authorFrederik Rietdijk <freddyrietdijk@fridh.nl>2020-11-30 18:27:29 +0100
committerGitHub <noreply@github.com>2020-11-30 18:27:29 +0100
commit9a63b3d3d61ca822aceeb4a994e8ef21a7593cc7 (patch)
treeaceb3c75e546efae7ce47a390fdadce36e39eddd /nixos/modules
parentd554addf6c5f7024b44fc214df03af25dbcf3bfc (diff)
parent0d8491cb2b045e8a0b52bde121929b15a1d20196 (diff)
Merge pull request #104781 from NixOS/staging-next
Staging next
Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/security/hidepid.nix4
-rw-r--r--nixos/modules/services/cluster/k3s/default.nix4
-rw-r--r--nixos/modules/system/boot/systemd.nix9
-rw-r--r--nixos/modules/virtualisation/docker.nix3
4 files changed, 20 insertions, 0 deletions
diff --git a/nixos/modules/security/hidepid.nix b/nixos/modules/security/hidepid.nix
index 55a48ea3c9c6..4953f517e93b 100644
--- a/nixos/modules/security/hidepid.nix
+++ b/nixos/modules/security/hidepid.nix
@@ -23,5 +23,9 @@ with lib;
boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ];
systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ];
+
+ # Disable cgroupsv2, which doesn't work with hidepid.
+ # https://github.com/NixOS/nixpkgs/pull/104094#issuecomment-729996203
+ systemd.enableUnifiedCgroupHierarchy = false;
};
}
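Review bot: `systemd.enableUnifiedCgroupHierarchy = false;` is an unconditional definition, so a user who enables this module and also sets the option to true in their own configuration gets, as far as I can tell, a generic conflicting-definitions evaluation error with no hint that hidepid is the cause; the same pattern appears in the k3s and docker hunks below. Since the comment already records why cgroupsv2 is incompatible, that reason could be surfaced instead: define the option as `systemd.enableUnifiedCgroupHierarchy = mkDefault false;` and add `assertions = [ { assertion = !config.systemd.enableUnifiedCgroupHierarchy; message = "hidepid requires systemd.enableUnifiedCgroupHierarchy = false (cgroupsv2 does not work with hidepid)"; } ];` so an explicit override fails with a message naming the constraint. The enclosing attribute set starts outside the hunk.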
diff --git a/nixos/modules/services/cluster/k3s/default.nix b/nixos/modules/services/cluster/k3s/default.nix
index 2e8bf20a68fc..f0317fdbd160 100644
--- a/nixos/modules/services/cluster/k3s/default.nix
+++ b/nixos/modules/services/cluster/k3s/default.nix
@@ -76,6 +76,10 @@ in
enable = mkDefault true;
};
+ # TODO: disable this once k3s supports cgroupsv2, either by docker
+ # supporting it, or their bundled containerd
+ systemd.enableUnifiedCgroupHierarchy = false;
+
systemd.services.k3s = {
description = "k3s service";
after = mkIf cfg.docker [ "docker.service" ];
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index c22264b3e92d..cbf9e7b49d36 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -550,6 +550,14 @@ in
'';
};
+ systemd.enableUnifiedCgroupHierarchy = mkOption {
+ default = true;
+ type = types.bool;
+ description = ''
+ Whether to enable the unified cgroup hierarchy (cgroupsv2).
+ '';
+ };
+
systemd.coredump.enable = mkOption {
default = true;
type = types.bool;
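Review bot: The description of `systemd.enableUnifiedCgroupHierarchy` does not tell the user that the setting is applied through `boot.kernelParams` (second hunk, `systemd.unified_cgroup_hierarchy=0`), so a change only takes effect after a reboot and a plain `nixos-rebuild switch` leaves the running system on the previous hierarchy. I would extend the description to `Whether to enable the unified cgroup hierarchy (cgroupsv2). Changing this adds or removes the systemd.unified_cgroup_hierarchy=0 kernel parameter, so it only takes effect after a reboot.` The surrounding option set and config block start and end outside both hunks.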
@@ -1178,6 +1186,7 @@ in
boot.kernel.sysctl = mkIf (!cfg.coredump.enable) {
"kernel.core_pattern" = "core";
};
+ boot.kernelParams = optional (!cfg.enableUnifiedCgroupHierarchy) "systemd.unified_cgroup_hierarchy=0";
};
# FIXME: Remove these eventually.
diff --git a/nixos/modules/virtualisation/docker.nix b/nixos/modules/virtualisation/docker.nix
index d87ada35a0ae..ec257801b330 100644
--- a/nixos/modules/virtualisation/docker.nix
+++ b/nixos/modules/virtualisation/docker.nix
@@ -155,6 +155,9 @@ in
users.groups.docker.gid = config.ids.gids.docker;
systemd.packages = [ cfg.package ];
+ # TODO: remove once docker 20.10 is released
+ systemd.enableUnifiedCgroupHierarchy = false;
+
systemd.services.docker = {
wantedBy = optional cfg.enableOnBoot "multi-user.target";
environment = proxy_env;