> It's a bit unfortunate, that when you boot your system with the unified
> hierarchy, you need to explicitly configure
> "lxc.init.cmd = /sbin/init systemd.unified_cgroup_hierarchy=1" or hope
> the host systemd instance has been built with unified hierarchy as default.
> That means, once we flip the default in unstable/testing, creating and
> running a buster container will require
> "lxc.init.cmd = /sbin/init systemd.unified_cgroup_hierarchy=1"

Alternatively, we can also use "lxc.mount.auto = cgroup:rw:force".
The default is "cgroup:mixed". This trick was mentioned upstream:
https://github.com/lxc/lxc/issues/3183#issuecomment-560163709
(this GitHub issue was opened by you).

From reading the lxc.container.conf(5) man page, "cgroup:rw" seemed insecure
to me on hosts with the hybrid hierarchy. But, comparing /proc/mounts in
containers with "cgroup:rw:force" and "cgroup:mixed" on the hybrid hierarchy
on the host Linux, the effects of "cgroup:rw:force" and "cgroup:mixed" look
the same (*), while "cgroup:rw:force" is more friendly on hosts with the
unified hierarchy.

(*) Is it really correct??

One way to sort out the situation is changing the line

  lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed

to

  lxc.mount.auto = cgroup:rw:force proc:mixed sys:mixed

in /usr/share/lxc/config/common.conf. Then we almost achieve

> Would be nice if lxc could do that automatically.

We could send a wishlist bug report to the Debian lxc package,
as it still lives in experimental. We can do some experiments now...

Best regards, Ryutaroh
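
The /proc/mounts comparison described in the message above can be made repeatable with a small script. This is an added example, not part of the original message or of LXC; the sample captures are constructed and the function names are hypothetical.

```python
# Added example (not from the original message): compare the cgroup view
# recorded in two /proc/mounts captures, e.g. one per lxc.mount.auto setting.

# Constructed sample captures; NOT taken from a real container.
SAMPLE_A = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /sys/fs/cgroup tmpfs rw,nosuid,nodev,noexec,mode=755 0 0
cgroup /sys/fs/cgroup/systemd cgroup ro,nosuid,nodev,noexec,relatime,name=systemd 0 0
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
"""
SAMPLE_B = SAMPLE_A.replace("cgroup ro,", "cgroup rw,")

CGROUP_ROOT = "/sys/fs/cgroup"


def cgroup_mounts(proc_mounts_text):
    """Map each mountpoint at or below /sys/fs/cgroup to (fstype, 'ro'|'rw')."""
    mounts = {}
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or truncated lines
        mountpoint, fstype, options = fields[1], fields[2], fields[3].split(",")
        if mountpoint != CGROUP_ROOT and not mountpoint.startswith(CGROUP_ROOT + "/"):
            continue
        # A later entry on the same mountpoint shadows the earlier one,
        # so overwriting keeps the mount that is actually visible.
        mounts[mountpoint] = (fstype, "ro" if "ro" in options else "rw")
    return mounts


def diff_cgroup_mounts(text_a, text_b):
    """Return sorted (mountpoint, entry_a, entry_b) tuples where the two differ."""
    a, b = cgroup_mounts(text_a), cgroup_mounts(text_b)
    return [(mp, a.get(mp), b.get(mp))
            for mp in sorted(set(a) | set(b)) if a.get(mp) != b.get(mp)]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # two capture files given on the command line
        with open(sys.argv[1]) as fa, open(sys.argv[2]) as fb:
            text_a, text_b = fa.read(), fb.read()
    else:
        text_a, text_b = SAMPLE_A, SAMPLE_B
    for mp, ea, eb in diff_cgroup_mounts(text_a, text_b):
        print(f"{mp}: {ea} -> {eb}")
```

An empty diff only shows that mountpoints, filesystem types and read-only flags match. /proc/self/mountinfo additionally records the root of each bind mount, which /proc/mounts omits.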

