cad4c
@@ -107,6 +107,15 @@ static const char* const unit_active_state_table[_UNIT_ACTIVE_STATE_MAX] = {
4cad4c
 
4cad4c
 DEFINE_STRING_TABLE_LOOKUP(unit_active_state, UnitActiveState);
4cad4c
 
4cad4c
+static const char* const freezer_state_table[_FREEZER_STATE_MAX] = {
4cad4c
+        [FREEZER_RUNNING] = "running",
4cad4c
+        [FREEZER_FREEZING] = "freezing",
4cad4c
+        [FREEZER_FROZEN] = "frozen",
4cad4c
+        [FREEZER_THAWING] = "thawing",
4cad4c
+};
4cad4c
+
4cad4c
+DEFINE_STRING_TABLE_LOOKUP(freezer_state, FreezerState);
4cad4c
+
4cad4c
 static const char* const automount_state_table[_AUTOMOUNT_STATE_MAX] = {
4cad4c
         [AUTOMOUNT_DEAD] = "dead",
4cad4c
         [AUTOMOUNT_WAITING] = "waiting",
4cad4c
diff --git a/src/basic/unit-def.h b/src/basic/unit-def.h
4cad4c
index db397a31ed..8eea379a6d 100644
4cad4c
--- a/src/basic/unit-def.h
4cad4c
+++ b/src/basic/unit-def.h
4cad4c
@@ -44,6 +44,15 @@ typedef enum UnitActiveState {
4cad4c
         _UNIT_ACTIVE_STATE_INVALID = -1
4cad4c
 } UnitActiveState;
4cad4c
 
4cad4c
+typedef enum FreezerState {
4cad4c
+        FREEZER_RUNNING,
4cad4c
+        FREEZER_FREEZING,
4cad4c
+        FREEZER_FROZEN,
4cad4c
+        FREEZER_THAWING,
4cad4c
+        _FREEZER_STATE_MAX,
4cad4c
+        _FREEZER_STATE_INVALID = -1
4cad4c
+} FreezerState;
4cad4c
+
4cad4c
 typedef enum AutomountState {
4cad4c
         AUTOMOUNT_DEAD,
4cad4c
         AUTOMOUNT_WAITING,
4cad4c
@@ -245,6 +254,9 @@ UnitLoadState unit_load_state_from_string(const char *s) _pure_;
4cad4c
 const char *unit_active_state_to_string(UnitActiveState i) _const_;
4cad4c
 UnitActiveState unit_active_state_from_string(const char *s) _pure_;
4cad4c
 
4cad4c
+const char *freezer_state_to_string(FreezerState i) _const_;
4cad4c
+FreezerState freezer_state_from_string(const char *s) _pure_;
4cad4c
+
4cad4c
 const char* automount_state_to_string(AutomountState i) _const_;
4cad4c
 AutomountState automount_state_from_string(const char *s) _pure_;
4cad4c
 
4cad4c
diff --git a/src/core/cgroup.c b/src/core/cgroup.c
4cad4c
index 7a9857adad..e7ae9273a6 100644
4cad4c
--- a/src/core/cgroup.c
4cad4c
+++ b/src/core/cgroup.c
4cad4c
@@ -2279,6 +2279,51 @@ void unit_add_to_cgroup_empty_queue(Unit *u) {
4cad4c
                 log_debug_errno(r, "Failed to enable cgroup empty event source: %m");
4cad4c
 }
4cad4c
 
4cad4c
+static void unit_remove_from_cgroup_empty_queue(Unit *u) {
4cad4c
+        assert(u);
4cad4c
+
4cad4c
+        if (!u->in_cgroup_empty_queue)
4cad4c
+                return;
4cad4c
+
4cad4c
+        LIST_REMOVE(cgroup_empty_queue, u->manager->cgroup_empty_queue, u);
4cad4c
+        u->in_cgroup_empty_queue = false;
4cad4c
+}
4cad4c
+
4cad4c
+static int unit_check_cgroup_events(Unit *u) {
4cad4c
+        char *values[2] = {};
4cad4c
+        int r;
4cad4c
+
4cad4c
+        assert(u);
4cad4c
+
4cad4c
+        r = cg_get_keyed_attribute_graceful(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path, "cgroup.events",
4cad4c
+                                            STRV_MAKE("populated", "frozen"), values);
4cad4c
+        if (r < 0)
4cad4c
+                return r;
4cad4c
+
4cad4c
+        /* The cgroup.events notifications can be merged together so act as we saw the given state for the
4cad4c
+         * first time. The functions we call to handle given state are idempotent, which makes them
4cad4c
+         * effectively remember the previous state. */
4cad4c
+        if (values[0]) {
4cad4c
+                if (streq(values[0], "1"))
4cad4c
+                        unit_remove_from_cgroup_empty_queue(u);
4cad4c
+                else
4cad4c
+                        unit_add_to_cgroup_empty_queue(u);
4cad4c
+        }
4cad4c
+
4cad4c
+        /* Disregard freezer state changes due to operations not initiated by us */
4cad4c
+        if (values[1] && IN_SET(u->freezer_state, FREEZER_FREEZING, FREEZER_THAWING)) {
4cad4c
+                if (streq(values[1], "0"))
4cad4c
+                        unit_thawed(u);
4cad4c
+                else
4cad4c
+                        unit_frozen(u);
4cad4c
+        }
4cad4c
+
4cad4c
+        free(values[0]);
4cad4c
+        free(values[1]);
4cad4c
+
4cad4c
+        return 0;
4cad4c
+}
4cad4c
+
4cad4c
 static int on_cgroup_inotify_event(sd_event_source *s, int fd, uint32_t revents, void *userdata) {
4cad4c
         Manager *m = userdata;
4cad4c
 
4cad4c
@@ -2310,15 +2355,12 @@ static int on_cgroup_inotify_event(sd_event_source *s, int fd, uint32_t revents,
4cad4c
                                 /* The watch was just removed */
4cad4c
                                 continue;
4cad4c
 
4cad4c
-                        u = hashmap_get(m->cgroup_inotify_wd_unit, INT_TO_PTR(e->wd));
4cad4c
-                        if (!u) /* Not that inotify might deliver
4cad4c
-                                 * events for a watch even after it
4cad4c
-                                 * was removed, because it was queued
4cad4c
-                                 * before the removal. Let's ignore
4cad4c
-                                 * this here safely. */
4cad4c
-                                continue;
4cad4c
+                        /* Note that inotify might deliver events for a watch even after it was removed,
4cad4c
+                         * because it was queued before the removal. Let's ignore this here safely. */
4cad4c
 
4cad4c
-                        unit_add_to_cgroup_empty_queue(u);
4cad4c
+                        u = hashmap_get(m->cgroup_inotify_wd_unit, INT_TO_PTR(e->wd));
4cad4c
+                        if (u)
4cad4c
+                                unit_check_cgroup_events(u);
4cad4c
                 }
4cad4c
         }
4cad4c
 }
4cad4c
@@ -2884,6 +2926,46 @@ void manager_invalidate_startup_units(Manager *m) {
4cad4c
                 unit_invalidate_cgroup(u, CGROUP_MASK_CPU|CGROUP_MASK_IO|CGROUP_MASK_BLKIO);
4cad4c
 }
4cad4c
 
