No devices cgroup in cgroup2

Hi all,

cgroup2 does not implement a device cgroup controller any more. I’m wondering what the practical implications of this are since Ubuntu 22.04 defaults to the unified hierarchy.

  • Can a privileged container do whatever it wants with device nodes in cgroup2?
  • On cgroupv1, do I get full device node access from a privileged container if I don’t compile the devices cgroup controller into the kernel?
  • What happens if I have some “lxc.cgroup.devices.allow” stanzas inside LXD profiles? They don’t seem to hurt, I only got into trouble once I tried running LXD 3 containers within LXD 4 containers…

I’m doing a funny migration from Ubuntu 18.04 (LXD 3 .deb) to 22.04 (LXD 4 homegrown .deb) with a slightly dated 4.9 kernel.

Thanks!
Christoph

Hi,
The cgroup2 device controller is implemented in BPF. (Control Group v2 — The Linux Kernel documentation)
It can be configured in LXC in the same way as cgroup1; LXC internally converts the configuration for cgroup2.
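As an added illustration (not code from this thread, from LXC or from the kernel) of what a `lxc.cgroup.devices.allow` / `lxc.cgroup.devices.deny` stanza actually grants, independent of which hierarchy enforces it: a small Python model of the stanza syntax `<type> <major>:<minor> <access>` and of the cgroup v1 devices-controller evaluation semantics as implemented in the kernel's security/device_cgroup.c (a default behaviour plus an exception list; a bare `a` rule resets both). This is the rule set the reply above says LXC converts into a BPF program on cgroup2 hosts; the model also accepts the `lxc.cgroup2.devices.*` key prefix. The sample config is constructed for the example, using the standard Linux device numbers (1:3 is /dev/null, 136:* the pts devices, and so on). The model ignores the cgroup hierarchy (a child may not allow more than its parent) and the kernel's wildcard handling for the requesting side of an mknod check.

```python
"""Model of device-cgroup rule evaluation (added example, not LXC or kernel code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ACCESS_BITS = {"r", "w", "m"}


@dataclass
class DevException:
    dtype: str            # "b" (block) or "c" (char)
    major: Optional[int]  # None stands for "*"
    minor: Optional[int]
    access: Set[str]      # subset of ACCESS_BITS


@dataclass
class DevPolicy:
    default_allow: bool = True                 # devices.allow = a  (kernel default)
    exceptions: List[DevException] = field(default_factory=list)


def parse_stanza(value: str) -> Tuple[str, Optional[int], Optional[int], Set[str]]:
    """Parse '<type> <major>:<minor> <access>'; a leading 'a' means 'all devices'."""
    parts = value.split()
    if not parts or parts[0] not in ("a", "b", "c"):
        raise ValueError(f"bad devices stanza: {value!r}")
    if parts[0] == "a":                        # kernel ignores the rest of an 'a' rule
        return "a", None, None, set(ACCESS_BITS)
    if len(parts) != 3:
        raise ValueError(f"bad devices stanza: {value!r}")
    dtype, dev, access = parts
    major_s, _, minor_s = dev.partition(":")
    num = lambda s: None if s == "*" else int(s)
    acc = set(access)
    if not acc or not acc <= ACCESS_BITS:
        raise ValueError(f"bad access spec: {access!r}")
    return dtype, num(major_s), num(minor_s), acc


def apply_rule(policy: DevPolicy, allow: bool, value: str) -> None:
    dtype, major, minor, acc = parse_stanza(value)
    if dtype == "a":                           # reset: new default, exception list cleared
        policy.default_allow = allow
        policy.exceptions.clear()
        return
    # Default-deny: allow adds an exception, deny removes one. Default-allow: the reverse.
    if allow != policy.default_allow:
        for ex in policy.exceptions:           # same device: merge access bits
            if (ex.dtype, ex.major, ex.minor) == (dtype, major, minor):
                ex.access |= acc
                return
        policy.exceptions.append(DevException(dtype, major, minor, set(acc)))
    else:
        kept = []
        for ex in policy.exceptions:           # same device: strip access bits, drop if empty
            if (ex.dtype, ex.major, ex.minor) == (dtype, major, minor):
                ex.access -= acc
                if not ex.access:
                    continue
            kept.append(ex)
        policy.exceptions = kept


def _dev_matches(ex: DevException, dtype: str, major: int, minor: int) -> bool:
    return ex.dtype == dtype and ex.major in (None, major) and ex.minor in (None, minor)


def check_access(policy: DevPolicy, dtype: str, major: int, minor: int, access: str) -> bool:
    """True if opening/mknod-ing the device with the given 'rwm' bits is permitted."""
    acc = set(access)
    if policy.default_allow:                   # must not touch any deny exception, even partially
        return not any(_dev_matches(ex, dtype, major, minor) and acc & ex.access
                       for ex in policy.exceptions)
    return any(_dev_matches(ex, dtype, major, minor) and acc <= ex.access  # one full match needed
               for ex in policy.exceptions)


def build_policy(config_lines: List[str]) -> DevPolicy:
    """Apply devices.allow/deny keys from LXC config lines in order."""
    policy = DevPolicy()
    for line in config_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in ("lxc.cgroup.devices.allow", "lxc.cgroup2.devices.allow"):
            apply_rule(policy, True, value)
        elif key in ("lxc.cgroup.devices.deny", "lxc.cgroup2.devices.deny"):
            apply_rule(policy, False, value)
    return policy


# Constructed sample, shaped like a typical LXC default device list.
SAMPLE_CONFIG = """\
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.deny = c 5:1 rwm
""".splitlines()

if __name__ == "__main__":
    pol = build_policy(SAMPLE_CONFIG)
    for dev in (("c", 1, 3, "rw"), ("c", 5, 1, "r"), ("b", 8, 0, "r"), ("b", 8, 0, "m")):
        print(dev, "allowed" if check_access(pol, *dev) else "denied")
```

Reading the sample: the leading `deny = a` switches the policy to default-deny, each `allow` line then adds an exception, and the final `deny = c 5:1 rwm` strips /dev/console back out, so a container under this policy can open /dev/null read-write and any pts device, can only `mknod` block devices without opening them, and cannot open /dev/console at all.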