Unverified Commit cd90d5e2 authored by Arian van Putten's avatar Arian van Putten Committed by GitHub

Merge pull request #331248 from arianvp/systemd-unified-only

Remove support for legacy cgroup hierarchy
parents 4cb20719 85e4fc50
+5 −0
@@ -96,6 +96,11 @@

- `nginx` package no longer includes `gd` and `geoip` dependencies. For enabling it, override `nginx` package with the optionals `withImageFilter` and `withGeoIP`.

- `systemd.enableUnifiedCgroupHierarchy` option has been removed.
  In systemd 256 support for cgroup v1 ('legacy' and 'hybrid' hierarchies) is now considered obsolete and systemd by default will refuse to boot under it.
  To forcibly reenable cgroup v1 support, you can `set boot.kernelParams = [ "systemd.unified_cgroup_hierachy=0" "SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1" ]`.
  NixOS does not officially support this configuration and might cause your system to be unbootable in future versions. You are on your own.

- `openssh` and `openssh_hpn` are now compiled without Kerberos 5 / GSSAPI support in an effort to reduce the attack surface of the components for the majority of users. Users needing this support can
  use the new `opensshWithKerberos` and `openssh_hpnWithKerberos` flavors (e.g. `programs.ssh.package = pkgs.openssh_gssapi`).

+1 −8
@@ -59,14 +59,7 @@ in
        '';
      })
      (builtins.filter builtins.isInt cfg.users)
    ) ++ [
      {
        assertion = config.systemd.enableUnifiedCgroupHierarchy == true;
        message = ''
          The BenchExec module `${opt.enable}` only supports control groups 2 (`${options.systemd.enableUnifiedCgroupHierarchy} = true`).
        '';
      }
    ];
    );

    environment.systemPackages = [ cfg.package ];

+1 −3
@@ -116,7 +116,7 @@ in
      } // (if ((lib.getName cfg.package) == (lib.getName pkgs.ananicy-cpp)) then {
        # https://gitlab.com/ananicy-cpp/ananicy-cpp/-/blob/master/src/config.cpp#L12
        loglevel = mkOD "warn"; # default is info but its spammy
        cgroup_realtime_workaround = mkOD config.systemd.enableUnifiedCgroupHierarchy;
        cgroup_realtime_workaround = true;
        log_applied_rule = mkOD false;
      } else {
        # https://github.com/Nefelim4ag/Ananicy/blob/master/ananicy.d/ananicy.conf
@@ -125,8 +125,6 @@ in
      });

    systemd = {
      # https://gitlab.com/ananicy-cpp/ananicy-cpp/#cgroups applies to both ananicy and -cpp
      enableUnifiedCgroupHierarchy = mkDefault false;
      packages = [ cfg.package ];
      services."${servicename}" = {
        wantedBy = [ "default.target" ];
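Review bot: The replacement `cgroup_realtime_workaround = true;` in the first hunk drops the `mkOD` wrapper that its neighbours `loglevel` and `log_applied_rule` keep, so unlike them this key presumably stops being an overridable default and a user override would hit a priority conflict rather than win; `cgroup_realtime_workaround = mkOD true;` keeps the three lines consistent. In the second hunk the comment `# https://gitlab.com/ananicy-cpp/ananicy-cpp/#cgroups applies to both ananicy and -cpp` now sits above `packages = [ cfg.package ];` with the line it explained removed; either delete it or move it next to `cgroup_realtime_workaround`, where the cgroup-related behaviour is now decided.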
+5 −14
@@ -341,14 +341,6 @@ in
      '';
    };

    enableUnifiedCgroupHierarchy = mkOption {
      default = true;
      type = types.bool;
      description = ''
        Whether to enable the unified cgroup hierarchy (cgroupsv2); see {manpage}`cgroups(7)`.
      '';
    };

    extraConfig = mkOption {
      default = "";
      type = types.lines;
@@ -694,12 +686,6 @@ in
    # https://github.com/systemd/systemd/pull/12226
    boot.kernel.sysctl."kernel.pid_max" = mkIf pkgs.stdenv.is64bit (lib.mkDefault 4194304);

    boot.kernelParams = optional (!cfg.enableUnifiedCgroupHierarchy) "systemd.unified_cgroup_hierarchy=0";

    # Avoid potentially degraded system state due to
    # "Userspace Out-Of-Memory (OOM) Killer was skipped because of a failed condition check (ConditionControlGroupController=v2)."
    systemd.oomd.enable = mkIf (!cfg.enableUnifiedCgroupHierarchy) false;

    services.logrotate.settings = {
      "/var/log/btmp" = mapAttrs (_: mkDefault) {
        frequency = "monthly";
@@ -723,5 +709,10 @@ in
      (mkRenamedOptionModule [ "boot" "systemd" "services" ] [ "systemd" "services" ])
      (mkRenamedOptionModule [ "jobs" ] [ "systemd" "services" ])
      (mkRemovedOptionModule [ "systemd" "generator-packages" ] "Use systemd.packages instead.")
      (mkRemovedOptionModule ["systemd" "enableUnifiedCgroupHierarchy"] ''
          In 256 support for cgroup v1 ('legacy' and 'hybrid' hierarchies) is now considered obsolete and systemd by default will refuse to boot under it.
          To forcibly reenable cgroup v1 support, you can set boot.kernelParams = [ "systemd.unified_cgroup_hierachy=0" "SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1" ].
          NixOS does not officially support this configuration and might cause your system to be unbootable in future versions. You are on your own.
      '')
    ];
}
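Review bot: The kernel parameter quoted in the new `mkRemovedOptionModule` message is misspelled: `systemd.unified_cgroup_hierachy=0` should be `systemd.unified_cgroup_hierarchy=0`, the spelling the removed `boot.kernelParams = optional (!cfg.enableUnifiedCgroupHierarchy) ...` line in this same file used; an unrecognised name would presumably be ignored, so the documented escape hatch does nothing as written. The release-notes hunk repeats the same typo and should be corrected together with this one. The message also reads `In 256 support for cgroup v1` where `In systemd 256 support for cgroup v1` is meant. Separately, with `systemd.oomd.enable = mkIf (!cfg.enableUnifiedCgroupHierarchy) false;` gone, anyone who does use the escape hatch now also gets oomd enabled under cgroup v1 and runs into the failed `ConditionControlGroupController=v2` check the deleted comment describes, which is worth stating in the message or the release note.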
+1 −4
@@ -166,10 +166,6 @@ in {
      };
    };

    # TODO: remove once LXD gets proper support for cgroupsv2
    # (currently most of the e.g. CPU accounting stuff doesn't work)
    systemd.enableUnifiedCgroupHierarchy = false;

    systemd.sockets.lxd = {
      description = "LXD UNIX socket";
      wantedBy = [ "sockets.target" ];
@@ -214,6 +210,7 @@ in {
        LimitNOFILE = "1048576";
        LimitNPROC = "infinity";
        TasksMax = "infinity";
        Delegate = true; # LXD needs to manage cgroups in its subtree

        # By default, `lxd` loads configuration files from hard-coded
        # `/usr/share/lxc/config` - since this is a no-go for us, we have to
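Review bot: `Delegate = true;` hands every cgroup controller in the unit's subtree to LXD; if LXD only needs a known subset, `Delegate=` also accepts a list of controller names, which is the narrower grant and worth checking before settling on the boolean. The removed TODO said CPU accounting did not work under cgroup v2, and nothing in the new lines records what changed; a one-line comment such as `# cgroup v2 is supported since LXD <version - confirm>` next to `Delegate = true;` would tell the next reader why the old override is no longer needed. The attribute set these settings sit in starts before the hunk.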