====== Unified CGroups ======
The problem appeared with the change from systemd 241 to 247.
The main change is that the CGroup V1 (hybrid) default is dropped and systemd switches by default to the ''unified'' CGroup V2 hierarchy.
* Previous v241 was built with ''-Ddefault-hierarchy=hybrid''
* Current v247 is built with ''-Ddefault-hierarchy=unified''
<code bash>
$ systemctl --version
systemd 247 (247.3-1~bpo10+1)
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified
</code>
Many issues have been reported, and much containerization software needs to be upgraded:
* Docker (CGroup V2 supported since v20.10)
* kubernetes
* LXC
* libpam_cgfs cannot be used with pure ''unified'' systems
Resources:
* [[https://lwn.net/Articles/716454/|systemd 233]]
* [[https://medium.com/nttlabs/cgroup-v2-596d035be4d7|The current adoption status of cgroup v2 in containers]]
* [[https://github.com/lxc/lxc/issues/3221|Unable to start an unprivileged container on fresh install of Fedora 31]]
* [[https://github.com/lxc/lxc/issues/3183|Fails to work with cgroupv2 / unified hierarchy #3183]]
===== Workaround =====
==== Switch systemd to hybrid hierarchy ====
Add the kernel boot command line argument ''systemd.unified_cgroup_hierarchy=0'' (''false'' is accepted as well). On Debian this can be done with a grub.d drop-in:
<code bash>
echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT systemd.unified_cgroup_hierarchy=false"' > /etc/default/grub.d/cgroup.cfg
# the single quotes keep $GRUB_CMDLINE_LINUX_DEFAULT literal; the file is sourced by grub-mkconfig
# run update-grub and reboot for the new command line to take effect
</code>
More info:
* **systemd.unified_cgroup_hierarchy**
  * When specified without an argument or with a true argument, enables the usage of unified cgroup hierarchy (a.k.a. cgroups-v2). When specified with a false argument, fall back to hybrid or full legacy cgroup hierarchy. If this option is not specified, the default behaviour is determined during compilation (the -Ddefault-hierarchy= meson option). If the kernel does not support unified cgroup hierarchy, the legacy hierarchy will be used even if this option is specified.
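To verify which hierarchy a host actually runs after the workaround, and what its kernel command line asks systemd for, here is an added check script (not part of the original page or of systemd). It reads ''/proc/mounts'' and ''/proc/cmdline''-style text from stdin; the sample mount lines embedded below are constructed, not captured from a real host.

```shell
#!/bin/sh
# Classify /proc/mounts-style lines as "unified", "hybrid", "legacy" or "none":
# cgroup2 mounted directly on /sys/fs/cgroup means unified; cgroup2 only under
# /sys/fs/cgroup/unified next to v1 controllers means hybrid; v1 only is legacy.
cgroup_mode() {
  awk '
    $3 == "cgroup2" && $2 == "/sys/fs/cgroup"         { unified = 1 }
    $3 == "cgroup2" && $2 == "/sys/fs/cgroup/unified" { hybrid  = 1 }
    $3 == "cgroup"                                     { legacy  = 1 }
    END {
      if (unified)     print "unified"
      else if (hybrid) print "hybrid"
      else if (legacy) print "legacy"
      else             print "none"
    }'
}

# Report what systemd.unified_cgroup_hierarchy on the kernel command line
# requests: "unified", "hybrid", or "default" (option absent, so the compiled-in
# -Ddefault-hierarchy= value applies). A bare option counts as true; the last
# occurrence wins.
cmdline_hierarchy() {
  tr ' ' '\n' | awk -F= '
    $1 == "systemd.unified_cgroup_hierarchy" {
      v = tolower($2)
      if (v == "" || v ~ /^(1|y|yes|t|true|on)$/) r = "unified"
      else if (v ~ /^(0|n|no|f|false|off)$/)      r = "hybrid"
    }
    END { if (r == "") r = "default"; print r }'
}

# Constructed samples (not captured from a real host).
SAMPLE_UNIFIED='cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate 0 0'
SAMPLE_HYBRID='tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,xattr,name=systemd 0 0'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro systemd.unified_cgroup_hierarchy=false'

if [ "${1:-}" = "--self" ]; then
  # inspect the running host instead of the samples
  cgroup_mode < /proc/mounts
  cmdline_hierarchy < /proc/cmdline
else
  printf '%s\n' "$SAMPLE_UNIFIED" | cgroup_mode         # unified
  printf '%s\n' "$SAMPLE_HYBRID"  | cgroup_mode         # hybrid
  printf '%s\n' "$SAMPLE_CMDLINE" | cmdline_hierarchy   # hybrid
fi
```

Run it with ''--self'' on a host to confirm that the grub.d drop-in took effect: the command line should report ''hybrid'' and the mounts should no longer report ''unified''.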
==== Delegate a cgroup in advance ====
From: [[https://linuxcontainers.org/lxc/getting-started/]]
Running unprivileged containers as an unprivileged user only works if you delegate a cgroup in advance (the cgroup2 delegation model enforces this restriction, not liblxc). Use the following systemd command to delegate the cgroup:
<code bash>
systemd-run --unit=myshell --user --scope -p "Delegate=yes" lxc-start
</code>