systemd: switch to unified cgroup hierarchy by default

See https://www.redhat.com/sysadmin/fedora-31-control-group-v2 for details on why this is desirable, and how it impacts containers. Users that need to keep using the old cgroup hierarchy can re-enable it by setting `systemd.unifiedCgroupHierarchy` to `false`. Well-known candidates not supporting that hierarchy, like docker and hidepid=… will disable it automatically. Fixes #73800
4 years ago · d22b3ed4bc
parent e949d75899
commit d22b3ed4bc
5 changed files with 32 additions and 3 deletions
--- a/nixos/doc/manual/release-notes/rl-2103.xml
+++ b/nixos/doc/manual/release-notes/rl-2103.xml
@ -264,6 +264,19 @@
     <literal>unbound-control</literal> without passing a custom configuration location.
    </para>
   </listitem>
+   <listitem>
+    <para>
+     NixOS now defaults to the unified cgroup hierarchy (cgroupsv2).
+     See the <link xlink:href="https://www.redhat.com/sysadmin/fedora-31-control-group-v2">Fedora Article for 31</link>
+     for details on why this is desirable, and how it impacts containers.
+    </para>
+    <para>
+     If you want to run containers with a runtime that does not yet support cgroupsv2,
+     you can switch back to the old behaviour by setting
+     <xref linkend="opt-systemd.enableUnifiedCgroupHierarchy"/> = <literal>false</literal>;
+     and rebooting.
+    </para>
+   </listitem>
  </itemizedlist>
 </section>
 </section>
--- a/nixos/modules/security/hidepid.nix
+++ b/nixos/modules/security/hidepid.nix
@ -23,5 +23,9 @@ with lib;

    boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ];
    systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ];
+
+    # Disable cgroupsv2, which doesn't work with hidepid.
+    # https://github.com/NixOS/nixpkgs/pull/104094#issuecomment-729996203
+    systemd.enableUnifiedCgroupHierarchy = false;
  };
 }
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@ -550,6 +550,14 @@ in
      '';
    };

+    systemd.enableUnifiedCgroupHierarchy = mkOption {
+      default = true;
+      type = types.bool;
+      description = ''
+        Whether to enable the unified cgroup hierarchy (cgroupsv2).
+      '';
+    };
+
    systemd.coredump.enable = mkOption {
      default = true;
      type = types.bool;
@ -1178,6 +1186,7 @@ in
    boot.kernel.sysctl = mkIf (!cfg.coredump.enable) {
      "kernel.core_pattern" = "core";
    };
+    boot.kernelParams = optional (!cfg.enableUnifiedCgroupHierarchy) "systemd.unified_cgroup_hierarchy=0";
  };

  # FIXME: Remove these eventually.
--- a/nixos/modules/virtualisation/docker.nix
+++ b/nixos/modules/virtualisation/docker.nix
@ -155,6 +155,9 @@ in
      users.groups.docker.gid = config.ids.gids.docker;
      systemd.packages = [ cfg.package ];

+      # TODO: remove once docker 20.10 is released
+      systemd.enableUnifiedCgroupHierarchy = false;
+
      systemd.services.docker = {
        wantedBy = optional cfg.enableOnBoot "multi-user.target";
        environment = proxy_env;
--- a/pkgs/os-specific/linux/systemd/default.nix
+++ b/pkgs/os-specific/linux/systemd/default.nix
@ -281,9 +281,9 @@ stdenv.mkDerivation {
    "-Dmount-path=${utillinux}/bin/mount"
    "-Dumount-path=${utillinux}/bin/umount"
    "-Dcreate-log-dirs=false"
-    # Upstream uses cgroupsv2 by default. To support docker and other
-    # container managers we still need v1.
-    "-Ddefault-hierarchy=hybrid"
+
+    # Use cgroupsv2. This is already the upstream default, but better be explicit.
+    "-Ddefault-hierarchy=unified"
    # Upstream defaulted to disable manpages since they optimize for the much
    # more frequent development builds
    "-Dman=true"