[Optional] cgroup v2

Note

Enabling cgroup v2 is optional.

Enabling cgroup v2 is often needed for running Rootless Containers with limiting the consumption of the CPU, memory, I/O, and PIDs resources, e.g. docker run --memory 32m.

Note that cgroup is not needed for just limiting resources with traditional ulimit and cpulimit, though they work in process-granularity rather than in container-granularity. See here for the further information.

If /sys/fs/cgroup/cgroup.controllers is present on your system, you are using v2, otherwise you are using v1.

The following distributions are known to use cgroup v2 by default:

• Fedora (since 31)
• Arch Linux (since April 2021)
• openSUSE Tumbleweed (since c. 2021)
• Debian GNU/Linux (since 11)
• Ubuntu (since 21.10)
• RHEL and RHEL-like distributions (since 9)

Enabling cgroup v2 for containers requires kernel 4.15 or later. Kernel 5.2 or later is recommended.

And yet, delegating cgroup v2 controllers to non-root users requires a recent version of systemd. systemd 244 or later is recommended.

To boot the host with cgroup v2, add the following string to the GRUB_CMDLINE_LINUX line in /etc/default/grub and then run sudo update-grub.

systemd.unified_cgroup_hierarchy=1

For ubuntu on azure, you should add this in /etc/default/grub.d/50-cloudimg-settings.cfg

By default, a non-root user can only get memory controller and pids controller to be delegated.

$ cat /sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.controllers
memory pids

To allow delegation of other controllers such as cpu, cpuset, and io, run the following commands:

$ sudo mkdir -p /etc/systemd/system/user@.service.d
$ cat <<EOF | sudo tee /etc/systemd/system/user@.service.d/delegate.conf
[Service]
Delegate=cpu cpuset io memory pids
EOF
$ sudo systemctl daemon-reload

Delegating cpuset is recommended as well as cpu. Delegating cpuset requires systemd 244 or later.

After changing the systemd configuration, you need to re-login or reboot the host. Rebooting the host is recommended.