4cad4c
+int unit_cgroup_freezer_action(Unit *u, FreezerAction action) {
4cad4c
+        _cleanup_free_ char *path = NULL;
4cad4c
+        FreezerState target, kernel = _FREEZER_STATE_INVALID;
4cad4c
+        int r;
4cad4c
+
4cad4c
+        assert(u);
4cad4c
+        assert(IN_SET(action, FREEZER_FREEZE, FREEZER_THAW));
4cad4c
+
4cad4c
+        if (!u->cgroup_realized)
4cad4c
+                return -EBUSY;
4cad4c
+
4cad4c
+        target = action == FREEZER_FREEZE ? FREEZER_FROZEN : FREEZER_RUNNING;
4cad4c
+
4cad4c
+        r = unit_freezer_state_kernel(u, &kernel);
4cad4c
+        if (r < 0)
4cad4c
+                log_unit_debug_errno(u, r, "Failed to obtain cgroup freezer state: %m");
4cad4c
+
4cad4c
+        if (target == kernel) {
4cad4c
+                u->freezer_state = target;
4cad4c
+                return 0;
4cad4c
+        }
4cad4c
+
4cad4c
+        r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path, "cgroup.freeze", &path);
4cad4c
+        if (r < 0)
4cad4c
+                return r;
4cad4c
+
4cad4c
+        log_unit_debug(u, "%s unit.", action == FREEZER_FREEZE ? "Freezing" : "Thawing");
4cad4c
+
4cad4c
+        if (action == FREEZER_FREEZE)
4cad4c
+                u->freezer_state = FREEZER_FREEZING;
4cad4c
+        else
4cad4c
+                u->freezer_state = FREEZER_THAWING;
4cad4c
+
4cad4c
+        r = write_string_file(path, one_zero(action == FREEZER_FREEZE), WRITE_STRING_FILE_DISABLE_BUFFER);
4cad4c
+        if (r < 0)
4cad4c
+                return r;
4cad4c
+
4cad4c
+        return 0;
4cad4c
+}
4cad4c
+
4cad4c
 static const char* const cgroup_device_policy_table[_CGROUP_DEVICE_POLICY_MAX] = {
4cad4c
         [CGROUP_AUTO] = "auto",
4cad4c
         [CGROUP_CLOSED] = "closed",
4cad4c
@@ -2919,3 +3001,10 @@ int unit_get_cpuset(Unit *u, CPUSet *cpus, const char *name) {
4cad4c
 }
4cad4c
 
4cad4c
 DEFINE_STRING_TABLE_LOOKUP(cgroup_device_policy, CGroupDevicePolicy);
4cad4c
+
4cad4c
+static const char* const freezer_action_table[_FREEZER_ACTION_MAX] = {
4cad4c
+        [FREEZER_FREEZE] = "freeze",
4cad4c
+        [FREEZER_THAW] = "thaw",
4cad4c
+};
4cad4c
+
4cad4c
+DEFINE_STRING_TABLE_LOOKUP(freezer_action, FreezerAction);
4cad4c
diff --git a/src/core/cgroup.h b/src/core/cgroup.h
4cad4c
index 976224336d..36ea77fdc5 100644
4cad4c
--- a/src/core/cgroup.h
4cad4c
+++ b/src/core/cgroup.h
4cad4c
@@ -33,6 +33,14 @@ typedef enum CGroupDevicePolicy {
4cad4c
         _CGROUP_DEVICE_POLICY_INVALID = -1
4cad4c
 } CGroupDevicePolicy;
4cad4c
 
4cad4c
+typedef enum FreezerAction {
4cad4c
+        FREEZER_FREEZE,
4cad4c
+        FREEZER_THAW,
4cad4c
+
4cad4c
+        _FREEZER_ACTION_MAX,
4cad4c
+        _FREEZER_ACTION_INVALID = -1,
4cad4c
+} FreezerAction;
4cad4c
+
4cad4c
 struct CGroupDeviceAllow {
4cad4c
         LIST_FIELDS(CGroupDeviceAllow, device_allow);
4cad4c
         char *path;
4cad4c
@@ -235,3 +243,7 @@ CGroupDevicePolicy cgroup_device_policy_from_string(const char *s) _pure_;
4cad4c
 
4cad4c
 bool unit_cgroup_delegate(Unit *u);
4cad4c
 int unit_get_cpuset(Unit *u, CPUSet *cpus, const char *name);
4cad4c
+int unit_cgroup_freezer_action(Unit *u, FreezerAction action);
4cad4c
+
4cad4c
+const char* freezer_action_to_string(FreezerAction a) _const_;
4cad4c
+FreezerAction freezer_action_from_string(const char *s) _pure_;
4cad4c
diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
4cad4c
index b3c011b0df..a0777f63d5 100644
4cad4c
--- a/src/core/dbus-manager.c
4cad4c
+++ b/src/core/dbus-manager.c
4cad4c
@@ -683,6 +683,54 @@ static int method_unref_unit(sd_bus_message *message, void *userdata, sd_bus_err
4cad4c
         return bus_unit_method_unref(message, u, error);
4cad4c
 }
4cad4c
 
