CGroups v2 Adoption

abcdef · November 4, 2019, 3:48am

Hi guys.

Just to check if LXD future version releases (>3.18) will/intends to support CGroup v2?

For those guys having problem running LXD containers due to default adoption of CGroups v2 in the distro, set systemd.unified_cgroup_hierarchy=0 on kernelopts variable in the grub2 file.

Further Reading:

stgraber · November 4, 2019, 4:34am

Last I checked, LXD would work just fine on CGroupV2, though you wouldn’t be able to apply any of the usual cpu/memory/process limits to your containers.

abcdef · November 4, 2019, 6:25am

Oh, that’s weird.
The container won’t even start on those that has no cpu/memory/process limits applied to it.

When I issue command lxc start container, lxc list still shows “STATE: STOPPED”. No error messages displayed.

stgraber · November 5, 2019, 3:45am

That usually suggests that the container started properly but that its init system then died.
This could happen if the init system in the container doesn’t understand cgroupv2.

lxc console --show-log NAME may help

abcdef · November 6, 2019, 10:54am

Yes, it “Failed to mount API filesystems.” during init time. Affects all my containers, with default setup which has disk device mounts in order to transfer files between host and containers.

Screenshot%20from%202019-11-06%2017-32-46

stgraber · November 7, 2019, 3:24am

What container image is that?

I would have expected modern systemd to notice that this is a cgroupv2 system and do the right thing, but apparently that particular systemd doesn’t do that.

abcdef · November 7, 2019, 3:45am

Ubuntu 19.10 amd64 upgraded from base image 19.04.

stgraber · November 7, 2019, 9:31pm

@brauner shouldn’t systemd in a container notice that the host is on cgroupv2 only?

brauner · November 8, 2019, 9:04am

Both LXD and LXC are very happy to work with cgroup2.
systemd will not necessarily automatically detect it so you need to set:

lxc config set <container-name> raw.lxc 'lxc.init.cmd = /sbin/init systemd.unified_cgroup_hierarchy'

However… this won’t be enough because of an AppArmor bug I reported almost two years ago:
https://bugs.launchpad.net/apparmor/+bug/1732725
Your kernel should report various AppArmor denials for group2 filesystem. So to get this to work you need to disable AppArmor for unpriv containers. You need the following section in your container’s config:

raw.lxc: |-
  lxc.init.cmd = /sbin/init systemd.unified_cgroup_hierarchy
  lxc.apparmor.profile = unconfined

abcdef · November 13, 2019, 6:29am

Yeah, it works. However I will stick to v1 for now as some of the containers has cpu limits.
Any idea, when cpu/memory/process limits will be made available for cgroups v2?

brauner · December 9, 2019, 3:30pm

Note that cgroup2 support has been completely reworked in current liblxc master and will soon come to the snap too.

ganto · February 14, 2020, 2:17am

@brauner Does the reworked liblxc cgroup2 support has something to do with it being broken with LXD 3.20?

It seems that the work-around with the lxc.init.cmd that you mentioned above doesn’t work anymore. See e.g. ganto/copr-lxc3: #21 - LXD 3.20 Upgrade Containers Stopped Working

brauner · February 14, 2020, 9:42am

Answered on the other thread.