core: Avoid spurious realization of unit cgroups

Cgroups may be unnecessarily realized when they are not needed. This
happens, e.g. for mount units parsed from /proc/$PID/mountinfo, check

        touch /run/ns_mount
        unshare -n sh -c "mount --bind /proc/self/ns/net /run/ns_mount"
        # no cgroup exists
        file /sys/fs/cgroup/system.slice/run-ns_mount.mount
        systemctl daemon-reload
        # the vain cgroup exists
        file /sys/fs/cgroup/system.slice/run-ns_mount.mount

. (Such cgroups can account to a large number with many similar mounts.)

The code already accounts for "lazy" realization (see various checks for
Unit.cgroup_realized) but the unit_deserialize() in the reload/reexec
path performs unconditional realization.

Invalidate (and queue) the units for realization only if we know that
they were already realized in the past. This is a safe thing to do even
in the case the reload brings some new cgroup setting (controllers, BPF)
because units that aren't realized will use the updated setting when the
time for their realization comes. (It's not even needed to add a code
comment because the current formulation suggests the changed behavior.)

man/systemd-resolved.service.xml

@@ -138,13 +138,14 @@
 
       <listitem><para>Queries for the address records (A and AAAA) of single-label non-synthesized names are
       resolved via unicast DNS using search domains. For any interface which defines search domains, such
-      look-ups are routed to that interface, suffixed with each of the search domains defined on that
-      interface in turn. When global search domains are defined, such look-ups are routed to all interfaces,
-      suffixed by each of the global search domains in turn. Additionally, lookup of single-label names via
-      unicast DNS may be enabled with the <varname>ResolveUnicastSingleLabel=yes</varname> setting. The
-      details of which servers are queried and how the final reply is chosen are described below. Note that
-      this means that address queries for single-label names are never sent out to remote DNS servers by
-      default, and resoulution is only possible if search domains are defined.</para></listitem>
+      look-ups are routed to the servers defined for that interface, suffixed with each of those search
+      domains. When global search domains are defined, such look-ups are routed to the global servers. For
+      each search domain, queries are performed by suffixing the name with each of the search domains in
+      turn. Additionally, lookup of single-label names via unicast DNS may be enabled with the
+      <varname>ResolveUnicastSingleLabel=yes</varname> setting. The details of which servers are queried and
+      how the final reply is chosen are described below. Note that this means that address queries for
+      single-label names are never sent out to remote DNS servers by default, and resoulution is only
+      possible if search domains are defined.</para></listitem>
 
       <listitem><para>Multi-label names with the domain suffix <literal>.local</literal> are resolved using
       MulticastDNS on all local interfaces where MulticastDNS is enabled. As with LLMNR, IPv4 address lookups

src/core/unit-serialize.c

@@ -526,8 +526,10 @@ int unit_deserialize(Unit *u, FILE *f, FDSet *fds) {
         /* Let's make sure that everything that is deserialized also gets any potential new cgroup settings
          * applied after we are done. For that we invalidate anything already realized, so that we can
          * realize it again. */
+        if (u->cgroup_realized) {
                 unit_invalidate_cgroup(u, _CGROUP_MASK_ALL);
                 unit_invalidate_cgroup_bpf(u);
+        }
 
         return 0;
 }