4

I am trying to enable cgroups v2 on Amazon Linux 2, but so far unsuccessfully.

I have tried to add

systemd.unified_cgroup_hierarchy=1

to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub, then

grub2-mkconfig -o /boot/grub2/grub.cfg
reboot

After that, I still do not see cgroup2 mounted.

sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
devtmpfs on /dev type devtmpfs (rw,nosuid,size=4021004k,nr_inodes=1005251,mode=755)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,nodev,mode=755)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
/dev/nvme0n1p1 on / type xfs (rw,noatime,attr2,inode64,noquota)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,pagesize=2M)
mqueue on /dev/mqueue type mqueue (rw,relatime)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=30,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=847)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=806356k,mode=700,uid=1000,gid=1000)

Does anyone have experience with this?

dragonraid
  • 61
  • 3

2 Answers

1

You need to add the option to the boot parameters (systemd.unified_cgroup_hierarchy=1) as you attempted, or like so:

sudo grubby --update-kernel=/boot/vmlinuz-$(uname -r) --args="systemd.unified_cgroup_hierarchy=1"

Reboot (/sbin/reboot) to the updated configuration, and mount cgroup v2:

sudo mount -t cgroup2 none /sys/fs/cgroup

You'll then be able to see cgroup v2 mounted, and its controllers.

$ mount | grep cgroup2
none on /sys/fs/cgroup type cgroup2 (rw,relatime)
$ ls -lah /sys/fs/cgroup/
total 0
dr-xr-xr-x 2 root root 0 Dec 18 12:42 .
drwxr-xr-x 6 root root 0 Dec 18 12:35 ..
-r--r--r-- 1 root root 0 Dec 18 12:42 cgroup.controllers
-rw-r--r-- 1 root root 0 Dec 18 12:42 cgroup.max.depth
-rw-r--r-- 1 root root 0 Dec 18 12:42 cgroup.max.descendants
-rw-r--r-- 1 root root 0 Dec 18 12:42 cgroup.procs
-r--r--r-- 1 root root 0 Dec 18 12:42 cgroup.stat
-rw-r--r-- 1 root root 0 Dec 18 12:42 cgroup.subtree_control
-rw-r--r-- 1 root root 0 Dec 18 12:42 cgroup.threads
-rw-r--r-- 1 root root 0 Dec 18 12:42 cpu.pressure
-r--r--r-- 1 root root 0 Dec 18 12:42 cpu.stat
-rw-r--r-- 1 root root 0 Dec 18 12:42 io.pressure
-rw-r--r-- 1 root root 0 Dec 18 12:42 memory.pressure

For more information, check the authoritative documentation on cgroup v2.

  • Will this be persisted between kernel updates? Or will I have to run the grubby command again after every future kernel update? – Falco Jan 28 '22 at 09:06
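
When cgroup2 still does not show up after the reboot, it helps to know which step failed. The following is an added example, not part of the original answer: it checks the mounted hierarchy, the running kernel command line and kernel support for cgroup2. The function names and the sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the answer. Each function reads a file that defaults
# to the live /proc entry, so saved copies from another host work too.

# Print unified | hybrid | legacy | none for a /proc/mounts-format file.
cgroup_mode() {
    awk '$3 == "cgroup2" { v2 = 1 }
         $3 == "cgroup"  { v1 = 1 }
         END { if (v2 && v1) print "hybrid"
               else if (v2)  print "unified"
               else if (v1)  print "legacy"
               else          print "none" }' "${1:-/proc/mounts}"
}

# Succeed if the running kernel command line carries the switch.
cmdline_requests_v2() {
    tr ' ' '\n' < "${1:-/proc/cmdline}" |
        grep -qxF 'systemd.unified_cgroup_hierarchy=1'
}

# Succeed if the kernel has the cgroup2 filesystem type registered.
kernel_has_cgroup2() {
    grep -qw 'cgroup2' "${1:-/proc/filesystems}"
}

# One verdict from the three checks. Args: mounts, cmdline, filesystems.
diagnose() {
    local mode
    mode=$(cgroup_mode "$1")
    if [ "$mode" = unified ]; then
        echo "ok: unified hierarchy mounted"
    elif ! kernel_has_cgroup2 "$3"; then
        echo "kernel: cgroup2 filesystem not available"
    elif ! cmdline_requests_v2 "$2"; then
        echo "boot: parameter missing from running command line ($mode)"
    else
        echo "init: parameter present but hierarchy is $mode"
    fi
}

# Constructed sample: v1-only mounts with the parameter on the command line.
d=$(mktemp -d)
printf '%s\n' 'tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0' \
    'cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,memory 0 0' > "$d/mounts"
echo 'root=/dev/nvme0n1p1 ro systemd.unified_cgroup_hierarchy=1' > "$d/cmdline"
printf 'nodev\tcgroup\nnodev\tcgroup2\n\txfs\n' > "$d/filesystems"
diagnose "$d/mounts" "$d/cmdline" "$d/filesystems"
```

Calling `diagnose` with no arguments reads the live `/proc` files. A "boot:" verdict means the GRUB change never reached the running kernel, while "init:" means the parameter arrived but the hierarchy was not switched.
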
0

If you're running Docker for Mac and would like to use systemd, it's your lucky day... Mostly this would be for Ansible Molecule testing, so I'll explain how to solve it with this in mind.

You'll need to add this to the Molecule platform (here you can find how to run it outside Molecule; you don't need privileged, but you can search for the right permissions in other posts):

  - name: amazon
    image: amazonlinux:2
    docker_host: "unix://var/run/docker.sock"
    cgroupns_mode: "host"
    volumes:
      - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
    privileged: true

And this to a Dockerfile.j2:

{% if item.registry is defined %}
FROM {{ item.registry.url }}/{{ item.image }}
{% else %}
FROM {{ item.image }}
{% endif %}

VOLUME [ "/tmp", "/run", "/run/lock" ]

# Mostly tested with Ubuntu, SuSe and Amazon Linux
RUN if [ -d /nsconfig ]; then exit 0; \
    elif [ $(command -v apt-get) ]; then apt-get update && DEBIAN_FRONTEND=noninteractive TZ=Europe/Berlin apt-get install -y tar rsyslog logrotate unzip gzip systemd systemd-sysv python3 python3-setuptools python3-pip sudo bash ca-certificates vim gnupg && apt-get clean && mkdir -p /lib/systemd && ln -s /lib/systemd/system /usr/lib/systemd/system; \
    elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install rsyslog logrotate tar unzip gzip systemd systemd-sysv python3 python*-dnf python3-setuptools python3-pip bash iproute net-tools sudo vim && dnf clean all; \
    elif [ $(command -v yum) ]; then yum -y update && yum install -y rsyslog logrotate tar unzip gzip dbus systemd systemd-sysv python3 python3-setuptools python3-pip bash iproute net-tools sudo vim && yum clean all; \
    elif [ $(command -v zypper) ]; then zypper update -y && zypper install -y rsyslog logrotate tar unzip gzip cron dbus-1 systemd-sysvinit systemd sudo python3 python3-base python3-setuptools python3-pip bash iproute net-tools sudo vim && zypper clean -a && mkdir -p /lib/systemd && ln -s /lib/systemd/system /usr/lib/systemd/system; \
    elif [ $(command -v apk) ]; then apk update && apk add --no-cache tar rsyslog logrotate unzip gzip python3 python3-setuptools pip3 sudo bash ca-certificates vim; \
    elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y rsyslog logrotate tar unzip gzip python3 python3-setuptools pip3 sudo bash ca-certificates vim && xbps-remove -O; fi

WORKDIR /lib/systemd/system/sysinit.target.wants/

RUN cd /lib/systemd/system/sysinit.target.wants/ ; \
    for i in *; do [ $i = systemd-tmpfiles-setup.service ] || rm -f $i ; done ; \
    rm -f /lib/systemd/system/multi-user.target.wants/* ; \
    rm -f /etc/systemd/system/*.wants/* ; \
    rm -f /lib/systemd/system/local-fs.target.wants/* ; \
    rm -f /lib/systemd/system/sockets.target.wants/*udev* ; \
    rm -f /lib/systemd/system/sockets.target.wants/*initctl* ; \
    rm -f /lib/systemd/system/basic.target.wants/* ; \
    rm -f /lib/systemd/system/anaconda.target.wants/*

RUN sed -i 's/OOMScoreAdjust=-900//' /lib/systemd/system/dbus.service

WORKDIR /

ENTRYPOINT ["/lib/systemd/systemd"]

Although the question was just for Amazon Linux 2, the search for cgroups v2 running in Docker passes through here.

Pirolla
  • 31
  • 4