runc fully supports cgroup v2 (unified mode) since v1.0.0-rc93.
To use cgroup v2, you might need to change the configuration of the host init system.
Fedora (>= 31) uses cgroup v2 by default and no extra configuration is required.
On other systemd-based distros, cgroup v2 can be enabled by adding systemd.unified_cgroup_hierarchy=1
to the kernel cmdline.
Yes if /sys/fs/cgroup/cgroup.controllers
is present.
Kernel older than 5.2 is not recommended due to lack of freezer.
Notably, kernel older than 4.15 MUST NOT be used (unless you are running containers with user namespaces), as it lacks support for controlling permissions of devices.
On cgroup v2 hosts, it is highly recommended to run runc with the systemd cgroup driver (runc --systemd-cgroup
), though not mandatory.
The recommended systemd version is 244 or later. Older systemd does not support delegation of cpuset
controller.
Make sure you also have the dbus-user-session
(Debian/Ubuntu) or dbus-daemon
(CentOS/Fedora) package installed, and that dbus
is running. On Debian-flavored distros, this can be accomplished like so:
$ sudo apt install -y dbus-user-session
$ systemctl --user start dbus
On cgroup v2 hosts, rootless runc can talk to systemd to get cgroup permissions to be delegated.
$ runc spec --rootless
$ jq '.linux.cgroupsPath="user.slice:runc:foo"' config.json | sponge config.json
$ runc --systemd-cgroup run foo
The container processes are executed in a cgroup like /user.slice/user-$(id -u).slice/user@$(id -u).service/user.slice/runc-foo.scope
.
Typically, only memory
and pids
controllers are delegated to non-root users by default.
$ cat /sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.controllers
memory pids
To allow delegation of other controllers, you need to change the systemd configuration as follows:
# mkdir -p /etc/systemd/system/user@.service.d
# cat > /etc/systemd/system/user@.service.d/delegate.conf << EOF
[Service]
Delegate=cpu cpuset io memory pids
EOF
# systemctl daemon-reload
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。