When a user logs in to a server with systemd, the PAM logic executes pam_systemd.

With that module, the users are registered under the systemd control group. This is an example of two users (root and a normal user) logged in to a server:

# systemd-cgls
Control group /:
-.slice
├─user.slice
│ ├─user-0.slice
│ │ ├─session-5233.scope
│ │ │ ├─13309 sshd: root@pts/0
│ │ │ ├─13367 -bash
│ │ │ ├─13447 systemd-cgls
│ │ │ └─13448 pager
│ │ └─user@0.service
│ │   └─init.scope
│ │     ├─13312 /lib/systemd/systemd --user
│ │     └─13313 (sd-pam)
│ └─user-1000.slice
│   ├─session-5236.scope
│   │ ├─13385 sshd: user1 [priv]
│   │ ├─13443 sshd: user1@pts/1
│   │ └─13444 -bash
│   └─user@1000.service
│     └─init.scope
│       ├─13388 /lib/systemd/systemd --user
│       └─13389 (sd-pam)

But that behaviour was optional in Debian 8 (already with systemd), and in Debian 9 you have the option to disable it with pam-auth-update, and if you do, everything seems to work the same.

Why is that grouping of users under cgroups needed? What happens when it is disabled?

rfmoz

1 Answer

It's not really needed, but it allows an administrator to set per-user limits via cgroups. E.g. memory and CPU usage can be limited.

If cgroup isolation is disabled, you won't be able to set such limits.

rvs
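
An added example (not part of the question or the answer): it reads the text of /proc/<pid>/cgroup and reports whether a process sits in the user-UID.slice / session-N.scope layout shown in the systemd-cgls output, which is the grouping a per-user cgroup limit depends on. The function names and sample lines are constructed for illustration; the ssh.service sample assumes a login where pam_systemd did not run.

```python
import re

# Layout shown by systemd-cgls on the page:
# /user.slice/user-<UID>.slice/{session-<ID>.scope | user@<UID>.service/...}
USER_CGROUP = re.compile(
    r"^/user\.slice/user-(?P<uid>\d+)\.slice"
    r"(?:/(?:session-(?P<session>[^/]+)\.scope|(?P<manager>user@\d+\.service)))?"
    r"(?:/|$)"
)

def systemd_cgroup_path(proc_cgroup_text):
    """Return the cgroup path systemd tracks, from /proc/<pid>/cgroup text.

    cgroup v2 has one line "0::<path>"; cgroup v1 has one line per hierarchy
    and systemd's own hierarchy is the one named "name=systemd".
    """
    unified = None
    for line in proc_cgroup_text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # skip malformed or empty lines
        hier_id, controllers, path = parts
        if controllers == "name=systemd":
            return path
        if hier_id == "0" and controllers == "":
            unified = path
    return unified

def classify(proc_cgroup_text):
    """Map a process to (kind, uid, session_id) from its cgroup membership."""
    match = USER_CGROUP.match(systemd_cgroup_path(proc_cgroup_text) or "")
    if not match:
        # Not under any user-<UID>.slice: limits set on that slice miss it.
        return ("outside-user-slice", None, None)
    uid = int(match.group("uid"))
    if match.group("session"):
        return ("session", uid, match.group("session"))
    if match.group("manager"):
        return ("user-manager", uid, None)
    return ("user-slice", uid, None)

# Constructed samples (not captured from a real host).
V1_SESSION = "4:cpu,cpuacct:/\n1:name=systemd:/user.slice/user-1000.slice/session-5236.scope\n"
V2_MANAGER = "0::/user.slice/user-0.slice/user@0.service/init.scope\n"
NO_PAM_SYSTEMD = "0::/system.slice/ssh.service\n"  # assumed: shell left in sshd's cgroup

if __name__ == "__main__":
    for name, text in [("v1 session", V1_SESSION), ("v2 manager", V2_MANAGER),
                       ("no pam_systemd", NO_PAM_SYSTEMD)]:
        print(name, classify(text))
```

On a live host, pass the contents of /proc/<pid>/cgroup for the process you want to check.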