diff --git a/compute/compute-node.Dockerfile b/compute/compute-node.Dockerfile
index 730fb21bf4..92270f9a73 100644
--- a/compute/compute-node.Dockerfile
+++ b/compute/compute-node.Dockerfile
@@ -2043,7 +2043,9 @@ RUN systemctl enable \
 postgres_exporter sql_exporter sql_exporter-autoscaling \
 local_proxy \
 compute_ctl \
- chown-pgdata
+ chown-pgdata \
+ make-cgroup-procs-writable \
+ load-cgconfig.service
 ENTRYPOINT ["/sbin/init"]
diff --git a/compute/etc/systemd/system/load-cgconfig.service b/compute/etc/systemd/system/load-cgconfig.service
new file mode 100644
index 0000000000..70c611c66e
--- /dev/null
+++ b/compute/etc/systemd/system/load-cgconfig.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Create neonvm-postgres cgroup
+
+[Service]
+Type=oneshot
+ExecStart=cgconfigparser -l /etc/cgconfig.conf
+RemainAfterExit=yes
+
+[Install]
+WantedBy=compute_ctl.service
diff --git a/compute/etc/systemd/system/make-cgroup-procs-writable.service b/compute/etc/systemd/system/make-cgroup-procs-writable.service
new file mode 100644
index 0000000000..ab79f7c271
--- /dev/null
+++ b/compute/etc/systemd/system/make-cgroup-procs-writable.service
@@ -0,0 +1,20 @@
+# Allow all users to move processes to/from the root cgroup.
+#
+# This is required in order to be able to 'cgexec' anything, if the entrypoint is not being run as
+# root, because moving tasks between one cgroup and another *requires write access to the
+# cgroup.procs file of the common ancestor*, and because the entrypoint isn't already in a cgroup,
+# any new tasks are automatically placed in the top-level cgroup.
+#
+# This *would* be bad for security, if we relied on cgroups for security; but instead because they
+# are just used for cooperative signaling, this should be mostly ok.
+
+[Unit]
+Description=Allow all users to move processes to/from the root cgroup.
+
+[Service]
+Type=oneshot
+ExecStart=chmod go+w /sys/fs/cgroup/cgroup.procs
+RemainAfterExit=yes
+
+[Install]
+WantedBy=compute_ctl.service
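Review bot: The two new entries in the `systemctl enable` list are written inconsistently, `make-cgroup-procs-writable \` without a suffix and `load-cgconfig.service` with one, which makes it look as if they are different kinds of unit. Since every other entry in the list is a bare unit name, I would write `make-cgroup-procs-writable \` followed by `load-cgconfig` so the list stays uniform. The `RUN systemctl enable \` command begins before this hunk, so I cannot see whether earlier entries already mix both forms.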
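Review bot: `WantedBy=compute_ctl.service` only makes compute_ctl pull this unit in; it gives no ordering, so systemd may start compute_ctl in parallel with, or before, `cgconfigparser -l /etc/cgconfig.conf` has created the cgroup. Add `Before=compute_ctl.service` to the `[Unit]` section so the oneshot completes first; the same ordering gap exists in make-cgroup-procs-writable.service and is worth fixing there in the same way. Because the relationship is a Wants= rather than a Requires=, a failing cgconfigparser is also silently non-fatal for compute_ctl, which may be intended but deserves a one-line comment stating so. `/etc/cgconfig.conf` is not part of this diff, so I am assuming it is already shipped in the image.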
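Review bot: `ExecStart=chmod go+w /sys/fs/cgroup/cgroup.procs` makes the root cgroup.procs world-writable, so any unprivileged process in the container, not only the entrypoint, can migrate processes across the hierarchy and thereby detach them from whatever limits the neonvm-postgres cgroup applies; the header comment accepts this for the cooperative-signalling use, but the grant is broader than the stated need. A narrower form that still satisfies the common-ancestor rule is to give the file to a dedicated group and grant group write only, e.g. `ExecStart=chgrp <CGROUP_USERS_GROUP_PLACEHOLDER> /sys/fs/cgroup/cgroup.procs` followed by `ExecStart=chmod g+w /sys/fs/cgroup/cgroup.procs` (Type=oneshot permits several ExecStart lines), with compute_ctl's user in that group. The comment's premise that "the entrypoint isn't already in a cgroup" may not hold when compute_ctl runs as a systemd service, where it lands in its own service cgroup; if that is the case, `Delegate=` on compute_ctl.service would delegate a subtree without touching the root file, which is worth confirming against that unit. As with load-cgconfig.service, the unit lacks `Before=compute_ctl.service`, so the chmod is not guaranteed to have run before compute_ctl starts.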