Documentation for CGroup toggle in toolkit/docs/formats/imageconfig.md to generate Mariner images with cgroupv2 (#4908)

Adit Jha 2023-02-23 10:49:13 -08:00 committed by GitHub
parent d4fb9144a8
commit 6e9502545b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 0 deletions


@ -337,6 +337,10 @@ The Security Enhanced Linux (SELinux) feature is enabled by using the `SELinux`
This will instruct init (systemd) to set the configured mode on boot. The `force_enforcing` option will set enforcing in the config and also add `enforcing=1` in the kernel command line,
which is a higher precedent than the config file. This ensures SELinux boots in enforcing even if the /etc/selinux/config was altered.
The version for CGroup in Mariner images can be enabled by using the `CGroup` key with value containing which version to use on boot. The value that can be chosen is either `version_one` or `version_two`.
The `version_two` value will set the cgroupv2 to be used in Mariner by setting the config value `systemd.unified_cgroup_hierarchy=1` in the default kernel command line. The value `version_one` or no value set will keep cgroupv1 (current default) to be enabled on boot.
For more information about cgroups with Kubernetes, see [About cgroupv2](https://kubernetes.io/docs/concepts/architecture/cgroups/).
A sample KernelCommandLine enabling a basic IMA mode and passing two additional parameters:
``` json
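Review bot: the `version_one` branch of the new paragraph is under-specified ("The value `version_one` or no value set will keep cgroupv1"): it should state whether `version_one` emits `systemd.unified_cgroup_hierarchy=0` on the command line or emits nothing and relies on the image default, because those behave differently if a later command-line addition or a newer systemd changes the default. Also, `systemd.unified_cgroup_hierarchy=1` is a kernel command-line parameter consumed by systemd rather than a "config value", so suggest: "The `version_two` value appends `systemd.unified_cgroup_hierarchy=1` to the kernel command line, which makes systemd mount the unified cgroup v2 hierarchy on boot." One sentence noting that the container runtime and agents installed in the image must themselves support cgroup v2 before this is flipped would help, since the Kubernetes link only covers the kubelet side.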
@ -354,6 +358,14 @@ A sample KernelCommandLine enabling SELinux and booting in enforcing mode:
},
```
A sample KernelCommandLine enabling CGroup and booting with cgroupv2 enabled:
``` json
"KernelCommandLine": {
"CGroup": "version_two"
},
```
### HidepidDisabled
An optional flag that removes the `hidepid` option from `/proc`. `Hidepid` prevents proc IDs from being visible to all users. Set this flag if mounting `/proc` in postinstall scripts to ensure the mount options are set correctly.
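Review bot: the sample's lead-in "enabling CGroup and booting with cgroupv2 enabled" is redundant and misleading, since cgroups are always enabled and the `CGroup` key only selects the version; suggest "A sample KernelCommandLine selecting cgroupv2:". The JSON fragment itself matches the neighbouring SELinux sample (same trailing `},`), which is fine; consider adding next to it what the resulting kernel command line contains (`systemd.unified_cgroup_hierarchy=1`) so a reader can verify a built image with `cat /proc/cmdline` or `stat -fc %T /sys/fs/cgroup`, which prints `cgroup2fs` on a v2 boot.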