-rw-r--r--nixos/doc/manual/release-notes/rl-2103.xml13
-rw-r--r--nixos/modules/security/hidepid.nix4
-rw-r--r--nixos/modules/system/boot/systemd.nix9
-rw-r--r--nixos/modules/virtualisation/docker.nix3
-rw-r--r--pkgs/os-specific/linux/systemd/default.nix6
5 files changed, 32 insertions, 3 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2103.xml b/nixos/doc/manual/release-notes/rl-2103.xml
index 5c017c65a253..8aaa9094a7a3 100644
--- a/nixos/doc/manual/release-notes/rl-2103.xml
+++ b/nixos/doc/manual/release-notes/rl-2103.xml
@@ -264,6 +264,19 @@
<literal>unbound-control</literal> without passing a custom configuration location.
</para>
</listitem>
+ <listitem>
+ <para>
+ NixOS now defaults to the unified cgroup hierarchy (cgroupsv2).
+ See the <link xlink:href="https://www.redhat.com/sysadmin/fedora-31-control-group-v2">Fedora Article for 31</link>
+ for details on why this is desirable, and how it impacts containers.
+ </para>
+ <para>
+ If you want to run containers with a runtime that does not yet support cgroupsv2,
+ you can switch back to the old behaviour by setting
+ <xref linkend="opt-systemd.enableUnifiedCgroupHierarchy"/> = <literal>false</literal>;
+ and rebooting.
+ </para>
+ </listitem>
</itemizedlist>
</section>
</section>
diff --git a/nixos/modules/security/hidepid.nix b/nixos/modules/security/hidepid.nix
index 55a48ea3c9c6..4953f517e93b 100644
--- a/nixos/modules/security/hidepid.nix
+++ b/nixos/modules/security/hidepid.nix
@@ -23,5 +23,9 @@ with lib;
boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ];
systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ];
+
+ # Disable cgroupsv2, which doesn't work with hidepid.
+ # https://github.com/NixOS/nixpkgs/pull/104094#issuecomment-729996203
+ systemd.enableUnifiedCgroupHierarchy = false;
};
}
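Review bot: The new `systemd.enableUnifiedCgroupHierarchy = false;` is a plain definition, so a user who explicitly sets the option to `true` together with hidepid gets a generic "conflicting definition values" evaluation error instead of the reason given in the comment, and docker.nix now defines the same value in the same way. If the incompatibility is meant to be a hard stop, make the message carry the reason: change the line to `systemd.enableUnifiedCgroupHierarchy = mkDefault false;` and add an `assertions` entry that fails when `config.systemd.enableUnifiedCgroupHierarchy` is true, with a message naming hidepid and the linked PR comment. Since this silently changes the boot-time cgroup layout of every system enabling the hardening option, the interaction should also be mentioned in the description of the enabling option, which is defined outside this hunk. The enclosing `config` attribute set starts outside the hunk.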
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index c22264b3e92d..cbf9e7b49d36 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -550,6 +550,14 @@ in
'';
};
+ systemd.enableUnifiedCgroupHierarchy = mkOption {
+ default = true;
+ type = types.bool;
+ description = ''
+ Whether to enable the unified cgroup hierarchy (cgroupsv2).
+ '';
+ };
+
systemd.coredump.enable = mkOption {
default = true;
type = types.bool;
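Review bot: The description of the new `systemd.enableUnifiedCgroupHierarchy` option does not say how it takes effect or what the alternative is, which matters because the second hunk implements it as a kernel parameter. I would extend the description to: `Whether to enable the unified cgroup hierarchy (cgroupsv2). Setting this to false boots systemd in the previous hybrid layout via a kernel parameter, so the change only takes effect after a reboot, not on nixos-rebuild switch. Some modules (e.g. hidepid, docker) disable it for compatibility.` The claim about the hybrid layout follows from the `systemd.unified_cgroup_hierarchy=0` parameter added below and the old `-Ddefault-hierarchy=hybrid` setting; worth confirming against the systemd version packaged. The enclosing `options` set starts outside the hunk.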
@@ -1178,6 +1186,7 @@ in
boot.kernel.sysctl = mkIf (!cfg.coredump.enable) {
"kernel.core_pattern" = "core";
};
+ boot.kernelParams = optional (!cfg.enableUnifiedCgroupHierarchy) "systemd.unified_cgroup_hierarchy=0";
};
# FIXME: Remove these eventually.
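Review bot: When the option is true (the default), the added `boot.kernelParams` line emits nothing and the unified hierarchy is then only an effect of the compile-time `-Ddefault-hierarchy=unified` in the systemd package, so a user who points `systemd.package` at a build with a different default gets the option reported as enabled without it being in effect. Making the option authoritative in both directions is a one-line change: `boot.kernelParams = [ "systemd.unified_cgroup_hierarchy=${if cfg.enableUnifiedCgroupHierarchy then "1" else "0"}" ];`. A short comment that the parameter is only read at boot would also help, since nothing here triggers a reboot. The enclosing `mkMerge`/`config` block starts and ends outside the hunk.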
diff --git a/nixos/modules/virtualisation/docker.nix b/nixos/modules/virtualisation/docker.nix
index d87ada35a0ae..ec257801b330 100644
--- a/nixos/modules/virtualisation/docker.nix
+++ b/nixos/modules/virtualisation/docker.nix
@@ -155,6 +155,9 @@ in
users.groups.docker.gid = config.ids.gids.docker;
systemd.packages = [ cfg.package ];
+ # TODO: remove once docker 20.10 is released
+ systemd.enableUnifiedCgroupHierarchy = false;
+
systemd.services.docker = {
wantedBy = optional cfg.enableOnBoot "multi-user.target";
environment = proxy_env;
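Review bot: The added `systemd.enableUnifiedCgroupHierarchy = false;` is an unconditional plain definition, so enabling Docker flips a system-wide boot-time setting and any user who already runs a cgroupsv2-capable runtime and sets the option to `true` gets a conflicting-definitions error rather than being able to opt in. Use `systemd.enableUnifiedCgroupHierarchy = mkDefault false;` so the module supplies a compatibility default that the user can override, and consider gating the definition on `cfg.package.version` once the version that supports cgroupsv2 is known, which also gives the TODO a concrete removal condition. Whether this sits under a `mkIf cfg.enable` guard is not visible in the hunk; the enclosing `config` set starts outside it.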
diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix
index 85c78ce1421b..084ac1da9af0 100644
--- a/pkgs/os-specific/linux/systemd/default.nix
+++ b/pkgs/os-specific/linux/systemd/default.nix
@@ -281,9 +281,9 @@ stdenv.mkDerivation {
"-Dmount-path=${utillinux}/bin/mount"
"-Dumount-path=${utillinux}/bin/umount"
"-Dcreate-log-dirs=false"
- # Upstream uses cgroupsv2 by default. To support docker and other
- # container managers we still need v1.
- "-Ddefault-hierarchy=hybrid"
+
+ # Use cgroupsv2. This is already the upstream default, but better be explicit.
+ "-Ddefault-hierarchy=unified"
# Upstream defaulted to disable manpages since they optimize for the much
# more frequent development builds
"-Dman=true"
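Review bot: The replaced comment dropped the rationale that the old hybrid default existed for container runtimes, and the new one does not say where that compatibility concern moved, so a reader of this file cannot tell how Docker keeps working with a unified build. I would extend the comment to `# Use cgroupsv2. This is already the upstream default, but better be explicit. Compatibility with runtimes that need v1 is handled in NixOS via systemd.enableUnifiedCgroupHierarchy (a boot-time kernel parameter), not here.` The surrounding mesonFlags list starts and ends outside the hunk.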