Unified CGroups

Problem introduced with change from systemd 241 to 247. Previous v241 was built with -Ddefault-hierarchy=hybrid and current v247 is built with -Ddefault-hierarchy=unified Main change is to drop CGroup V1 support and switch by default to unified CGroup V2.

Lots of issues are reported, and lots of containerization software needs to be upgraded:

• Docker (CGroup V2 supported since v20.10)
• kubernetes
• LXC
• libpam_cgfs cannot be used with pure unified systems

Resources:

• The current adoption status of cgroup v2 in containers
• Unable to start an unprivileged container on fresh install of Fedora 31

Add kernel boot commandline argument: systemd.unified_cgroup_hierarchy=0 More info:

• systemd.unified_cgroup_hierarchy
  • When specified without an argument or with a true argument, enables the usage of unified cgroup hierarchy (a.k.a. cgroups-v2). When specified with a false argument, fall back to hybrid or full legacy cgroup hierarchy. If this option is not specified, the default behaviour is determined during compilation (the -Ddefault-hierarchy= meson option). If the kernel does not support unified cgroup hierarchy, the legacy hierarchy will be used even if this option is specified.

From: https://linuxcontainers.org/lxc/getting-started/

Running unprivileged containers as an unprivileged user only works if you delegate a cgroup in advance (the cgroup2 delegation model enforces this restriction, not liblxc). Use the following systemd command to delegate the cgroup:

systemd-run --unit=myshell --user --scope -p "Delegate=yes" lxc-start <container-name>