Cgroup2 allow/deny devices doesn't work

Hello,

I have a Linux distro (with LXC 4.0.2) that uses “hybrid” mode for cgroups by default and I want to switch it to “unified” mode.
I added systemd.unified_cgroup_hierarchy=1 to the kernel’s command line and lxc.init.cmd = /sbin/init systemd.unified_cgroup_hierarchy=1 to the container’s config file.

It works fine except for the cgroup device policy, which just doesn't seem to do anything.
E.g.:

lxc.cgroup2.devices.deny = c 1:5 r

should prevent reading from /dev/zero, right? But it’s still possible.

There’s also a message when starting containers which I guess has something to do with the device policy:

cgroups/cgroup2_devices.c: bpf_program_load_kernel: 332 Operation not permitted - Failed to load bpf program

I’ve figured this out: /usr/share/lxc/config/common.conf was still using cgroup1 policies:

# CGroup whitelist
lxc.cgroup.devices.deny = a
## Allow any mknod (but not reading/writing the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
## Allow specific devices
### /dev/null
lxc.cgroup.devices.allow = c 1:3 rwm
### /dev/zero
lxc.cgroup.devices.allow = c 1:5 rwm
### /dev/full
lxc.cgroup.devices.allow = c 1:7 rwm
### /dev/tty
lxc.cgroup.devices.allow = c 5:0 rwm
### /dev/console
lxc.cgroup.devices.allow = c 5:1 rwm
### /dev/ptmx
lxc.cgroup.devices.allow = c 5:2 rwm
### /dev/random
lxc.cgroup.devices.allow = c 1:8 rwm
### /dev/urandom
lxc.cgroup.devices.allow = c 1:9 rwm
### /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rwm
### fuse
lxc.cgroup.devices.allow = c 10:229 rwm

I added a new config file, /usr/share/lxc/config/common.conf.d/99-cgroup2.conf, with all of the common.conf device policies changed to cgroup2, and now it works fine.
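As an added example (not from the post above and not part of the LXC project), here is a POSIX shell script that does the conversion the poster describes: it reads the cgroup1 `lxc.cgroup.devices.*` lines from common.conf, rewrites them to `lxc.cgroup2.devices.*`, writes them to the 99-cgroup2.conf drop-in, and offers a check of the host's cgroup mode and a check from inside a container that a read of /dev/zero is actually denied. The file paths are the LXC defaults named in the post; the function names, the `cgroup2fs` filesystem-type check via GNU `stat`, and the `dd` probe are this example's own assumptions.

```shell
#!/bin/sh
# Added example: not the forum poster's code and not LXC's own tooling.
# Converts cgroup1 device-policy lines to their cgroup2 key names and
# helps verify that the resulting policy is really enforced.

# Read an LXC config on stdin and emit only the device-policy lines,
# with the key prefix changed from lxc.cgroup.devices. to
# lxc.cgroup2.devices. (the change the poster reported as the fix).
# Comments, blank lines and unrelated keys are dropped.
convert_devices_policy() {
  grep -E '^lxc\.cgroup\.devices\.(allow|deny)[[:space:]]*=' \
    | sed 's/^lxc\.cgroup\.devices\./lxc.cgroup2.devices./'
}

# Generate the drop-in the way the poster did. Defaults are LXC's usual
# install paths (assumption); override both arguments for other layouts.
write_cgroup2_dropin() {
  src=${1:-/usr/share/lxc/config/common.conf}
  dst=${2:-/usr/share/lxc/config/common.conf.d/99-cgroup2.conf}
  mkdir -p "$(dirname "$dst")" || return 1
  convert_devices_policy < "$src" > "$dst"
}

# Report which hierarchy is mounted at a cgroup mount point (default
# /sys/fs/cgroup). GNU stat reports cgroup2fs for the unified hierarchy
# and tmpfs for the legacy/hybrid per-controller layout (assumption:
# GNU coreutils stat is available). Always exits 0 so it can be used in
# command substitution under set -e.
cgroup_mode() {
  fstype=$(stat -fc %T "${1:-/sys/fs/cgroup}" 2>/dev/null) || fstype=missing
  case "$fstype" in
    cgroup2fs) echo unified ;;
    tmpfs)     echo hybrid-or-legacy ;;
    *)         echo unknown ;;
  esac
  return 0
}

# Run INSIDE the container after it has started with
#   lxc.cgroup2.devices.deny = c 1:5 r
# in effect. A one-byte read of /dev/zero (char 1:5) must fail; if it
# succeeds, the device policy was not applied.
check_zero_denied() {
  if dd if=/dev/zero of=/dev/null bs=1 count=1 2>/dev/null; then
    echo "read from /dev/zero succeeded: device policy NOT applied"
    return 1
  fi
  echo "read from /dev/zero denied: device policy applied"
  return 0
}

# Small command dispatcher; sourcing the file with no arguments does nothing.
case "${1:-}" in
  convert) write_cgroup2_dropin "$2" "$3" ;;
  mode)    cgroup_mode "$2" ;;
  check)   check_zero_denied ;;
esac
```

Typical use on the host: `sh cgroup2-devices.sh mode` should print `unified` once `systemd.unified_cgroup_hierarchy=1` is in effect, then `sh cgroup2-devices.sh convert` writes the drop-in; after restarting the container, `sh cgroup2-devices.sh check` inside it confirms the deny rule is enforced rather than silently ignored.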