4cad4c
+static int method_freeze_unit(sd_bus_message *message, void *userdata, sd_bus_error *error) {
4cad4c
+        Manager *m = userdata;
4cad4c
+        const char *name;
4cad4c
+        Unit *u;
4cad4c
+        int r;
4cad4c
+
4cad4c
+        assert(message);
4cad4c
+        assert(m);
4cad4c
+
4cad4c
+        r = sd_bus_message_read(message, "s", &name);
4cad4c
+        if (r < 0)
4cad4c
+                return r;
4cad4c
+
4cad4c
+        r = bus_load_unit_by_name(m, message, name, &u, error);
4cad4c
+        if (r < 0)
4cad4c
+                return r;
4cad4c
+
4cad4c
+        r = bus_unit_validate_load_state(u, error);
4cad4c
+        if (r < 0)
4cad4c
+                return r;
4cad4c
+
4cad4c
+        return bus_unit_method_freeze(message, u, error);
4cad4c
+}
4cad4c
+
4cad4c
+static int method_thaw_unit(sd_bus_message *message, void *userdata, sd_bus_error *error) {
4cad4c
+        Manager *m = userdata;
4cad4c
+        const char *name;
4cad4c
+        Unit *u;
4cad4c
+        int r;
4cad4c
+
4cad4c
+        assert(message);
4cad4c
+        assert(m);
4cad4c
+
4cad4c
+        r = sd_bus_message_read(message, "s", &name);
4cad4c
+        if (r < 0)
4cad4c
+                return r;
4cad4c
+
4cad4c
+        r = bus_load_unit_by_name(m, message, name, &u, error);
4cad4c
+        if (r < 0)
4cad4c
+                return r;
4cad4c
+
4cad4c
+        r = bus_unit_validate_load_state(u, error);
4cad4c
+        if (r < 0)
4cad4c
+                return r;
4cad4c
+
4cad4c
+        return bus_unit_method_thaw(message, u, error);
4cad4c
+}
4cad4c
+
4cad4c
 static int reply_unit_info(sd_bus_message *reply, Unit *u) {
4cad4c
         _cleanup_free_ char *unit_path = NULL, *job_path = NULL;
4cad4c
         Unit *following;
4cad4c
@@ -2500,6 +2548,8 @@ const sd_bus_vtable bus_manager_vtable[] = {
4cad4c
         SD_BUS_METHOD("ReloadOrRestartUnit", "ss", "o", method_reload_or_restart_unit, SD_BUS_VTABLE_UNPRIVILEGED),
4cad4c
         SD_BUS_METHOD("ReloadOrTryRestartUnit", "ss", "o", method_reload_or_try_restart_unit, SD_BUS_VTABLE_UNPRIVILEGED),
4cad4c
         SD_BUS_METHOD("KillUnit", "ssi", NULL, method_kill_unit, SD_BUS_VTABLE_UNPRIVILEGED),
4cad4c
+        SD_BUS_METHOD("FreezeUnit", "s", NULL, method_freeze_unit, SD_BUS_VTABLE_UNPRIVILEGED),
4cad4c
+        SD_BUS_METHOD("ThawUnit", "s", NULL, method_thaw_unit, SD_BUS_VTABLE_UNPRIVILEGED),
4cad4c
         SD_BUS_METHOD("ResetFailedUnit", "s", NULL, method_reset_failed_unit, SD_BUS_VTABLE_UNPRIVILEGED),
4cad4c
         SD_BUS_METHOD("SetUnitProperties", "sba(sv)", NULL, method_set_unit_properties, SD_BUS_VTABLE_UNPRIVILEGED),
4cad4c
         SD_BUS_METHOD("RefUnit", "s", NULL, method_ref_unit, SD_BUS_VTABLE_UNPRIVILEGED),
4cad4c
diff --git a/src/core/dbus-unit.c b/src/core/dbus-unit.c
4cad4c
index aa15e47754..ce81103e92 100644
4cad4c
--- a/src/core/dbus-unit.c
4cad4c
+++ b/src/core/dbus-unit.c
4cad4c
@@ -42,12 +42,14 @@ static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_job_mode, job_mode, JobMode);
4cad4c
 static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_emergency_action, emergency_action, EmergencyAction);
4cad4c
 static BUS_DEFINE_PROPERTY_GET(property_get_description, "s", Unit, unit_description);
4cad4c
 static BUS_DEFINE_PROPERTY_GET2(property_get_active_state, "s", Unit, unit_active_state, unit_active_state_to_string);
4cad4c
+static BUS_DEFINE_PROPERTY_GET2(property_get_freezer_state, "s", Unit, unit_freezer_state, freezer_state_to_string);
4cad4c
 static BUS_DEFINE_PROPERTY_GET(property_get_sub_state, "s", Unit, unit_sub_state_to_string);
4cad4c
 static BUS_DEFINE_PROPERTY_GET2(property_get_unit_file_state, "s", Unit, unit_get_unit_file_state, unit_file_state_to_string);
4cad4c
 static BUS_DEFINE_PROPERTY_GET(property_get_can_reload, "b", Unit, unit_can_reload);
4cad4c
 static BUS_DEFINE_PROPERTY_GET(property_get_can_start, "b", Unit, unit_can_start_refuse_manual);
4cad4c
 static BUS_DEFINE_PROPERTY_GET(property_get_can_stop, "b", Unit, unit_can_stop_refuse_manual);
4cad4c
 static BUS_DEFINE_PROPERTY_GET(property_get_can_isolate, "b", Unit, unit_can_isolate_refuse_manual);
4cad4c
+static BUS_DEFINE_PROPERTY_GET(property_get_can_freeze, "b", Unit, unit_can_freeze);
4cad4c
 static BUS_DEFINE_PROPERTY_GET(property_get_need_daemon_reload, "b", Unit, unit_need_daemon_reload);
4cad4c
 static BUS_DEFINE_PROPERTY_GET_GLOBAL(property_get_empty_strv, "as", 0);
4cad4c
 
4cad4c
@@ -561,6 +563,79 @@ int bus_unit_method_unref(sd_bus_message *message, void *userdata, sd_bus_error
4cad4c
         return sd_bus_reply_method_return(message, NULL);
4cad4c
 }
4cad4c
 
4cad4c
+static int bus_unit_method_freezer_generic(sd_bus_message *message, void *userdata, sd_bus_error *error, FreezerAction action) {
4cad4c
+        const char* perm;
4cad4c
+        int (*method)(Unit*);
4cad4c
+        Unit *u = userdata;
4cad4c
+        bool reply_no_delay = false;
4cad4c
+        int r;
4cad4c
+
4cad4c
+        assert(message);
4cad4c
+        assert(u);
4cad4c
+        assert(IN_SET(action, FREEZER_FREEZE, FREEZER_THAW));
4cad4c
+
4cad4c
+        if (action == FREEZER_FREEZE) {
4cad4c
+                perm = "stop";
4cad4c
+                method = unit_freeze;
4cad4c
+        } else {
4cad4c
+                perm = "start";
4cad4c
+                method = unit_thaw;
4cad4c
+        }
4cad4c
+
4cad4c
+        r = mac_selinux_unit_access_check(u, message, perm, error);
4cad4c
+        if (r < 0)
4cad4c
+                return r;
4cad4c
+
4cad4c
+        r = bus_verify_manage_units_async_full(
4cad4c
+                        u,
4cad4c
+                        perm,
4cad4c
+                        CAP_SYS_ADMIN,
4cad4c
+                        N_("Authentication is required to freeze or thaw the processes of '$(unit)' unit."),
4cad4c
+                        true,
4cad4c
+                        message,
4cad4c
+                        error);
4cad4c
+        if (r < 0)
4cad4c
+                return r;
4cad4c
+        if (r == 0)
4cad4c
+                return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */
4cad4c
+
4cad4c
+        r = method(u);
4cad4c
+        if (r == -EOPNOTSUPP)
4cad4c
+                return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Unit '%s' does not support freezing.", u->id);
4cad4c
+        if (r == -EBUSY)
4cad4c
+                return sd_bus_error_setf(error, BUS_ERROR_UNIT_BUSY, "Unit has a pending job.");
4cad4c
+        if (r == -EHOSTDOWN)
4cad4c
+                return sd_bus_error_setf(error, BUS_ERROR_UNIT_INACTIVE, "Unit is inactive.");
4cad4c
+        if (r == -EALREADY)
4cad4c
+                return sd_bus_error_setf(error, SD_BUS_ERROR_FAILED, "Previously requested freezer operation for unit '%s' is still in progress.", u->id);
4cad4c
+        if (r < 0)
4cad4c
+                return r;
4cad4c
+        if (r == 0)
4cad4c
+                reply_no_delay = true;
4cad4c
+
4cad4c
+        assert(!u->pending_freezer_message);
4cad4c
+
4cad4c
+        r = sd_bus_message_new_method_return(message, &u->pending_freezer_message);
4cad4c
+        if (r < 0)
4cad4c
+                return r;
4cad4c
+
4cad4c
+        if (reply_no_delay) {
4cad4c
+                r = bus_unit_send_pending_freezer_message(u);
4cad4c
+                if (r < 0)
4cad4c
+                        return r;
4cad4c
+        }
4cad4c
+
4cad4c
+        return 1;
4cad4c
+}
4cad4c
+
4cad4c
+int bus_unit_method_thaw(sd_bus_message *message, void *userdata, sd_bus_error *error) {
4cad4c
+        return bus_unit_method_freezer_generic(message, userdata, error, FREEZER_THAW);
4cad4c
+}
4cad4c
+
4cad4c
+int bus_unit_method_freeze(sd_bus_message *message, void *userdata, sd_bus_error *error) {
4cad4c
+        return bus_unit_method_freezer_generic(message, userdata, error, FREEZER_FREEZE);
4cad4c
+}
4cad4c
+
4cad4c
 const sd_bus_vtable bus_unit_vtable[] = {
4cad4c
         SD_BUS_VTABLE_START(0),
4cad4c
 
