meta data for this page
  •  

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
linux:lxc:issues:unified_cgroups [2021/04/25 12:06] – created niziaklinux:lxc:issues:unified_cgroups [2021/04/25 20:14] (current) niziak
Line 3: Line 3:
 Problem introduced with change from systemd 241 to 247. Problem introduced with change from systemd 241 to 247.
 Main change is to drop CGroup V1 support and switch by default to ''unified'' CGroup V2. Main change is to drop CGroup V1 support and switch by default to ''unified'' CGroup V2.
 +  * Previous v241 was built with ''-Ddefault-hierarchy=hybrid''
 +  * Current v247 is built with ''-Ddefault-hierarchy=unified''
  
 +<code bash>
 +$ systemctl --version
 +systemd 247 (247.3-1~bpo10+1)
 ++PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified
 +</code>
  
 Lots of issues are reported, and lots of containerization software needs to be upgraded: Lots of issues are reported, and lots of containerization software needs to be upgraded:
-  * docker (CGroup V2 supported since v20.10)+  * Docker (CGroup V2 supported since v20.10)
   * kubernetes   * kubernetes
-  * lxcs+  * LXC 
 +  * libpam_cgfs cannot be used with pure ''unified'' systems 
 + 
 +Resources: 
 +  * [[https://lwn.net/Articles/716454/|systemd 233]] 
 +  * [[https://medium.com/nttlabs/cgroup-v2-596d035be4d7|The current adoption status of cgroup v2 in containers]] 
 +  * [[https://github.com/lxc/lxc/issues/3221|Unable to start an unprivileged container on fresh install of Fedora 31]] 
 +  * [[https://github.com/lxc/lxc/issues/3183|Fails to work with cgroupv2 / unified hierarchy #3183]]
  
 ===== Workaround ===== ===== Workaround =====
  
-''systemd.unified_cgroup_hierarchy=1''+==== Switch systemd to hybrid hierarchy ==== 
 + 
 +Add kernel boot commandline argument: ''systemd.unified_cgroup_hierarchy=0'' 
 + 
 +<code bash> 
 +echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT systemd.unified_cgroup_hierarchy=false"' > /etc/default/grub.d/cgroup.cfg 
 +</code> 
 + 
 +More info: 
 +  * **systemd.unified_cgroup_hierarchy** 
 +    *  When specified without an argument or with a true argument, enables the usage of unified cgroup hierarchy (a.k.a. cgroups-v2). When specified with a false argument, fall back to hybrid or full legacy cgroup hierarchy. If this option is not specified, the default behaviour is determined during compilation (the -Ddefault-hierarchy= meson option). If the kernel does not support unified cgroup hierarchy, the legacy hierarchy will be used even if this option is specified. 
 + 
 +==== Delegate a cgroup in advance ==== 
 + 
 +From: [[https://linuxcontainers.org/lxc/getting-started/]] 
 + 
 +Running unprivileged containers as an unprivileged user only works if you delegate a cgroup in advance (the cgroup2 delegation model enforces this restriction, not liblxc). Use the following systemd command to delegate the cgroup: 
 + 
 +<code bash> 
 +systemd-run --unit=myshell --user --scope -p "Delegate=yes" lxc-start <container-name>  
 +</code>