cgroup v2 is not fully supported yet, proceeding with partial confinement

Bug #1850667 reported by Balint Reczey on 2019-10-30
Affects             Status   Importance   Assigned to
docker.io (Ubuntu)           Undecided    Unassigned
lxc (Ubuntu)        New      Unknown
lxcfs (Ubuntu)               Undecided    Unassigned
lxd (Ubuntu)                 Undecided    Unassigned
snapd (Ubuntu)               Undecided    Maciej Borzecki

Bug Description

Systemd upstream switched the default cgroup hierarchy to unified with v243. This change is reverted by the Ubuntu systemd packages, but as unified is the way to go per upstream, support should be added to all relevant Ubuntu packages (and snaps):

https://github.com/systemd/systemd/blob/v243/NEWS#L56

        * systemd now defaults to the "unified" cgroup hierarchy setup during
          build-time, i.e. -Ddefault-hierarchy=unified is now the build-time
          default. Previously, -Ddefault-hierarchy=hybrid was the default. This
          change reflects the fact that cgroupsv2 support has matured
          substantially in both systemd and in the kernel, and is clearly the
          way forward. Downstream production distributions might want to
          continue to use -Ddefault-hierarchy=hybrid (or even =legacy) for
          their builds as unfortunately the popular container managers have not
          caught up with the kernel API changes.

Systemd is rebuilt using the new default and is available from the following PPA for testing:

https://launchpad.net/~rbalint/+archive/ubuntu/systemd-unified-cgh

The autopkgtest results against other packages are available here:

https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-eoan-rbalint-systemd-unified-cgh/?format=plain

https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-focal-rbalint-systemd-unified-cgh/?format=plain

lxc autopkgtest failing:

https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-eoan-rbalint-systemd-unified-cgh/eoan/amd64/d/docker.io/20191030_155944_2331e@/log.gz

snapd autopkgtest failing:

https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-eoan-rbalint-systemd-unified-cgh/eoan/amd64/s/snapd/20191030_161354_94b26@/log.gz

docker.io autopkgtest failing:

https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-eoan-rbalint-systemd-unified-cgh/eoan/amd64/d/docker.io/20191030_155944_2331e@/log.gz

There's some ongoing work in snapd in this area. With 2.42 the snaps do not outright fail and a warning is printed out for the user. The current work on a named snapd v1 hierarchy should restore the snap process tracking capabilities.

Changed in snapd (Ubuntu):
status: New → In Progress
assignee: nobody → Maciej Borzecki (maciek-borzecki)
Ryutaroh Matsumoto (emojifreak) wrote:

When Ubuntu Eoan is started with systemd.unified_cgroup_hierarchy, lxc-start (version 3.0.4 packaged by Eoan) cannot be used in its default setting. It is a combination of an unsuitable default configuration and an upstream bug in LXC 3.0.4. For details, please refer to https://github.com/lxc/lxc/issues/3183

affects: lxc → lxc (Ubuntu)
Changed in lxc (Ubuntu):
status: Unknown → New
Ryutaroh Matsumoto (emojifreak) wrote:

This was reported to upstream: https://github.com/lxc/lxc/issues/3198
The purpose of libpam-cgfs is only chowning some CGroup directories to the login user.
When Linux is booted with systemd.unified_cgroup_hierarchy,
/sys/fs/cgroup/user.slice/user-$UID.slice/session-nnn.scope is not chowned to a login user.
So libpam-cgfs completely fails to function under cgroup v2.

https://github.com/lxc/lxc/issues/3221: another LXC-container-doesn't-start-at-all type issue, also observed on Ubuntu Eoan with systemd.unified_cgroup_hierarchy as well as on Fedora 31.
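The snapd warning in the title and the lxc/libpam-cgfs comments above all hinge on which cgroup hierarchy systemd booted with. The following is an added example (not code from the bug report, snapd, LXC or systemd) that classifies the hierarchy from /proc/self/cgroup text and, on a v2 hierarchy, resolves the login session scope directory that libpam-cgfs would need to chown; the /proc/self/cgroup samples and the uid/session values in them are constructed.

```python
"""Classify the cgroup hierarchy from /proc/self/cgroup text (constructed samples below)."""
import re
from typing import Optional

# Root of the cgroup2 mount: /sys/fs/cgroup when unified, /sys/fs/cgroup/unified when hybrid.
V2_ROOT = {"unified": "/sys/fs/cgroup", "hybrid": "/sys/fs/cgroup/unified"}
SESSION_SCOPE = re.compile(r"^/user\.slice/user-(\d+)\.slice/session-([^/]+)\.scope")


def parse_proc_cgroup(text: str) -> list:
    """Split each 'hierarchy-id:controllers:path' line into a (id, controllers, path) tuple."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            hier_id, controllers, path = line.split(":", 2)
            entries.append((hier_id, controllers, path))
    return entries


def cgroup_mode(text: str) -> str:
    """Return 'unified', 'hybrid' or 'legacy'.

    A cgroup v2 entry has hierarchy id 0 and an empty controller list; v1 entries have a
    non-zero id (systemd's named v1 hierarchy shows up as 'name=systemd').
    """
    entries = parse_proc_cgroup(text)
    has_v2 = any(h == "0" and c == "" for h, c, _ in entries)
    has_v1 = any(h != "0" for h, _, _ in entries)
    if has_v2 and not has_v1:
        return "unified"
    return "hybrid" if has_v2 else "legacy"


def session_scope_dir(text: str) -> Optional[tuple]:
    """On a v2 hierarchy, return (uid, session id, sysfs dir) of the process's login session
    scope, i.e. the directory libpam-cgfs would have to hand to the user; None otherwise."""
    mode = cgroup_mode(text)
    if mode == "legacy":
        return None
    v2_path = next(p for h, c, p in parse_proc_cgroup(text) if h == "0" and c == "")
    m = SESSION_SCOPE.match(v2_path)
    return (int(m.group(1)), m.group(2), V2_ROOT[mode] + m.group(0)) if m else None


# Constructed samples of /proc/self/cgroup contents for a login session in each mode.
UNIFIED = "0::/user.slice/user-1000.slice/session-2.scope\n"
HYBRID = ("12:pids:/user.slice/user-1000.slice/session-2.scope\n"
          "1:name=systemd:/user.slice/user-1000.slice/session-2.scope\n"
          "0::/user.slice/user-1000.slice/session-2.scope\n")
LEGACY = "12:pids:/user.slice\n1:name=systemd:/user.slice/user-1000.slice/session-2.scope\n"
```

On a real host, feed it `open("/proc/self/cgroup").read()`; a `legacy` result means the v1-only layout the Ubuntu systemd packages still default to, while `unified` is the layout that triggers the partial-confinement warning.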