4cad4c
@@ -592,6 +667,7 @@ const sd_bus_vtable bus_unit_vtable[] = {
4cad4c
         SD_BUS_PROPERTY("Description", "s", property_get_description, 0, SD_BUS_VTABLE_PROPERTY_CONST),
4cad4c
         SD_BUS_PROPERTY("LoadState", "s", property_get_load_state, offsetof(Unit, load_state), SD_BUS_VTABLE_PROPERTY_CONST),
4cad4c
         SD_BUS_PROPERTY("ActiveState", "s", property_get_active_state, 0, SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE),
4cad4c
+        SD_BUS_PROPERTY("FreezerState", "s", property_get_freezer_state, 0, SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE),
4cad4c
         SD_BUS_PROPERTY("SubState", "s", property_get_sub_state, 0, SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE),
4cad4c
         SD_BUS_PROPERTY("FragmentPath", "s", NULL, offsetof(Unit, fragment_path), SD_BUS_VTABLE_PROPERTY_CONST),
4cad4c
         SD_BUS_PROPERTY("SourcePath", "s", NULL, offsetof(Unit, source_path), SD_BUS_VTABLE_PROPERTY_CONST),
4cad4c
@@ -607,6 +683,7 @@ const sd_bus_vtable bus_unit_vtable[] = {
4cad4c
         SD_BUS_PROPERTY("CanStop", "b", property_get_can_stop, 0, SD_BUS_VTABLE_PROPERTY_CONST),
4cad4c
         SD_BUS_PROPERTY("CanReload", "b", property_get_can_reload, 0, SD_BUS_VTABLE_PROPERTY_CONST),
4cad4c
         SD_BUS_PROPERTY("CanIsolate", "b", property_get_can_isolate, 0, SD_BUS_VTABLE_PROPERTY_CONST),
4cad4c
+        SD_BUS_PROPERTY("CanFreeze", "b", property_get_can_freeze, 0, SD_BUS_VTABLE_PROPERTY_CONST),
4cad4c
         SD_BUS_PROPERTY("Job", "(uo)", property_get_job, offsetof(Unit, job), SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE),
4cad4c
         SD_BUS_PROPERTY("StopWhenUnneeded", "b", bus_property_get_bool, offsetof(Unit, stop_when_unneeded), SD_BUS_VTABLE_PROPERTY_CONST),
4cad4c
         SD_BUS_PROPERTY("RefuseManualStart", "b", bus_property_get_bool, offsetof(Unit, refuse_manual_start), SD_BUS_VTABLE_PROPERTY_CONST),
4cad4c
@@ -650,6 +727,8 @@ const sd_bus_vtable bus_unit_vtable[] = {
4cad4c
         SD_BUS_METHOD("SetProperties", "ba(sv)", NULL, bus_unit_method_set_properties, SD_BUS_VTABLE_UNPRIVILEGED),
4cad4c
         SD_BUS_METHOD("Ref", NULL, NULL, bus_unit_method_ref, SD_BUS_VTABLE_UNPRIVILEGED),
4cad4c
         SD_BUS_METHOD("Unref", NULL, NULL, bus_unit_method_unref, SD_BUS_VTABLE_UNPRIVILEGED),
4cad4c
+        SD_BUS_METHOD("Freeze", NULL, NULL, bus_unit_method_freeze, SD_BUS_VTABLE_UNPRIVILEGED),
4cad4c
+        SD_BUS_METHOD("Thaw", NULL, NULL, bus_unit_method_thaw, SD_BUS_VTABLE_UNPRIVILEGED),
4cad4c
 
4cad4c
         /* For dependency types we don't support anymore always return an empty array */
4cad4c
         SD_BUS_PROPERTY("RequiresOverridable", "as", property_get_empty_strv, 0, SD_BUS_VTABLE_HIDDEN),
4cad4c
@@ -1209,6 +1288,23 @@ void bus_unit_send_change_signal(Unit *u) {
4cad4c
         u->sent_dbus_new_signal = true;
4cad4c
 }
4cad4c
 
4cad4c
+int bus_unit_send_pending_freezer_message(Unit *u) {
4cad4c
+        int r;
4cad4c
+
4cad4c
+        assert(u);
4cad4c
+
4cad4c
+        if (!u->pending_freezer_message)
4cad4c
+                return 0;
4cad4c
+
4cad4c
+        r = sd_bus_send(NULL, u->pending_freezer_message, NULL);
4cad4c
+        if (r < 0)
4cad4c
+                log_warning_errno(r, "Failed to send queued message, ignoring: %m");
4cad4c
+
4cad4c
+        u->pending_freezer_message = sd_bus_message_unref(u->pending_freezer_message);
4cad4c
+
4cad4c
+        return 0;
4cad4c
+}
4cad4c
+
4cad4c
 static int send_removed_signal(sd_bus *bus, void *userdata) {
4cad4c
         _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
4cad4c
         _cleanup_free_ char *p = NULL;
4cad4c
diff --git a/src/core/dbus-unit.h b/src/core/dbus-unit.h
4cad4c
index 68eb621836..39aa1bb53c 100644
4cad4c
--- a/src/core/dbus-unit.h
4cad4c
+++ b/src/core/dbus-unit.h
4cad4c
@@ -11,6 +11,7 @@ extern const sd_bus_vtable bus_unit_vtable[];
4cad4c
 extern const sd_bus_vtable bus_unit_cgroup_vtable[];
4cad4c
 
4cad4c
 void bus_unit_send_change_signal(Unit *u);
4cad4c
+int bus_unit_send_pending_freezer_message(Unit *u);
4cad4c
 void bus_unit_send_removed_signal(Unit *u);
4cad4c
 
4cad4c
 int bus_unit_method_start_generic(sd_bus_message *message, Unit *u, JobType job_type, bool reload_if_possible, sd_bus_error *error);
4cad4c
@@ -23,6 +24,8 @@ int bus_unit_method_get_processes(sd_bus_message *message, void *userdata, sd_bu
4cad4c
 int bus_unit_method_attach_processes(sd_bus_message *message, void *userdata, sd_bus_error *error);
4cad4c
 int bus_unit_method_ref(sd_bus_message *message, void *userdata, sd_bus_error *error);
4cad4c
 int bus_unit_method_unref(sd_bus_message *message, void *userdata, sd_bus_error *error);
4cad4c
+int bus_unit_method_freeze(sd_bus_message *message, void *userdata, sd_bus_error *error);
4cad4c
+int bus_unit_method_thaw(sd_bus_message *message, void *userdata, sd_bus_error *error);
4cad4c
 
4cad4c
 int bus_unit_queue_job(sd_bus_message *message, Unit *u, JobType type, JobMode mode, bool reload_if_possible, sd_bus_error *error);
4cad4c
 int bus_unit_validate_load_state(Unit *u, sd_bus_error *error);
4cad4c
diff --git a/src/core/dbus.c b/src/core/dbus.c
4cad4c
index 346a440c5d..b69c11c519 100644
4cad4c
--- a/src/core/dbus.c
4cad4c
+++ b/src/core/dbus.c
4cad4c
@@ -1073,10 +1073,15 @@ static void destroy_bus(Manager *m, sd_bus **bus) {
4cad4c
                 if (j->bus_track && sd_bus_track_get_bus(j->bus_track) == *bus)
4cad4c
                         j->bus_track = sd_bus_track_unref(j->bus_track);
4cad4c
 
