Bug#943981: Proposal: Switch to cgroupv2 by default
Michael Biebl
biebl at debian.org
Wed Apr 22 16:28:48 BST 2020
Am 22.04.20 um 03:25 schrieb Ryutaroh Matsumoto:
>> It's a bit unfortunate, that when you boot your system with the unified
>> hierarchy, you need to explicitly configure
>> "lxc.init.cmd = /sbin/init systemd.unified_cgroup_hierarchy=1" or hope
>> the host systemd instance has been built with unified hierarchy as default.
>> That means, once we flip the default in unstable/testing, creating and
>> running a buster container will require
>> "lxc.init.cmd = /sbin/init systemd.unified_cgroup_hierarchy=1"
>
> Alternatively, we can also use "lxc.mount.auto = cgroup:rw:force".
> The default is "cgroup:mixed". This trick was told in the upstream:
> https://github.com/lxc/lxc/issues/3183#issuecomment-560163709
> (this github issue was opened by you).
>
> By reading lxc.container.conf(5) man page, "cgroup:rw" seemed
> insecure to me on hosts with the hybrid hierarchy.
> But, comparison of /proc/mounts in containers
> with "cgroup:rw:force" and "cgroup:mixed" on the hybrid hierarchy
> on the host Linux, the effects of "cgroup:rw:force" and "cgroup:mixed"
> look the same (*),
> while "cgroup:rw:force" is more friendly on host with the unified hierarchy.
>
> (*) Is it really correct??
>
> One way to sort out the situation is that changing the line
> lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
> to
> lxc.mount.auto = cgroup:rw:force proc:mixed sys:mixed
> in /usr/share/lxc/config/common.conf.
>
> Then we almost achieve
>> Would be nice if lxc could do that automatically.
>
> We could send a wishlist but report to the Debian lxc package,
> as it still lives in the experimental.
> We can do some experiment now...
Yeah, I think it would make sense to loop in the lxc maintainers.
Dear lxc maintainers, please see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943981#48
Your input on how to make this transition as smooth as possible would be
most welcome. Especially how we can cover usage scenarios where the host
system is booted with unified hierarchy but the guest system is running
older systemd versions which still default to hybrid.
Regards,
Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20200422/9e1d177a/attachment-0001.sig>
More information about the Pkg-systemd-maintainers
mailing list