
Switching Ubuntu from cgroups v2 to cgroups v1


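Starting with Ubuntu 21.10, cgroups v2 is the default. However, cgroups v2 is not compatible with some components, such as Kubernetes and certain vulhub lab environments, which leads to errors. To switch from cgroups v2 back to cgroups v1, modify the kernel boot parameters.

Below is the error log produced when starting the vulhub environment for the "Docker daemon API unauthorized access vulnerability":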

WARNING: the "devices" cgroup should be in its own hierarchy.
WARNING: it looks like the "devices" cgroup is not mounted.
WARN[2024-10-05T15:09:55.408843886Z] could not change group /var/run/docker.sock to docker: group docker not found
WARN[2024-10-05T15:09:55.408984854Z] [!] DON'T BIND ON ANY IP ADDRESS WITHOUT setting --tlsverify IF YOU DON'T KNOW WHAT YOU'RE DOING [!]
INFO[2024-10-05T15:09:55.409797972Z] libcontainerd: started new docker-containerd process pid=48
INFO[0000] starting containerd module=containerd revision=cfd04396dc68220d1cecbe686a6cc3aa5ce3667c version=v1.0.2
INFO[0000] loading plugin "io.containerd.content.v1.content"... module=containerd type=io.containerd.content.v1
INFO[0000] loading plugin "io.containerd.snapshotter.v1.btrfs"... module=containerd type=io.containerd.snapshotter.v1
WARN[0000] failed to load plugin io.containerd.snapshotter.v1.btrfs error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.btrfs must be a btrfs filesystem to be used with the btrfs snapshotter" module=containerd
INFO[0000] loading plugin "io.containerd.snapshotter.v1.overlayfs"... module=containerd type=io.containerd.snapshotter.v1
INFO[0000] loading plugin "io.containerd.metadata.v1.bolt"... module=containerd type=io.containerd.metadata.v1
WARN[0000] could not use snapshotter btrfs in metadata plugin error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.btrfs must be a btrfs filesystem to be used with the btrfs snapshotter" module="containerd/io.containerd.metadata.v1.bolt"
INFO[0000] loading plugin "io.containerd.differ.v1.walking"... module=containerd type=io.containerd.differ.v1
INFO[0000] loading plugin "io.containerd.gc.v1.scheduler"... module=containerd type=io.containerd.gc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.containers"... module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.content"... module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.diff"... module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.events"... module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.healthcheck"... module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.images"... module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.leases"... module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.namespaces"... module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.snapshots"... module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.monitor.v1.cgroups"... module=containerd type=io.containerd.monitor.v1
INFO[0000] loading plugin "io.containerd.runtime.v1.linux"... module=containerd type=io.containerd.runtime.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.tasks"... module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.version"... module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.introspection"... module=containerd type=io.containerd.grpc.v1
INFO[0000] serving... address="/var/run/docker/containerd/docker-containerd-debug.sock" module="containerd/debug"
INFO[0000] serving... address="/var/run/docker/containerd/docker-containerd.sock" module="containerd/grpc"
INFO[0000] containerd successfully booted in 0.003339s module=containerd
INFO[2024-10-05T15:09:55.438998103Z] [graphdriver] using prior storage driver: overlay2
INFO[2024-10-05T15:09:55.458210278Z] Graph migration to content-addressability took 0.00 seconds
WARN[2024-10-05T15:09:55.458755021Z] Your kernel does not support cgroup memory limit
WARN[2024-10-05T15:09:55.458809364Z] Unable to find cpu cgroup in mounts
WARN[2024-10-05T15:09:55.458815973Z] Unable to find blkio cgroup in mounts
WARN[2024-10-05T15:09:55.458819288Z] Unable to find cpuset cgroup in mounts
WARN[2024-10-05T15:09:55.458866471Z] mountpoint for pids not found
Error starting daemon: Devices cgroup isn't mounted

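Root cause: cgroup v1 and cgroup v2 use different directory layouts, so dockerd cannot find the cgroup directories it expects and fails to start.

To make the change:

Step 1: Edit the GRUB configuration file

Open a terminal and edit the GRUB configuration file with the following command: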

sudo nano /etc/default/grub

Find the GRUB_CMDLINE_LINUX_DEFAULT line. By default it may look like this:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"

Add systemd.unified_cgroup_hierarchy=0 inside the quotes, so that the line reads:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash systemd.unified_cgroup_hierarchy=0"

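systemd.unified_cgroup_hierarchy=0 disables cgroups v2 and enables cgroups v1.

Save and exit the editor: press Ctrl + X, then Y to confirm saving, then Enter to exit.

Step 2: Update the GRUB configuration

Run the following command to update the GRUB configuration: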

sudo update-grub

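You will see output similar to the following, which indicates that the GRUB configuration was updated successfully:

Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.15.0-xx-generic
Found initrd image: /boot/initrd.img-5.15.0-xx-generic
done

Step 3: Reboot the system

Reboot the system to apply the change: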

sudo reboot

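After the reboot, the kernel will use cgroups v1.

Step 4: Verify the cgroups version

After the reboot, open a terminal and run the following command to check which cgroups version is in use: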

stat -fc %T /sys/fs/cgroup/

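If the output is tmpfs, the switch back to cgroups v1 succeeded. If the output is cgroup2fs, the system is still using cgroups v2.

Notes:

Compatibility: some newer applications may depend on cgroups v2, and switching back to cgroups v1 may stop them from working properly.

Restoring the default: to go back to cgroups v2, remove systemd.unified_cgroup_hierarchy=0 from the GRUB configuration, then update GRUB and reboot the system.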
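
The GRUB edit from step 1, the check from step 4 and the revert described in the notes, written as one idempotent script. This is an added example, not part of the original article: the function names set_hierarchy and classify_fstype are hypothetical, and the demo at the end runs on a constructed temporary file rather than the real /etc/default/grub.

```sh
#!/bin/sh
# Added example: helper names are hypothetical, sample file is constructed.
KEY='systemd.unified_cgroup_hierarchy'

# set_hierarchy FILE VALUE: rewrite GRUB_CMDLINE_LINUX_DEFAULT so that it holds
# exactly one KEY=VALUE token (an empty VALUE removes the token, i.e. the
# revert to cgroups v2). Saves FILE.bak first; returns 1 if the line is absent.
set_hierarchy() {
    file=$1 value=$2
    grep -q '^GRUB_CMDLINE_LINUX_DEFAULT="' "$file" || return 1
    cp -p "$file" "$file.bak"
    awk -v key="$KEY" -v val="$value" '
        /^GRUB_CMDLINE_LINUX_DEFAULT="/ {
            line = $0
            sub(/^GRUB_CMDLINE_LINUX_DEFAULT="/, "", line)
            sub(/"[ \t]*$/, "", line)
            n = split(line, tok, /[ \t]+/)
            out = ""
            for (i = 1; i <= n; i++) {
                # skip empty fields and any earlier setting of the same key
                if (tok[i] == "" || index(tok[i], key "=") == 1) continue
                out = out (out == "" ? "" : " ") tok[i]
            }
            if (val != "") out = out (out == "" ? "" : " ") key "=" val
            print "GRUB_CMDLINE_LINUX_DEFAULT=\"" out "\""
            next
        }
        { print }
    ' "$file.bak" > "$file"
}

# classify_fstype TYPE: interpret the output of `stat -fc %T /sys/fs/cgroup/`.
classify_fstype() {
    case $1 in
        tmpfs)     echo v1 ;;
        cgroup2fs) echo v2 ;;
        *)         echo unknown ;;
    esac
}

# Demo on a constructed copy, not the real /etc/default/grub.
demo=$(mktemp)
printf '%s\n' 'GRUB_DEFAULT=0' 'GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"' > "$demo"
set_hierarchy "$demo" 0 && grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$demo"
rm -f "$demo" "$demo.bak"
```

To apply it for real, run set_hierarchy /etc/default/grub 0 as root, then continue with sudo update-grub and sudo reboot as in steps 2 and 3. Passing an empty value instead of 0 removes the parameter again.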