4cad4c
-        HASHMAP_FOREACH(u, m->units, i)
4cad4c
+        HASHMAP_FOREACH(u, m->units, i) {
4cad4c
                 if (u->bus_track && sd_bus_track_get_bus(u->bus_track) == *bus)
4cad4c
                         u->bus_track = sd_bus_track_unref(u->bus_track);
4cad4c
 
4cad4c
+                /* Get rid of pending freezer messages on this bus */
4cad4c
+                if (u->pending_freezer_message && sd_bus_message_get_bus(u->pending_freezer_message) == *bus)
4cad4c
+                        u->pending_freezer_message = sd_bus_message_unref(u->pending_freezer_message);
4cad4c
+        }
4cad4c
+
4cad4c
         /* Get rid of queued message on this bus */
4cad4c
         if (m->pending_reload_message && sd_bus_message_get_bus(m->pending_reload_message) == *bus)
4cad4c
                 m->pending_reload_message = sd_bus_message_unref(m->pending_reload_message);
4cad4c
diff --git a/src/core/scope.c b/src/core/scope.c
4cad4c
index a1a5363244..5a595c65a6 100644
4cad4c
--- a/src/core/scope.c
4cad4c
+++ b/src/core/scope.c
4cad4c
@@ -601,6 +601,9 @@ const UnitVTable scope_vtable = {
4cad4c
 
4cad4c
         .kill = scope_kill,
4cad4c
 
4cad4c
+        .freeze = unit_freeze_vtable_common,
4cad4c
+        .thaw = unit_thaw_vtable_common,
4cad4c
+
4cad4c
         .get_timeout = scope_get_timeout,
4cad4c
 
4cad4c
         .serialize = scope_serialize,
4cad4c
diff --git a/src/core/service.c b/src/core/service.c
4cad4c
index 1d98ee37fd..89b41f6783 100644
4cad4c
--- a/src/core/service.c
4cad4c
+++ b/src/core/service.c
4cad4c
@@ -4143,6 +4143,9 @@ const UnitVTable service_vtable = {
4cad4c
 
4cad4c
         .kill = service_kill,
4cad4c
 
4cad4c
+        .freeze = unit_freeze_vtable_common,
4cad4c
+        .thaw = unit_thaw_vtable_common,
4cad4c
+
4cad4c
         .serialize = service_serialize,
4cad4c
         .deserialize_item = service_deserialize_item,
4cad4c
 
4cad4c
diff --git a/src/core/slice.c b/src/core/slice.c
4cad4c
index 58f18a4dad..b5eb2f5c01 100644
4cad4c
--- a/src/core/slice.c
4cad4c
+++ b/src/core/slice.c
4cad4c
@@ -344,6 +344,82 @@ static void slice_enumerate_perpetual(Manager *m) {
4cad4c
                 (void) slice_make_perpetual(m, SPECIAL_SYSTEM_SLICE, NULL);
4cad4c
 }
4cad4c
 
4cad4c
+static bool slice_freezer_action_supported_by_children(Unit *s) {
4cad4c
+        Unit *member;
4cad4c
+        void *v;
4cad4c
+        Iterator i;
4cad4c
+
4cad4c
+        assert(s);
4cad4c
+
4cad4c
+        HASHMAP_FOREACH_KEY(v, member, s->dependencies[UNIT_BEFORE], i) {
4cad4c
+                int r;
4cad4c
+
4cad4c
+                if (UNIT_DEREF(member->slice) != s)
4cad4c
+                        continue;
4cad4c
+
4cad4c
+                if (member->type == UNIT_SLICE) {
4cad4c
+                        r = slice_freezer_action_supported_by_children(member);
4cad4c
+                        if (!r)
4cad4c
+                                return r;
4cad4c
+                }
4cad4c
+
4cad4c
+                if (!UNIT_VTABLE(member)->freeze)
4cad4c
+                        return false;
4cad4c
+        }
4cad4c
+
4cad4c
+        return true;
4cad4c
+}
4cad4c
+
4cad4c
+static int slice_freezer_action(Unit *s, FreezerAction action) {
4cad4c
+        Unit *member;
4cad4c
+        void *v;
4cad4c
+        Iterator i;
4cad4c
+        int r;
4cad4c
+
4cad4c
+        assert(s);
4cad4c
+        assert(IN_SET(action, FREEZER_FREEZE, FREEZER_THAW));
4cad4c
+
4cad4c
+        if (!slice_freezer_action_supported_by_children(s))
4cad4c
+                return log_unit_warning(s, "Requested freezer operation is not supported by all children of the slice");
4cad4c
+
4cad4c
+        HASHMAP_FOREACH_KEY(v, member, s->dependencies[UNIT_BEFORE], i) {
4cad4c
+                if (UNIT_DEREF(member->slice) != s)
4cad4c
+                        continue;
4cad4c
+
4cad4c
+                if (action == FREEZER_FREEZE)
4cad4c
+                        r = UNIT_VTABLE(member)->freeze(member);
4cad4c
+                else
4cad4c
+                        r = UNIT_VTABLE(member)->thaw(member);
4cad4c
+
4cad4c
+                if (r < 0)
4cad4c
+                        return r;
4cad4c
+        }
4cad4c
+
4cad4c
+        r = unit_cgroup_freezer_action(s, action);
4cad4c
+        if (r < 0)
4cad4c
+                return r;
4cad4c
+
4cad4c
+        return 0;
4cad4c
+}
4cad4c
+
4cad4c
+static int slice_freeze(Unit *s) {
4cad4c
+        assert(s);
4cad4c
+
4cad4c
+        return slice_freezer_action(s, FREEZER_FREEZE);
4cad4c
+}
4cad4c
+
4cad4c
+static int slice_thaw(Unit *s) {
4cad4c
+        assert(s);
4cad4c
+
4cad4c
+        return slice_freezer_action(s, FREEZER_THAW);
4cad4c
+}
4cad4c
+
4cad4c
+static bool slice_can_freeze(Unit *s) {
4cad4c
+        assert(s);
4cad4c
+
4cad4c
+        return slice_freezer_action_supported_by_children(s);
4cad4c
+}
4cad4c
+
4cad4c
 const UnitVTable slice_vtable = {
4cad4c
         .object_size = sizeof(Slice),
4cad4c
         .cgroup_context_offset = offsetof(Slice, cgroup_context),
4cad4c
@@ -368,6 +444,10 @@ const UnitVTable slice_vtable = {
4cad4c
 
4cad4c
         .kill = slice_kill,
4cad4c
 
4cad4c
+        .freeze = slice_freeze,
4cad4c
+        .thaw = slice_thaw,
4cad4c
+        .can_freeze = slice_can_freeze,
4cad4c
+
4cad4c
         .serialize = slice_serialize,
4cad4c
         .deserialize_item = slice_deserialize_item,
4cad4c
 
4cad4c
diff --git a/src/core/unit.c b/src/core/unit.c
4cad4c
index f57260727f..29ce6c1fb7 100644
4cad4c
--- a/src/core/unit.c
4cad4c
+++ b/src/core/unit.c
4cad4c
@@ -583,6 +583,7 @@ void unit_free(Unit *u) {
4cad4c
         sd_bus_slot_unref(u->match_bus_slot);
4cad4c
         sd_bus_track_unref(u->bus_track);
4cad4c
         u->deserialized_refs = strv_free(u->deserialized_refs);
4cad4c
+        u->pending_freezer_message = sd_bus_message_unref(u->pending_freezer_message);
4cad4c
 
4cad4c
         unit_free_requires_mounts_for(u);
4cad4c
 
4cad4c
@@ -685,6 +686,38 @@ void unit_free(Unit *u) {
4cad4c
         free(u);
4cad4c
 }
4cad4c
 
