author | Florian Klink <flokli@flokli.de> | 2020-11-22 22:35:42 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-11-22 22:35:42 +0100 |
commit | c76891314d2f84a75c6591c9e568bca6019b940f (patch) | |
tree | b5dac443182a494c0c1337f62938904d0093a33b /nixos | |
parent | a62e6738af0b0019195d21f7b35f528bc858bade (diff) | |
parent | 90d5bdb12fc4db671db9ec11043fe26f51c88404 (diff) |
Merge pull request #104094 from flokli/systemd-unified-cgroup-hierarchy
systemd: switch to unified cgroup hierarchy by default
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2103.xml | 13 | ||||
-rw-r--r-- | nixos/modules/security/hidepid.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/cluster/k3s/default.nix | 4 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd.nix | 9 | ||||
-rw-r--r-- | nixos/modules/virtualisation/docker.nix | 3 | ||||
-rw-r--r-- | nixos/tests/podman.nix | 19 | ||||
-rw-r--r-- | nixos/tests/systemd.nix | 35 |
7 files changed, 71 insertions, 16 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2103.xml b/nixos/doc/manual/release-notes/rl-2103.xml index 10d5cda77464..a099bbb76384 100644 --- a/nixos/doc/manual/release-notes/rl-2103.xml +++ b/nixos/doc/manual/release-notes/rl-2103.xml @@ -277,6 +277,19 @@ <literal>unbound-control</literal> without passing a custom configuration location. </para> </listitem> + <listitem> + <para> + NixOS now defaults to the unified cgroup hierarchy (cgroupsv2). + See the <link xlink:href="https://www.redhat.com/sysadmin/fedora-31-control-group-v2">Fedora Article for 31</link> + for details on why this is desirable, and how it impacts containers. + </para> + <para> + If you want to run containers with a runtime that does not yet support cgroupsv2, + you can switch back to the old behaviour by setting + <xref linkend="opt-systemd.enableUnifiedCgroupHierarchy"/> = <literal>false</literal>; + and rebooting. + </para> + </listitem> </itemizedlist> </section> </section> diff --git a/nixos/modules/security/hidepid.nix b/nixos/modules/security/hidepid.nix index 55a48ea3c9c6..4953f517e93b 100644 --- a/nixos/modules/security/hidepid.nix +++ b/nixos/modules/security/hidepid.nix @@ -23,5 +23,9 @@ with lib; boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ]; systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ]; + + # Disable cgroupsv2, which doesn't work with hidepid. + # https://github.com/NixOS/nixpkgs/pull/104094#issuecomment-729996203 + systemd.enableUnifiedCgroupHierarchy = false; }; } diff --git a/nixos/modules/services/cluster/k3s/default.nix b/nixos/modules/services/cluster/k3s/default.nix index 2e8bf20a68fc..f0317fdbd160 100644 --- a/nixos/modules/services/cluster/k3s/default.nix +++ b/nixos/modules/services/cluster/k3s/default.nix 
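Review bot: The new `systemd.enableUnifiedCgroupHierarchy = false;` in hidepid.nix changes the kernel command line for everyone who enables the hidepid module, but only the in-file comment explains it; the module's own enable-option description (outside this hunk) says nothing about the side effect. A user who turns hidepid on thereby drops cgroupsv2 and everything the release note attaches to it, and as far as I can tell an explicit `systemd.enableUnifiedCgroupHierarchy = true;` elsewhere in their configuration would then fail evaluation as a conflicting definition rather than being ignored. I would add to the hidepid enable option's description a sentence such as: `Enabling this option also forces <option>systemd.enableUnifiedCgroupHierarchy</option> to false, because hidepid does not work with cgroupsv2; the change takes effect only after a reboot.` The enclosing config attrset starts before this hunk.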
@@ -76,6 +76,10 @@ in enable = mkDefault true; }; + # TODO: disable this once k3s supports cgroupsv2, either by docker + # supporting it, or their bundled containerd + systemd.enableUnifiedCgroupHierarchy = false; + systemd.services.k3s = { description = "k3s service"; after = mkIf cfg.docker [ "docker.service" ]; diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index c22264b3e92d..cbf9e7b49d36 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -550,6 +550,14 @@ in ''; }; + systemd.enableUnifiedCgroupHierarchy = mkOption { + default = true; + type = types.bool; + description = '' + Whether to enable the unified cgroup hierarchy (cgroupsv2). + ''; + }; + systemd.coredump.enable = mkOption { default = true; type = types.bool; @@ -1178,6 +1186,7 @@ in boot.kernel.sysctl = mkIf (!cfg.coredump.enable) { "kernel.core_pattern" = "core"; }; + boot.kernelParams = optional (!cfg.enableUnifiedCgroupHierarchy) "systemd.unified_cgroup_hierarchy=0"; }; # FIXME: Remove these eventually. diff --git a/nixos/modules/virtualisation/docker.nix b/nixos/modules/virtualisation/docker.nix index d87ada35a0ae..ec257801b330 100644 --- a/nixos/modules/virtualisation/docker.nix +++ b/nixos/modules/virtualisation/docker.nix @@ -155,6 +155,9 @@ in users.groups.docker.gid = config.ids.gids.docker; systemd.packages = [ cfg.package ]; + # TODO: remove once docker 20.10 is released + systemd.enableUnifiedCgroupHierarchy = false; + systemd.services.docker = { wantedBy = optional cfg.enableOnBoot "multi-user.target"; environment = proxy_env; diff --git a/nixos/tests/podman.nix b/nixos/tests/podman.nix index cd8c2b4308c8..bccd2de7c9b9 100644 --- a/nixos/tests/podman.nix +++ b/nixos/tests/podman.nix 
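Review bot: `systemd.enableUnifiedCgroupHierarchy = false;` in the k3s module, and the identical line in the docker.nix hunk, is a plain definition, so a user running a cgroupsv2-capable docker or containerd cannot opt back into the unified hierarchy without `mkForce`, and the TODO above it carries no condition that would ever retire it automatically. Since both lines work around a runtime limitation rather than a hard requirement of the module, `systemd.enableUnifiedCgroupHierarchy = mkDefault false;` in both places would keep the safe default (it still outranks the option's own default of `true`) while leaving the decision overridable from user configuration. The TODO could also name the condition concretely, e.g. `# TODO: drop once the bundled containerd/docker support cgroupsv2`, so the reviewer of the eventual bump knows what to check. The enclosing config attrset in both modules begins outside the hunk.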
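Review bot: The description of the new `systemd.enableUnifiedCgroupHierarchy` option does not say how the setting is applied; the second systemd.nix hunk implements it purely as the kernel parameter `systemd.unified_cgroup_hierarchy=0`, so changing it and running `nixos-rebuild switch` has no effect until the machine is rebooted, which a reader of the option text cannot tell. I would extend the description to: `Whether to enable the unified cgroup hierarchy (cgroupsv2). This is applied through the kernel command line, so changing it takes effect only after a reboot. Some container runtimes do not yet support cgroupsv2; see the release notes.` The `boot.kernelParams` definition sits inside a config block whose start lies outside the hunk, so I have not checked what condition, if any, guards it.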
@@ -34,7 +34,6 @@ import ./make-test-python.nix ( podman.wait_for_unit("sockets.target") start_all() - with subtest("Run container as root with runc"): podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg") podman.succeed( 
@@ -53,22 +52,32 @@ import ./make-test-python.nix ( podman.succeed("podman stop sleeping") podman.succeed("podman rm sleeping") - with subtest("Run container rootless with runc"): + with subtest("Run container as root with the default backend"): + podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg") + podman.succeed( + "podman run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10" + ) + podman.succeed("podman ps | grep sleeping") + podman.succeed("podman stop sleeping") + podman.succeed("podman rm sleeping") + + with subtest("Run container rootless with crun"): podman.succeed(su_cmd("tar cv --files-from /dev/null | podman import - scratchimg")) podman.succeed( su_cmd( - "podman run --runtime=runc -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10" + "podman run --runtime=crun -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10" ) ) podman.succeed(su_cmd("podman ps | grep sleeping")) podman.succeed(su_cmd("podman stop sleeping")) podman.succeed(su_cmd("podman rm sleeping")) + # As of 2020-11-20, the runc backend doesn't work with cgroupsv2 yet, so we don't run that test. - with subtest("Run container rootless with crun"): + with subtest("Run container rootless with the default backend"): podman.succeed(su_cmd("tar cv --files-from /dev/null | podman import - scratchimg")) podman.succeed( su_cmd( - "podman run --runtime=crun -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10" + "podman run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10" ) ) podman.succeed(su_cmd("podman ps | grep sleeping")) diff --git a/nixos/tests/systemd.nix b/nixos/tests/systemd.nix index dfa16eecfad2..390a1bd30f90 100644 --- a/nixos/tests/systemd.nix +++ b/nixos/tests/systemd.nix 
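Review bot: The new comment `# As of 2020-11-20, the runc backend doesn't work with cgroupsv2 yet, so we don't run that test.` is placed between the crun subtest and the default-backend subtest and does not name which test it means; from this hunk it is the rootless runc subtest that was renamed away, and, if the context line in the previous hunk is right that the root runc subtest survives, "the runc backend" overstates it. I would move the comment to where the rootless runc subtest used to be and make it specific: `# As of 2020-11-20, rootless runc does not work with cgroupsv2, so that subtest is not run.` The two "default backend" subtests also never record which runtime the default resolves to, so a later change of podman's default would silently change what they cover; a `podman.succeed("podman info")` before them would at least make the test log self-explanatory.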
@@ -82,6 +82,10 @@ import ./make-test-python.nix ({ pkgs, ... }: { "systemd-run --pty --property=Type=oneshot --property=DynamicUser=yes --property=User=iamatest whoami" ) + with subtest("regression test for https://bugs.freedesktop.org/show_bug.cgi?id=77507"): + retcode, output = machine.execute("systemctl status testservice1.service") + assert retcode in [0, 3] # https://bugs.freedesktop.org/show_bug.cgi?id=77507 + # Regression test for https://github.com/NixOS/nixpkgs/issues/35268 with subtest("file system with x-initrd.mount is not unmounted"): machine.succeed("mountpoint -q /test-x-initrd-mount") @@ -122,17 +126,6 @@ import ./make-test-python.nix ({ pkgs, ... }: { machine.wait_for_unit("multi-user.target") assert "fq_codel" in machine.succeed("sysctl net.core.default_qdisc") - # Test cgroup accounting is enabled - with subtest("systemd cgroup accounting is enabled"): - machine.wait_for_unit("multi-user.target") - assert "yes" in machine.succeed( - "systemctl show testservice1.service -p IOAccounting" - ) - - retcode, output = machine.execute("systemctl status testservice1.service") - assert retcode in [0, 3] # https://bugs.freedesktop.org/show_bug.cgi?id=77507 - assert "CPU:" in output - # Test systemd is configured to manage a watchdog with subtest("systemd manages hardware watchdog"): machine.wait_for_unit("multi-user.target") 
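Review bot: In the new regression subtest, `retcode, output = machine.execute("systemctl status testservice1.service")` binds `output` and never uses it; the version this replaces (removed in the next hunk) followed it with `assert "CPU:" in output`, which is now dropped. Either assert on the output again or write `retcode, _ = machine.execute("systemctl status testservice1.service")` so the intent is explicit. The subtest label and the trailing comment also both repeat the bug URL; a plain label such as `with subtest("systemctl status on testservice1 exits 0 or 3"):` with the URL kept only in the comment reads better in test output.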
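Review bot: Removing the `systemctl show testservice1.service -p IOAccounting` assertion leaves no check that per-unit IO accounting is still enabled; the replacement in the last hunk of this file verifies accounting on `system.slice` and per-unit IP counters only, so a regression in the default IO accounting setting or in this unit's own configuration would no longer be caught. Unless the slice-level `IO:` line is meant to cover that, I would keep `assert "yes" in machine.succeed("systemctl show testservice1.service -p IOAccounting")` inside the new per-unit accounting subtest. The deleted `with subtest(...)` block is wholly within this hunk.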
@@ -168,5 +161,25 @@ import ./make-test-python.nix ({ pkgs, ... }: { machine.succeed("systemctl status systemd-cryptsetup@luks1.service") machine.succeed("mkdir -p /tmp/luks1") machine.succeed("mount /dev/mapper/luks1 /tmp/luks1") + + # Do some IP traffic + output_ping = machine.succeed( + "systemd-run --wait -- /run/wrappers/bin/ping -c 1 127.0.0.1 2>&1" + ) + + with subtest("systemd reports accounting data on system.slice"): + output = machine.succeed("systemctl status system.slice") + assert "CPU:" in output + assert "Memory:" in output + + assert "IP:" in output + assert "0B in, 0B out" not in output + + assert "IO:" in output + assert "0B read, 0B written" not in output + + with subtest("systemd per-unit accounting works"): + assert "IP traffic received: 84B" in output_ping + assert "IP traffic sent: 84B" in output_ping ''; }) |
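Review bot: `assert "IP traffic received: 84B" in output_ping` hard-codes the byte count without saying where it comes from, which makes the assertion look arbitrary and hard to adjust when it breaks. A comment such as `# 84B = 20-byte IPv4 header + 8-byte ICMP header + ping's default 56-byte payload, one echo each way over loopback` documents the expectation. The `system.slice` subtest also depends on the ping having run first — its `"0B in, 0B out" not in output` check would fail if the `systemd-run` call were moved below it — so the `# Do some IP traffic` comment should say that the traffic is there to feed the slice-level IP assertion that follows.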