Hello,
I have got a situation where a live migration (TLS) is failing because
the virtual machine has the following configuration:
<vcpu placement='static' cpuset='0-1,3,5,7-47,49,51,53,55-95'>2</vcpu>
This is in place because the host is shared with some other
application with strict requirements and so the `machine.slice` was
limited to these CPUs.
During a live migration, libvirtd (running as root) seems to spawn a
new rpc-libvirtd process with the same uid/gid defined in qemu.conf
(non-root). It then fails to write to `cpuset.cpus`:
virNetClientProgramDispatchError:172 : Unable to write to
'/sys/fs/cgroup/cpuset/machine.slice/machine-qemu\x2d80\x2dinstance\x2d0000007c.scope/libvirt/emulator/cpuset.cpus':
Permission denied
Here are the running processes during the live migration:
UID PID GID PPID CMD
root 2639801 0 2639361 /usr/sbin/libvirtd --listen
12345 3033179 109 2638878 /usr/sbin/libvirtd --listen
12345 3033179 109 2638878 [rpc-libvirtd]
(processes with uid=12345 are spawned during the migration. gid=109 is `kvm`)
Changing group membership and file permissions has no effect because
the file/directory permissions in machine.slice are not inherited
inside the machine scope (a workaround was setting regular files as
664 and making the non-root UID of rpc-libvirtd be a member of the
root group).
I did not try to change the user/group in qemu.conf for fear of
breaking other parts of the system or sabotaging security (e.g. by
setting it to root/root for qemu-system-x86_64).
The systemd scope for the machine has "Delegate=yes" so systemd
expects the manager process to fully own the cgroups configuration. So
looking at libvirtd, I cannot find a configuration setting that would
either change the UID/GID of that rpc-libvirtd process or how to tweak
the cgroups file permissions.
Any insights?
Environment:
* Ubuntu 22.04 x86_64
* systemd 249.11
* libvirt 8.0.0
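Two checks a practitioner would run before touching qemu.conf or the cgroup permissions, written here as an added example (not part of the original post and not libvirt code): expand a kernel cpuset list such as the one in the <vcpu> element and verify it is a subset of what the parent cgroup allows, and walk from the cpuset.cpus file that libvirt failed to write up to the cgroup root, printing owner, group and mode of every level so that the point where the non-root rpc-libvirtd loses write access is visible. The function names, the root argument and the temporary tree used below are assumptions made for the example; the cgroup v1 path layout is the one quoted in the error message.

```shell
#!/bin/sh
# Added example: cpuset and cgroup-permission diagnostics for the failure
# described above. Hypothetical helper names; not from libvirt or systemd.

# Expand a kernel cpuset list ("0-1,3,5-7") to one CPU id per line.
cpuset_expand() {
  printf '%s\n' "$1" | tr ',' '\n' | while IFS=- read -r lo hi; do
    if [ -n "$lo" ]; then
      hi=${hi:-$lo}          # a single number is a range of length one
      seq "$lo" "$hi"
    fi
  done
}

# Number of CPUs in a cpuset list.
cpuset_count() {
  cpuset_expand "$1" | wc -l | tr -d ' '
}

# Return 0 if every CPU in list $1 is also present in list $2.
# Use: cpuset_subset "<vcpu cpuset>" "$(cat .../machine.slice/cpuset.cpus)"
cpuset_subset() {
  allowed=" $(cpuset_expand "$2" | tr '\n' ' ')"   # " 0 1 3 5 ... "
  for cpu in $(cpuset_expand "$1"); do
    case "$allowed" in
      *" $cpu "*) ;;        # present in the parent set
      *) return 1 ;;        # pinned to a CPU the parent cgroup does not allow
    esac
  done
  return 0
}

# Print "mode uid:gid path" for a cgroup file and each ancestor directory,
# stopping at the cgroup root ($2, default /sys/fs/cgroup). The line whose
# uid/gid does not match the qemu.conf user is where the write is refused.
cgroup_perm_chain() {
  path=$1
  root=${2:-/sys/fs/cgroup}
  while :; do
    stat -c '%A %u:%g %n' "$path"
    [ "$path" = "$root" ] && break
    parent=$(dirname "$path")
    [ "$parent" = "$path" ] && break   # reached filesystem root
    path=$parent
  done
}

# Stand-alone demonstration on the values from the post (CPU set) and on a
# constructed directory tree standing in for the real cgroup hierarchy.
if [ "${1:-}" = "demo" ]; then
  set="0-1,3,5,7-47,49,51,53,55-95"
  echo "vcpu cpuset has $(cpuset_count "$set") CPUs"
  cpuset_subset "0-1,3" "$set" && echo "0-1,3 is within the slice"
  cpuset_subset "0-2" "$set" || echo "0-2 uses CPU 2, outside the slice"
  tmp=$(mktemp -d)
  mkdir -p "$tmp/machine.slice/scope/libvirt/emulator"
  : > "$tmp/machine.slice/scope/libvirt/emulator/cpuset.cpus"
  cgroup_perm_chain "$tmp/machine.slice/scope/libvirt/emulator/cpuset.cpus" "$tmp"
  rm -rf "$tmp"
fi
```

Run with `sh script.sh demo` to see the constructed output; on the affected host, call `cgroup_perm_chain` on the exact cpuset.cpus path from the libvirt error while the migration is in flight, and compare the uid:gid column against the `user`/`group` values in qemu.conf.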