4cad4c
+FreezerState unit_freezer_state(Unit *u) {
4cad4c
+        assert(u);
4cad4c
+
4cad4c
+        return u->freezer_state;
4cad4c
+}
4cad4c
+
4cad4c
+int unit_freezer_state_kernel(Unit *u, FreezerState *ret) {
4cad4c
+        char *values[1] = {};
4cad4c
+        int r;
4cad4c
+
4cad4c
+        assert(u);
4cad4c
+
4cad4c
+        r = cg_get_keyed_attribute(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path, "cgroup.events",
4cad4c
+                                   STRV_MAKE("frozen"), values);
4cad4c
+        if (r < 0)
4cad4c
+                return r;
4cad4c
+
4cad4c
+        r = _FREEZER_STATE_INVALID;
4cad4c
+
4cad4c
+        if (values[0])  {
4cad4c
+                if (streq(values[0], "0"))
4cad4c
+                        r = FREEZER_RUNNING;
4cad4c
+                else if (streq(values[0], "1"))
4cad4c
+                        r = FREEZER_FROZEN;
4cad4c
+        }
4cad4c
+
4cad4c
+        free(values[0]);
4cad4c
+        *ret = r;
4cad4c
+
4cad4c
+        return 0;
4cad4c
+}
4cad4c
+
4cad4c
 UnitActiveState unit_active_state(Unit *u) {
4cad4c
         assert(u);
4cad4c
 
4cad4c
@@ -1760,6 +1793,7 @@ int unit_start(Unit *u) {
4cad4c
          * before it will start again. */
4cad4c
 
4cad4c
         unit_add_to_dbus_queue(u);
4cad4c
+        unit_cgroup_freezer_action(u, FREEZER_THAW);
4cad4c
 
4cad4c
         return UNIT_VTABLE(u)->start(u);
4cad4c
 }
4cad4c
@@ -1812,6 +1846,7 @@ int unit_stop(Unit *u) {
4cad4c
                 return -EBADR;
4cad4c
 
4cad4c
         unit_add_to_dbus_queue(u);
4cad4c
+        unit_cgroup_freezer_action(u, FREEZER_THAW);
4cad4c
 
4cad4c
         return UNIT_VTABLE(u)->stop(u);
4cad4c
 }
4cad4c
@@ -1868,6 +1903,8 @@ int unit_reload(Unit *u) {
4cad4c
                 return 0;
4cad4c
         }
4cad4c
 
4cad4c
+        unit_cgroup_freezer_action(u, FREEZER_THAW);
4cad4c
+
4cad4c
         return UNIT_VTABLE(u)->reload(u);
4cad4c
 }
4cad4c
 
4cad4c
@@ -3208,6 +3245,8 @@ int unit_serialize(Unit *u, FILE *f, FDSet *fds, bool serialize_jobs) {
4cad4c
         if (!sd_id128_is_null(u->invocation_id))
4cad4c
                 unit_serialize_item_format(u, f, "invocation-id", SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(u->invocation_id));
4cad4c
 
4cad4c
+        (void) unit_serialize_item_format(u, f, "freezer-state", "%s", freezer_state_to_string(unit_freezer_state(u)));
4cad4c
+
4cad4c
         bus_track_serialize(u->bus_track, f, "ref");
4cad4c
 
4cad4c
         for (m = 0; m < _CGROUP_IP_ACCOUNTING_METRIC_MAX; m++) {
4cad4c
@@ -3574,6 +3613,16 @@ int unit_deserialize(Unit *u, FILE *f, FDSet *fds) {
4cad4c
                                         log_unit_warning_errno(u, r, "Failed to set invocation ID for unit: %m");
4cad4c
                         }
4cad4c
 
4cad4c
+                        continue;
4cad4c
+                } else if (streq(l, "freezer-state")) {
4cad4c
+                        FreezerState s;
4cad4c
+
4cad4c
+                        s = freezer_state_from_string(v);
4cad4c
+                        if (s < 0)
4cad4c
+                                log_unit_debug(u, "Failed to deserialize freezer-state '%s', ignoring.", v);
4cad4c
+                        else
4cad4c
+                                u->freezer_state = s;
4cad4c
+
4cad4c
                         continue;
4cad4c
                 }
4cad4c
 
4cad4c
@@ -5507,6 +5556,80 @@ void unit_log_skip(Unit *u, const char *result) {
4cad4c
                    "UNIT_RESULT=%s", result);
4cad4c
 }
4cad4c
 
4cad4c
+bool unit_can_freeze(Unit *u) {
4cad4c
+        assert(u);
4cad4c
+
4cad4c
+        if (UNIT_VTABLE(u)->can_freeze)
4cad4c
+                return UNIT_VTABLE(u)->can_freeze(u);
4cad4c
+
4cad4c
+        return UNIT_VTABLE(u)->freeze;
4cad4c
+}
4cad4c
+
4cad4c
+void unit_frozen(Unit *u) {
4cad4c
+        assert(u);
4cad4c
+
4cad4c
+        u->freezer_state = FREEZER_FROZEN;
4cad4c
+
4cad4c
+        bus_unit_send_pending_freezer_message(u);
4cad4c
+}
4cad4c
+
4cad4c
+void unit_thawed(Unit *u) {
4cad4c
+        assert(u);
4cad4c
+
4cad4c
+        u->freezer_state = FREEZER_RUNNING;
4cad4c
+
4cad4c
+        bus_unit_send_pending_freezer_message(u);
4cad4c
+}
4cad4c
+
4cad4c
+static int unit_freezer_action(Unit *u, FreezerAction action) {
4cad4c
+        UnitActiveState s;
4cad4c
+        int (*method)(Unit*);
4cad4c
+        int r;
4cad4c
+
4cad4c
+        assert(u);
4cad4c
+        assert(IN_SET(action, FREEZER_FREEZE, FREEZER_THAW));
4cad4c
+
4cad4c
+        method = action == FREEZER_FREEZE ? UNIT_VTABLE(u)->freeze : UNIT_VTABLE(u)->thaw;
4cad4c
+        if (!method || !cg_freezer_supported())
4cad4c
+                return -EOPNOTSUPP;
4cad4c
+
4cad4c
+        if (u->job)
4cad4c
+                return -EBUSY;
4cad4c
+
4cad4c
+        if (u->load_state != UNIT_LOADED)
4cad4c
+                return -EHOSTDOWN;
4cad4c
+
4cad4c
+        s = unit_active_state(u);
4cad4c
+        if (s != UNIT_ACTIVE)
4cad4c
+                return -EHOSTDOWN;
4cad4c
+
4cad4c
+        if (IN_SET(u->freezer_state, FREEZER_FREEZING, FREEZER_THAWING))
4cad4c
+                return -EALREADY;
4cad4c
+
4cad4c
+        r = method(u);
4cad4c
+        if (r <= 0)
4cad4c
+                return r;
4cad4c
+
4cad4c
+        return 1;
4cad4c
+}
4cad4c
+
4cad4c
+int unit_freeze(Unit *u) {
4cad4c
+        return unit_freezer_action(u, FREEZER_FREEZE);
4cad4c
+}
4cad4c
+
4cad4c
+int unit_thaw(Unit *u) {
4cad4c
+        return unit_freezer_action(u, FREEZER_THAW);
4cad4c
+}
4cad4c
+
4cad4c
+/* Wrappers around low-level cgroup freezer operations common for service and scope units */
4cad4c
+int unit_freeze_vtable_common(Unit *u) {
4cad4c
+        return unit_cgroup_freezer_action(u, FREEZER_FREEZE);
4cad4c
+}
4cad4c
+
4cad4c
+int unit_thaw_vtable_common(Unit *u) {
4cad4c
+        return unit_cgroup_freezer_action(u, FREEZER_THAW);
4cad4c
+}
4cad4c
+
4cad4c
 static const char* const collect_mode_table[_COLLECT_MODE_MAX] = {
4cad4c
         [COLLECT_INACTIVE] = "inactive",
4cad4c
         [COLLECT_INACTIVE_OR_FAILED] = "inactive-or-failed",
4cad4c
diff --git a/src/core/unit.h b/src/core/unit.h
4cad4c
index b40ff9b961..6e37fd6f5a 100644
4cad4c
--- a/src/core/unit.h
4cad4c
+++ b/src/core/unit.h
4cad4c
@@ -118,6 +118,9 @@ typedef struct Unit {
4cad4c
         UnitLoadState load_state;
4cad4c
         Unit *merged_into;
4cad4c
 
