Unified CGroups
The problem was introduced with the change from systemd 241 to 247.
The main change is to drop CGroup V1 support and switch by default to unified CGroup V2.
- Previous v241 was built with -Ddefault-hierarchy=hybrid
- Current v247 is built with -Ddefault-hierarchy=unified
$ systemctl --version
systemd 247 (247.3-1~bpo10+1)
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified
Lots of issues are reported, and lots of containerization software needs to be upgraded:
- Docker (CGroup V2 supported since v20.10)
- Kubernetes
- LXC
- libpam_cgfs cannot be used with pure unified systems
Resources:
Workaround
Switch systemd to hybrid hierarchy
Add the kernel boot command-line argument systemd.unified_cgroup_hierarchy=0 (the command below writes the equivalent value false):
echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT systemd.unified_cgroup_hierarchy=false"' > /etc/default/grub.d/cgroup.cfg
More info:
- systemd.unified_cgroup_hierarchy
- When specified without an argument or with a true argument, enables the usage of unified cgroup hierarchy (a.k.a. cgroups-v2). When specified with a false argument, fall back to hybrid or full legacy cgroup hierarchy. If this option is not specified, the default behaviour is determined during compilation (the -Ddefault-hierarchy= meson option). If the kernel does not support unified cgroup hierarchy, the legacy hierarchy will be used even if this option is specified.
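To confirm which hierarchy a host actually booted with, the following check (an added example, not part of the original page) classifies the mounted cgroup layout and the boot-time override. It uses the statfs-based detection described in systemd's cgroup delegation documentation; the function names are hypothetical, and it assumes the last occurrence of the parameter on the command line wins.

```shell
#!/bin/sh
# Added example: report the active cgroup hierarchy and the kernel
# command-line override discussed above. Function names are hypothetical.

# cgroup_mode ROOT_FSTYPE UNIFIED_FSTYPE
# Arguments are filesystem type names as printed by `stat -fc %T` for
# /sys/fs/cgroup and /sys/fs/cgroup/unified.
cgroup_mode() {
    case "$1" in
        cgroup2fs) echo unified ;;   # cgroup2 mounted directly on /sys/fs/cgroup
        tmpfs)                       # v1 layout: tmpfs holding per-controller mounts
            if [ "$2" = cgroup2fs ]; then echo hybrid; else echo legacy; fi ;;
        *) echo unknown ;;
    esac
}

# cmdline_override "KERNEL COMMAND LINE"
# Prints unified, hybrid-or-legacy, invalid or unset.
# Assumption: the last occurrence wins; only lowercase booleans are matched.
cmdline_override() {
    result=unset
    set -f                           # no glob expansion while word-splitting
    for word in $1; do
        case "$word" in
            systemd.unified_cgroup_hierarchy) result=unified ;;
            systemd.unified_cgroup_hierarchy=*)
                case "${word#*=}" in
                    1|yes|y|true|t|on)  result=unified ;;
                    0|no|n|false|f|off) result=hybrid-or-legacy ;;
                    *)                  result=invalid ;;
                esac ;;
        esac
    done
    set +f
    echo "$result"
}

# Filesystem type of a path, or "none" if it does not exist.
fstype() { stat -fc %T "$1" 2>/dev/null || echo none; }

report() {
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    echo "active hierarchy: $(cgroup_mode "$(fstype /sys/fs/cgroup)" "$(fstype /sys/fs/cgroup/unified)")"
    echo "boot override:    $(cmdline_override "$cmdline")"
}
report
```

The file under /etc/default/grub.d only takes effect once the GRUB configuration has been regenerated (`update-grub` on Debian) and the host rebooted, so run the check after the reboot. With the workaround active, the expected report is hybrid (or legacy) with a hybrid-or-legacy override.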
Delegate a cgroup in advance
From: https://linuxcontainers.org/lxc/getting-started/
Running unprivileged containers as an unprivileged user only works if you delegate a cgroup in advance (the cgroup2 delegation model enforces this restriction, not liblxc). Use the following systemd command to delegate the cgroup:
systemd-run --unit=myshell --user --scope -p "Delegate=yes" lxc-start <container-name>