CGroups v2 Adoption

Hi guys.

Just checking whether future LXD releases (>3.18) will support, or intend to support, cgroup v2?

For those having problems running LXD containers due to the distro's default adoption of cgroups v2, set systemd.unified_cgroup_hierarchy=0 in the kernelopts variable in the grub2 file.

Further Reading:

  1. Docker package no longer available and will not run by default (due to switch to cgroups v2)
  2. The current adoption status of cgroup v2 in containers

Last I checked, LXD would work just fine on CGroupV2, though you wouldn’t be able to apply any of the usual cpu/memory/process limits to your containers.

Oh, that’s weird.
The container won't even start, including those that have no cpu/memory/process limits applied.

When I issue the command lxc start container, lxc list still shows "STATE: STOPPED". No error messages are displayed.

That usually suggests that the container started properly but that its init system then died.
This could happen if the init system in the container doesn’t understand cgroupv2.

lxc console --show-log NAME may help

Yes, it "Failed to mount API filesystems." during init. It affects all my containers, which have the default setup with disk device mounts for transferring files between host and containers.

[Screenshot from 2019-11-06 17:32:46]

What container image is that?

I would have expected modern systemd to notice that this is a cgroupv2 system and do the right thing, but apparently that particular systemd doesn’t do that.

Ubuntu 19.10 amd64 upgraded from base image 19.04.

@brauner shouldn’t systemd in a container notice that the host is on cgroupv2 only?

Both LXD and LXC are very happy to work with cgroup2.
systemd will not necessarily detect it automatically, so you need to set:

lxc config set <container-name> raw.lxc 'lxc.init.cmd = /sbin/init systemd.unified_cgroup_hierarchy'

However… this won’t be enough because of an AppArmor bug I reported almost two years ago:
https://bugs.launchpad.net/apparmor/+bug/1732725
Your kernel should report various AppArmor denials for the cgroup2 filesystem. So to get this to work you need to disable AppArmor for unpriv containers. You need the following section in your container's config:

raw.lxc: |-
  lxc.init.cmd = /sbin/init systemd.unified_cgroup_hierarchy
  lxc.apparmor.profile = unconfined
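As an added example (not code from this thread, from LXD or from its authors), the following POSIX shell script ties together the checks and settings discussed above: it classifies the host's cgroup layout, recognises the grub-side opt-out from the first post on a kernel command line, counts AppArmor mount denials for cgroup2 in a kernel log, and prints or applies the raw.lxc workaround from the post above. The function names, the command-line flags and the sample log line are my own; the log line is constructed in the shape of an AppArmor mount denial and is not a capture from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from LXD.  Function names,
# flags and the sample log line below are assumptions for illustration.
set -eu

# Classify the cgroup layout.  $1 is the filesystem type of /sys/fs/cgroup
# as printed by `stat -fc %T`; $2 is "yes" when /sys/fs/cgroup/unified is a
# mountpoint (systemd's hybrid layout) and "no" otherwise.
cgroup_layout() {
  case "$1" in
    cgroup2fs) echo unified ;;
    tmpfs)
      if [ "$2" = yes ]; then echo hybrid; else echo legacy; fi ;;
    *) echo unknown ;;
  esac
}

# Read the live host state and classify it with cgroup_layout.
detect_host_layout() {
  fstype=$(stat -fc %T /sys/fs/cgroup 2>/dev/null || echo unknown)
  unified=no
  if mountpoint -q /sys/fs/cgroup/unified 2>/dev/null; then unified=yes; fi
  cgroup_layout "$fstype" "$unified"
}

# Return 0 when a kernel command line ($1, e.g. the contents of /proc/cmdline)
# carries the grub-side opt-out from the first post, 1 otherwise.
cmdline_forces_v1() {
  case " $1 " in
    *" systemd.unified_cgroup_hierarchy=0 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Count AppArmor denials that mention the cgroup2 filesystem in a log file
# ($1: path to a file of dmesg/journal lines).  grep -c prints 0 and exits
# non-zero when nothing matches, hence the `|| true` under set -e.
count_cgroup2_denials() {
  grep -c 'apparmor="DENIED".*fstype="cgroup2"' "$1" || true
}

# The raw.lxc value from the post above.  The second line drops AppArmor
# confinement for the container entirely, so this is a trade-off, not a fix.
workaround_raw_lxc() {
  printf '%s\n%s\n' \
    'lxc.init.cmd = /sbin/init systemd.unified_cgroup_hierarchy' \
    'lxc.apparmor.profile = unconfined'
}

# Apply the workaround to one container (needs the lxc client; $1 is the name).
apply_workaround() {
  lxc config set "$1" raw.lxc "$(workaround_raw_lxc)"
}

# Constructed sample log: one cgroup2 mount denial and one unrelated tmpfs
# denial, in the layout of AppArmor audit messages.  Not a real capture.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
audit: type=1400 audit(1573057966.123:45): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxd-c1_</var/lib/lxd>" name="/sys/fs/cgroup/" pid=1234 comm="systemd" fstype="cgroup2" srcname="cgroup2" flags="rw, nosuid, nodev, noexec"
audit: type=1400 audit(1573057966.124:46): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxd-c1_</var/lib/lxd>" name="/dev/" pid=1234 comm="systemd" fstype="tmpfs" srcname="tmpfs" flags="rw, nosuid"
EOF

# Usage: ./cgroup2-check.sh --detect | --denials [logfile] | --apply NAME
case "${1:-}" in
  --detect)  detect_host_layout ;;
  --denials) count_cgroup2_denials "${2:-$SAMPLE_LOG}" ;;
  --apply)   apply_workaround "${2:?container name required}" ;;
  *) ;;  # no arguments: only define the functions, so the file can be sourced
esac
```

Run `--detect` on the host first: on a unified host, `lxc console --show-log NAME` after a failed start should show the "Failed to mount API filesystems." message, and `dmesg | ./cgroup2-check.sh --denials /dev/stdin` will be non-zero when the AppArmor bug from the post is in play. Only then is `--apply` worth the loss of confinement; the grub opt-out from the first post keeps AppArmor intact and is the safer choice where cpu/memory limits are needed.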

Yeah, it works. However I will stick to v1 for now as some of the containers have cpu limits.
Any idea, when cpu/memory/process limits will be made available for cgroups v2?