4cad4c
+        FreezerState freezer_state;
4cad4c
+        sd_bus_message *pending_freezer_message;
4cad4c
+
4cad4c
         char *id; /* One name is special because we use it for identification. Points to an entry in the names set */
4cad4c
         char *instance;
4cad4c
 
4cad4c
@@ -456,6 +459,11 @@ typedef struct UnitVTable {
4cad4c
 
4cad4c
         int (*kill)(Unit *u, KillWho w, int signo, sd_bus_error *error);
4cad4c
 
4cad4c
+        /* Freeze the unit */
4cad4c
+        int (*freeze)(Unit *u);
4cad4c
+        int (*thaw)(Unit *u);
4cad4c
+        bool (*can_freeze)(Unit *u);
4cad4c
+
4cad4c
         bool (*can_reload)(Unit *u);
4cad4c
 
4cad4c
         /* Write all data that cannot be restored from other sources
4cad4c
@@ -641,6 +649,8 @@ const char *unit_description(Unit *u) _pure_;
4cad4c
 bool unit_has_name(Unit *u, const char *name);
4cad4c
 
4cad4c
 UnitActiveState unit_active_state(Unit *u);
4cad4c
+FreezerState unit_freezer_state(Unit *u);
4cad4c
+int unit_freezer_state_kernel(Unit *u, FreezerState *ret);
4cad4c
 
4cad4c
 const char* unit_sub_state_to_string(Unit *u);
4cad4c
 
4cad4c
@@ -814,6 +824,16 @@ void unit_log_failure(Unit *u, const char *result);
4cad4c
  * after some execution, rather than succeeded or failed. */
4cad4c
 void unit_log_skip(Unit *u, const char *result);
4cad4c
 
4cad4c
+bool unit_can_freeze(Unit *u);
4cad4c
+int unit_freeze(Unit *u);
4cad4c
+void unit_frozen(Unit *u);
4cad4c
+
4cad4c
+int unit_thaw(Unit *u);
4cad4c
+void unit_thawed(Unit *u);
4cad4c
+
4cad4c
+int unit_freeze_vtable_common(Unit *u);
4cad4c
+int unit_thaw_vtable_common(Unit *u);
4cad4c
+
4cad4c
 /* Macros which append UNIT= or USER_UNIT= to the message */
4cad4c
 
4cad4c
 #define log_unit_full(unit, level, error, ...)                          \
4cad4c
diff --git a/src/libsystemd/sd-bus/bus-common-errors.h b/src/libsystemd/sd-bus/bus-common-errors.h
4cad4c
index 3945c7f6ac..77da78d4d4 100644
4cad4c
--- a/src/libsystemd/sd-bus/bus-common-errors.h
4cad4c
+++ b/src/libsystemd/sd-bus/bus-common-errors.h
4cad4c
@@ -30,6 +30,8 @@
4cad4c
 #define BUS_ERROR_NO_SUCH_DYNAMIC_USER "org.freedesktop.systemd1.NoSuchDynamicUser"
4cad4c
 #define BUS_ERROR_NOT_REFERENCED "org.freedesktop.systemd1.NotReferenced"
4cad4c
 #define BUS_ERROR_DISK_FULL "org.freedesktop.systemd1.DiskFull"
4cad4c
+#define BUS_ERROR_UNIT_BUSY "org.freedesktop.systemd1.UnitBusy"
4cad4c
+#define BUS_ERROR_UNIT_INACTIVE "org.freedesktop.systemd1.UnitInactive"
4cad4c
 
4cad4c
 #define BUS_ERROR_NO_SUCH_MACHINE "org.freedesktop.machine1.NoSuchMachine"
4cad4c
 #define BUS_ERROR_NO_SUCH_IMAGE "org.freedesktop.machine1.NoSuchImage"
4cad4c
diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c
4cad4c
index e0db97e339..e963f19b0a 100644
4cad4c
--- a/src/systemctl/systemctl.c
4cad4c
+++ b/src/systemctl/systemctl.c
4cad4c
@@ -27,6 +27,7 @@
4cad4c
 #include "bus-message.h"
4cad4c
 #include "bus-unit-util.h"
4cad4c
 #include "bus-util.h"
4cad4c
+#include "bus-wait-for-units.h"
4cad4c
 #include "cgroup-show.h"
4cad4c
 #include "cgroup-util.h"
4cad4c
 #include "copy.h"
4cad4c
@@ -3728,6 +3729,98 @@ static int kill_unit(int argc, char *argv[], void *userdata) {
4cad4c
 
