Text file src/github.com/opencontainers/runc/docs/cgroup-v2.md

# cgroup v2

runc fully supports cgroup v2 (unified mode) since v1.0.0-rc93.

To use cgroup v2, you might need to change the configuration of the host init system.
Fedora (>= 31) uses cgroup v2 by default and no extra configuration is required.
On other systemd-based distros, cgroup v2 can be enabled by adding `systemd.unified_cgroup_hierarchy=1` to the kernel cmdline.

## Am I using cgroup v2?

Yes if `/sys/fs/cgroup/cgroup.controllers` is present.

## Host Requirements
### Kernel
* Recommended version: 5.2 or later
* Minimum version: 4.15

Kernels older than 5.2 are not recommended because they lack freezer support.

Notably, kernels older than 4.15 MUST NOT be used (unless you are running containers with user namespaces), as they lack support for controlling device permissions.

### Systemd
On cgroup v2 hosts, it is highly recommended to run runc with the systemd cgroup driver (`runc --systemd-cgroup`), though this is not mandatory.

The recommended systemd version is 244 or later. Older systemd versions do not support delegation of the `cpuset` controller.

Make sure you also have the `dbus-user-session` (Debian/Ubuntu) or `dbus-daemon` (CentOS/Fedora) package installed, and that `dbus` is running. On Debian-flavored distros, this can be accomplished like so:

```console
$ sudo apt install -y dbus-user-session
$ systemctl --user start dbus
```

## Rootless
On cgroup v2 hosts, rootless runc can ask systemd to delegate cgroup permissions to it.

```console
$ runc spec --rootless
$ jq '.linux.cgroupsPath="user.slice:runc:foo"' config.json | sponge config.json
$ runc --systemd-cgroup run foo
```

The container processes are placed in a cgroup such as `/user.slice/user-$(id -u).slice/user@$(id -u).service/user.slice/runc-foo.scope`.

### Configuring delegation
Typically, only the `memory` and `pids` controllers are delegated to non-root users by default.

```console
$ cat /sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.controllers
memory pids
```

To allow delegation of other controllers, you need to change the systemd configuration as follows:

```console
# mkdir -p /etc/systemd/system/user@.service.d
# cat > /etc/systemd/system/user@.service.d/delegate.conf << EOF
[Service]
Delegate=cpu cpuset io memory pids
EOF
# systemctl daemon-reload
```
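The kernel thresholds and the delegation check above can be turned into a small preflight script. The following is an added example, not part of runc or its documentation; the function names, the `--live` switch and the `user@$(id -u).service` path it inspects are this example's own choices, and the constructed inputs in the comments stand in for real `cgroup.controllers` contents.

```sh
#!/bin/sh
# Added example (not from runc's docs): preflight checks for rootless runc on a
# cgroup v2 host, using the 4.15 / 5.2 kernel thresholds and the controller set
# cpu cpuset io memory pids from the text above.

# kernel_status VERSION -> "unsupported" (< 4.15), "no-freezer" (< 5.2) or "ok".
# Accepts `uname -r` output such as 5.15.0-91-generic or 6.1.0-rc1.
kernel_status() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}   # drop suffixes like "-rc1" before arithmetic
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 15 ]; }; then
        echo unsupported
    elif [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 2 ]; }; then
        echo no-freezer
    else
        echo ok
    fi
}

# missing_controllers "CONTENT_OF_cgroup.controllers" WANTED... -> prints the
# wanted controllers absent from the delegated set, e.g. for constructed content
# "memory pids" and the full set it prints "cpu cpuset io".
missing_controllers() {
    have=" $(printf '%s' "$1" | tr '\n' ' ') "   # pad so tokens match whole words
    shift
    missing=""
    for want in "$@"; do
        case "$have" in
            *" $want "*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# host_report: run both checks against this machine.
host_report() {
    if [ ! -f /sys/fs/cgroup/cgroup.controllers ]; then
        echo "cgroup v2 is not in use (no /sys/fs/cgroup/cgroup.controllers)"
        return 1
    fi
    echo "kernel $(uname -r): $(kernel_status "$(uname -r)")"
    slice="/sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service"
    if [ -r "$slice/cgroup.controllers" ]; then
        echo "not delegated: $(missing_controllers "$(cat "$slice/cgroup.controllers")" cpu cpuset io memory pids)"
    else
        echo "no user@$(id -u).service cgroup; is the systemd user session (dbus) running?"
    fi
}
# Only read the real host when asked, so the functions can be exercised with constructed data.
[ "${1:-}" = "--live" ] && host_report
```

Run it as `sh cgroup-v2-check.sh --live` on the host; an empty "not delegated" list means the `Delegate=` line above has taken effect for your user session.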