github.com/opencontainers/runc@v1.2.0-rc.1.0.20240520010911-492dc558cdd6/docs/cgroup-v2.md

# cgroup v2

runc fully supports cgroup v2 (unified mode) since v1.0.0-rc93.

To use cgroup v2, you might need to change the configuration of the host init system.
The following distributions are known to use cgroup v2 by default:
<!-- the list should be kept in sync with https://github.com/rootless-containers/rootlesscontaine.rs/blob/master/content/getting-started/common/cgroup2.md -->
- Fedora (since 31)
- Arch Linux (since April 2021)
- openSUSE Tumbleweed (since c. 2021)
- Debian GNU/Linux (since 11)
- Ubuntu (since 21.10)
- RHEL and RHEL-like distributions (since 9)

On other systemd-based distros, cgroup v2 can be enabled by adding `systemd.unified_cgroup_hierarchy=1` to the kernel command line.

## Am I using cgroup v2?

Yes, if `/sys/fs/cgroup/cgroup.controllers` is present.

## Host Requirements
### Kernel
* Recommended version: 5.2 or later
* Minimum version: 4.15

Kernels older than 5.2 are not recommended because they lack the cgroup v2 freezer.

Notably, kernels older than 4.15 MUST NOT be used (unless you are running containers with user namespaces), as they lack support for controlling device permissions.

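The two checks described above (is the unified hierarchy mounted, and does the running kernel meet the 4.15 minimum and the 5.2 recommendation) as an added POSIX shell example. This script is not part of the runc docs or the runc project; the cgroup root and the kernel release are parameters so the functions can be exercised against a constructed directory and fixed version strings, and the function names (`is_cgroup_v2`, `kernel_at_least`, `kernel_status`, `check_host`) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the runc docs): check a host against the cgroup v2 and kernel
# requirements above. ROOT and RELEASE are parameters so the checks can run against a
# constructed directory and fixed version strings as well as the real host.

# is_cgroup_v2 [ROOT]: 0 if the unified hierarchy is mounted at ROOT (default /sys/fs/cgroup),
# i.e. ROOT/cgroup.controllers exists.
is_cgroup_v2() {
    [ -f "${1:-/sys/fs/cgroup}/cgroup.controllers" ]
}

# kernel_at_least WANT HAVE: 0 if the release HAVE (uname -r style, e.g. 5.15.0-91-generic)
# is at least WANT (MAJOR.MINOR). Only the major and minor numbers are compared.
kernel_at_least() {
    want_major=${1%%.*}
    want_minor=${1#*.}; want_minor=${want_minor%%[!0-9]*}
    have_major=${2%%.*}
    have_minor=${2#*.}; have_minor=${have_minor%%[!0-9]*}
    if [ "$have_major" -gt "$want_major" ]; then return 0; fi
    if [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; then return 0; fi
    return 1
}

# kernel_status [RELEASE]: classify RELEASE (default: uname -r) against the thresholds above.
#   unsupported -> older than 4.15: no control over device permissions, MUST NOT be used
#   no-freezer  -> 4.15 or later but older than 5.2: works, freezer missing
#   recommended -> 5.2 or later
kernel_status() {
    rel="${1:-$(uname -r)}"
    if ! kernel_at_least 4.15 "$rel"; then echo unsupported
    elif ! kernel_at_least 5.2 "$rel"; then echo no-freezer
    else echo recommended
    fi
}

# check_host [ROOT] [RELEASE]: print a one-line summary; exit 0 only when the host has
# cgroup v2 mounted and a kernel that is at least the 4.15 minimum.
check_host() {
    status=$(kernel_status "${2:-}")
    if is_cgroup_v2 "${1:-}"; then cg=v2; else cg=v1; fi
    echo "cgroup: $cg, kernel: $status"
    if [ "$cg" = v2 ] && [ "$status" != unsupported ]; then return 0; fi
    return 1
}

# Run the check when executed with arguments (e.g. "/sys/fs/cgroup" "$(uname -r)");
# with no arguments only the functions are defined, so the file can be sourced.
if [ "$#" -gt 0 ]; then check_host "$@"; fi
```

Run it on the real host as `sh cgroup2-check.sh /sys/fs/cgroup "$(uname -r)"`; a `no-freezer` result is the "works, but not recommended" case from the table above, and `unsupported` means runc should not be used on that kernel without user namespaces.
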
### Systemd
On cgroup v2 hosts, it is highly recommended to run runc with the systemd cgroup driver (`runc --systemd-cgroup`), though it is not mandatory.

The recommended systemd version is 244 or later. Older systemd does not support delegation of the `cpuset` controller.

Make sure you also have the `dbus-user-session` (Debian/Ubuntu) or `dbus-daemon` (CentOS/Fedora) package installed, and that `dbus` is running. On Debian-flavored distros, this can be accomplished like so:

```console
$ sudo apt install -y dbus-user-session
$ systemctl --user start dbus
```

## Rootless
On cgroup v2 hosts, rootless runc can talk to systemd to have cgroup permissions delegated to it.

```console
$ runc spec --rootless
$ jq '.linux.cgroupsPath="user.slice:runc:foo"' config.json | sponge config.json
$ runc --systemd-cgroup run foo
```

The container processes are executed in a cgroup like `/user.slice/user-$(id -u).slice/user@$(id -u).service/user.slice/runc-foo.scope`.

### Configuring delegation
Typically, only the `memory` and `pids` controllers are delegated to non-root users by default.

```console
$ cat /sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.controllers
memory pids
```

To allow delegation of other controllers, you need to change the systemd configuration as follows:

```console
# mkdir -p /etc/systemd/system/user@.service.d
# cat > /etc/systemd/system/user@.service.d/delegate.conf << EOF
[Service]
Delegate=cpu cpuset io memory pids
EOF
# systemctl daemon-reload
```
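
An added POSIX shell check, not part of the runc docs or the runc project, that reads the same `cgroup.controllers` file shown above and reports which of the controllers named in the `Delegate=` drop-in are still not delegated to the user session. The file path is a parameter so the functions can be exercised against a constructed file; the function names (`delegated_controllers`, `missing_controllers`, `check_delegation`) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the runc docs): compare the controllers systemd delegates to the
# current user's cgroup with the set the Delegate= drop-in above is meant to enable.

# delegated_controllers [FILE]: print the contents of a cgroup.controllers file.
# FILE defaults to the current user's user@UID.service cgroup on a cgroup v2 host.
delegated_controllers() {
    file="${1:-/sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.controllers}"
    [ -r "$file" ] || return 1
    cat "$file"
}

# missing_controllers "WANTED" "HAVE": print each controller in WANTED that is absent
# from HAVE, one per line (both arguments are space-separated lists).
missing_controllers() {
    for c in $1; do
        found=0
        for h in $2; do
            if [ "$h" = "$c" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then echo "$c"; fi
    done
    return 0
}

# check_delegation [FILE]: exit 0 when cpu cpuset io memory pids are all delegated;
# otherwise print the gaps and exit 1.
check_delegation() {
    have=$(delegated_controllers "${1:-}") || {
        echo "cannot read cgroup.controllers (cgroup v2 host with a systemd user session?)" >&2
        return 1
    }
    missing=$(missing_controllers "cpu cpuset io memory pids" "$have")
    if [ -n "$missing" ]; then
        # $missing is deliberately unquoted so the lines are joined by spaces
        echo "not delegated:" $missing
        return 1
    fi
    echo "all required controllers delegated: $have"
    return 0
}

# Run the check when executed with a cgroup.controllers path as argument; with no
# arguments only the functions are defined, so the file can be sourced.
if [ "$#" -gt 0 ]; then check_delegation "$1"; fi
```

On a host that still has the default delegation, `sh delegation-check.sh /sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.controllers` prints `not delegated: cpu cpuset io` and exits 1; once the drop-in is in effect it prints the full controller list and exits 0.
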