4cad4c
         return r;
4cad4c
 }
4cad4c
+static int freeze_or_thaw_unit(int argc, char *argv[], void *userdata) {
4cad4c
+        _cleanup_(bus_wait_for_units_freep) BusWaitForUnits *w = NULL;
4cad4c
+        _cleanup_strv_free_ char **names = NULL;
4cad4c
+        int r, ret = EXIT_SUCCESS;
4cad4c
+        char **name;
4cad4c
+        const char *method;
4cad4c
+        sd_bus *bus;
4cad4c
+
4cad4c
+        r = acquire_bus(BUS_FULL, &bus;;
4cad4c
+        if (r < 0)
4cad4c
+                return r;
4cad4c
+
4cad4c
+        polkit_agent_open_maybe();
4cad4c
+
4cad4c
+        r = expand_names(bus, strv_skip(argv, 1), NULL, &names);
4cad4c
+        if (r < 0)
4cad4c
+                return log_error_errno(r, "Failed to expand names: %m");
4cad4c
+
4cad4c
+        if (!arg_no_block) {
4cad4c
+                r = bus_wait_for_units_new(bus, &w);
4cad4c
+                if (r < 0)
4cad4c
+                        return log_error_errno(r, "Failed to allocate unit waiter: %m");
4cad4c
+        }
4cad4c
+
4cad4c
+        if (streq(argv[0], "freeze"))
4cad4c
+                method = "FreezeUnit";
4cad4c
+        else if (streq(argv[0], "thaw"))
4cad4c
+                method = "ThawUnit";
4cad4c
+        else
4cad4c
+                assert_not_reached("Unhandled method");
4cad4c
+
4cad4c
+        STRV_FOREACH(name, names) {
4cad4c
+                _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
4cad4c
+                _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
4cad4c
+
4cad4c
+                if (w) {
4cad4c
+                        /* If we shall wait for the cleaning to complete, let's add a ref on the unit first */
4cad4c
+                        r = sd_bus_call_method(
4cad4c
+                                        bus,
4cad4c
+                                        "org.freedesktop.systemd1",
4cad4c
+                                        "/org/freedesktop/systemd1",
4cad4c
+                                        "org.freedesktop.systemd1.Manager",
4cad4c
+                                        "RefUnit",
4cad4c
+                                        &error,
4cad4c
+                                        NULL,
4cad4c
+                                        "s", *name);
4cad4c
+                        if (r < 0) {
4cad4c
+                                log_error_errno(r, "Failed to add reference to unit %s: %s", *name, bus_error_message(&error, r));
4cad4c
+                                if (ret == EXIT_SUCCESS)
4cad4c
+                                        ret = r;
4cad4c
+                                continue;
4cad4c
+                        }
4cad4c
+                }
4cad4c
+
4cad4c
+                r = sd_bus_message_new_method_call(
4cad4c
+                                bus,
4cad4c
+                                &m,
4cad4c
+                                "org.freedesktop.systemd1",
4cad4c
+                                "/org/freedesktop/systemd1",
4cad4c
+                                "org.freedesktop.systemd1.Manager",
4cad4c
+                                method);
4cad4c
+                if (r < 0)
4cad4c
+                        return bus_log_create_error(r);
4cad4c
+
4cad4c
+                r = sd_bus_message_append(m, "s", *name);
4cad4c
+                if (r < 0)
4cad4c
+                        return bus_log_create_error(r);
4cad4c
+
4cad4c
+                r = sd_bus_call(bus, m, 0, &error, NULL);
4cad4c
+                if (r < 0) {
4cad4c
+                        log_error_errno(r, "Failed to %s unit %s: %s", argv[0], *name, bus_error_message(&error, r));
4cad4c
+                        if (ret == EXIT_SUCCESS) {
4cad4c
+                                ret = r;
4cad4c
+                                continue;
4cad4c
+                        }
4cad4c
+                }
4cad4c
+
4cad4c
+                if (w) {
4cad4c
+                        r = bus_wait_for_units_add_unit(w, *name, BUS_WAIT_REFFED|BUS_WAIT_FOR_MAINTENANCE_END, NULL, NULL);
4cad4c
+                        if (r < 0)
4cad4c
+                                return log_error_errno(r, "Failed to watch unit %s: %m", *name);
4cad4c
+                }
4cad4c
+        }
4cad4c
+
4cad4c
+        r = bus_wait_for_units_run(w);
4cad4c
+        if (r < 0)
4cad4c
+                return log_error_errno(r, "Failed to wait for units: %m");
4cad4c
+        if (r == BUS_WAIT_FAILURE)
4cad4c
+                ret = EXIT_FAILURE;
4cad4c
+
4cad4c
+        return ret;
4cad4c
+}
4cad4c
 
4cad4c
 typedef struct ExecStatusInfo {
4cad4c
         char *name;
4cad4c
@@ -3832,6 +3925,7 @@ typedef struct UnitStatusInfo {
4cad4c
         const char *id;
4cad4c
         const char *load_state;
4cad4c
         const char *active_state;
4cad4c
+        const char *freezer_state;
4cad4c
         const char *sub_state;
4cad4c
         const char *unit_file_state;
4cad4c
         const char *unit_file_preset;
4cad4c
@@ -3949,7 +4043,7 @@ static void print_status_info(
4cad4c
                 bool *ellipsized) {
4cad4c
 
4cad4c
         char since1[FORMAT_TIMESTAMP_RELATIVE_MAX], since2[FORMAT_TIMESTAMP_MAX];
4cad4c
-        const char *s1, *s2, *active_on, *active_off, *on, *off, *ss;
4cad4c
+        const char *s1, *s2, *active_on, *active_off, *on, *off, *ss, *fs;
4cad4c
         _cleanup_free_ char *formatted_path = NULL;
4cad4c
         ExecStatusInfo *p;
4cad4c
         usec_t timestamp;
4cad4c
@@ -4056,6 +4150,10 @@ static void print_status_info(
4cad4c
                 printf("   Active: %s%s%s",
4cad4c
                        active_on, strna(i->active_state), active_off);
4cad4c
 
4cad4c
+        fs = !isempty(i->freezer_state) && !streq(i->freezer_state, "running") ? i->freezer_state : NULL;
4cad4c
+        if (fs)
4cad4c
+                printf(" %s(%s)%s", ansi_highlight_yellow(), fs, active_off);
4cad4c
+
4cad4c
         if (!isempty(i->result) && !streq(i->result, "success"))
4cad4c
                 printf(" (Result: %s)", i->result);
4cad4c
 
4cad4c
@@ -4985,6 +5083,7 @@ static int show_one(
4cad4c
                 { "Id",                             "s",              NULL,           offsetof(UnitStatusInfo, id)                                },
4cad4c
                 { "LoadState",                      "s",              NULL,           offsetof(UnitStatusInfo, load_state)                        },
4cad4c
                 { "ActiveState",                    "s",              NULL,           offsetof(UnitStatusInfo, active_state)                      },
4cad4c
+                { "FreezerState",                   "s",              NULL,           offsetof(UnitStatusInfo, freezer_state)                     },
4cad4c
                 { "SubState",                       "s",              NULL,           offsetof(UnitStatusInfo, sub_state)                         },
4cad4c
                 { "UnitFileState",                  "s",              NULL,           offsetof(UnitStatusInfo, unit_file_state)                   },
4cad4c
                 { "UnitFilePreset",                 "s",              NULL,           offsetof(UnitStatusInfo, unit_file_preset)                  },
4cad4c
@@ -7139,6 +7238,8 @@ static void systemctl_help(void) {
4cad4c
                "                                      if supported, otherwise restart\n"
4cad4c
                "  isolate UNIT                        Start one unit and stop all others\n"
4cad4c
                "  kill UNIT...                        Send signal to processes of a unit\n"
4cad4c
+               "  freeze PATTERN...                   Freeze execution of unit processes\n"
4cad4c
+               "  thaw PATTERN...                     Resume execution of a frozen unit\n"
4cad4c
                "  is-active PATTERN...                Check whether units are active\n"
4cad4c
                "  is-failed PATTERN...                Check whether units are failed\n"
4cad4c
                "  status [PATTERN...|PID...]          Show runtime status of one or more units\n"
4cad4c
@@ -8280,6 +8381,8 @@ static int systemctl_main(int argc, char *argv[]) {
4cad4c
                 { "condrestart",           2,        VERB_ANY, VERB_ONLINE_ONLY, start_unit           }, /* For compatibility with RH */
4cad4c
                 { "isolate",               2,        2,        VERB_ONLINE_ONLY, start_unit           },
4cad4c
                 { "kill",                  2,        VERB_ANY, VERB_ONLINE_ONLY, kill_unit            },
4cad4c
+                { "freeze",                2,        VERB_ANY, VERB_ONLINE_ONLY, freeze_or_thaw_unit  },
4cad4c
+                { "thaw",                  2,        VERB_ANY, VERB_ONLINE_ONLY, freeze_or_thaw_unit  },
4cad4c
                 { "is-active",             2,        VERB_ANY, VERB_ONLINE_ONLY, check_unit_active    },
4cad4c
                 { "check",                 2,        VERB_ANY, VERB_ONLINE_ONLY, check_unit_active    }, /* deprecated alias of is-active */
4cad4c
                 { "is-failed",             2,        VERB_ANY, VERB_ONLINE_ONLY, check_unit_failed    },