Starting with Ubuntu 21.10, cgroups v2 (the unified hierarchy) is the default. Some software still expects the cgroups v1 layout, for example older Kubernetes releases and some vulhub lab environments, and fails to start on a v2 host. To switch from cgroups v2 back to cgroups v1, change the kernel command line that GRUB passes at boot.
Below is the log produced when the vulhub "docker daemon API unauthorized access" environment starts on such a host. The environment runs its own, older dockerd (one that still bundles docker-containerd, as the log shows), and that daemon is what fails:
WARNING: the "devices" cgroup should be in its own hierarchy.
WARNING: it looks like the "devices" cgroup is not mounted.
WARN[2024-10-05T15:09:55.408843886Z] could not change group /var/run/docker.sock to docker: group docker not found
WARN[2024-10-05T15:09:55.408984854Z] [!] DON'T BIND ON ANY IP ADDRESS WITHOUT setting --tlsverify IF YOU DON'T KNOW WHAT YOU'RE DOING [!]
INFO[2024-10-05T15:09:55.409797972Z] libcontainerd: started new docker-containerd process pid=48
INFO[0000] starting containerd module=containerd revision=cfd04396dc68220d1cecbe686a6cc3aa5ce3667c version=v1.0.2
INFO[0000] loading plugin "io.containerd.content.v1.content"... module=containerd type=io.containerd.content.v1
INFO[0000] loading plugin "io.containerd.snapshotter.v1.btrfs"... module=containerd type=io.containerd.snapshotter.v1
WARN[0000] failed to load plugin io.containerd.snapshotter.v1.btrfs error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.btrfs must be a btrfs filesystem to be used with the btrfs snapshotter" module=containerd
INFO[0000] loading plugin "io.containerd.snapshotter.v1.overlayfs"... module=containerd type=io.containerd.snapshotter.v1
INFO[0000] loading plugin "io.containerd.metadata.v1.bolt"... module=containerd type=io.containerd.metadata.v1
WARN[0000] could not use snapshotter btrfs in metadata plugin error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.btrfs must be a btrfs filesystem to be used with the btrfs snapshotter" module="containerd/io.containerd.metadata.v1.bolt"
INFO[0000] loading plugin "io.containerd.differ.v1.walking"... module=containerd type=io.containerd.differ.v1
INFO[0000] loading plugin "io.containerd.gc.v1.scheduler"... module=containerd type=io.containerd.gc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.containers"... module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.content"... module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.diff"... module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.events"... module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.healthcheck"... module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.images"... module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.leases"... module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.namespaces"... module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.snapshots"... module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.monitor.v1.cgroups"... module=containerd type=io.containerd.monitor.v1
INFO[0000] loading plugin "io.containerd.runtime.v1.linux"... module=containerd type=io.containerd.runtime.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.tasks"... module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.version"... module=containerd type=io.containerd.grpc.v1
INFO[0000] loading plugin "io.containerd.grpc.v1.introspection"... module=containerd type=io.containerd.grpc.v1
INFO[0000] serving... address="/var/run/docker/containerd/docker-containerd-debug.sock" module="containerd/debug"
INFO[0000] serving... address="/var/run/docker/containerd/docker-containerd.sock" module="containerd/grpc"
INFO[0000] containerd successfully booted in 0.003339s module=containerd
INFO[2024-10-05T15:09:55.438998103Z] [graphdriver] using prior storage driver: overlay2
INFO[2024-10-05T15:09:55.458210278Z] Graph migration to content-addressability took 0.00 seconds
WARN[2024-10-05T15:09:55.458755021Z] Your kernel does not support cgroup memory limit
WARN[2024-10-05T15:09:55.458809364Z] Unable to find cpu cgroup in mounts
WARN[2024-10-05T15:09:55.458815973Z] Unable to find blkio cgroup in mounts
WARN[2024-10-05T15:09:55.458819288Z] Unable to find cpuset cgroup in mounts
WARN[2024-10-05T15:09:55.458866471Z] mountpoint for pids not found
Error starting daemon: Devices cgroup isn't mounted
Root cause: this dockerd expects the cgroups v1 layout, one mount per controller under /sys/fs/cgroup (devices, cpu, cpuset, blkio, memory, pids). On a cgroups v2 host there is a single unified cgroup2 mount instead, so every controller lookup fails (the "Unable to find ... cgroup in mounts" and "mountpoint for pids not found" warnings) and the daemon aborts on the one it treats as mandatory: "Error starting daemon: Devices cgroup isn't mounted". The earlier warnings are unrelated to the crash. The "--tlsverify" one, however, is exactly the misconfiguration this lab exists to demonstrate: the daemon API is bound to the network without authentication, so run the lab only on an isolated host or network.
The fix is as follows:
Step 1: edit the GRUB configuration file
Open a terminal and edit the GRUB defaults file:
sudo nano /etc/default/grub
Find the GRUB_CMDLINE_LINUX_DEFAULT line. By default it looks something like this:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
Add systemd.unified_cgroup_hierarchy=0 inside the quotes, so the line reads:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash systemd.unified_cgroup_hierarchy=0"
systemd.unified_cgroup_hierarchy=0 tells systemd not to mount the unified (v2) hierarchy at /sys/fs/cgroup but the per-controller v1 hierarchies instead; on a current Ubuntu this typically yields the "hybrid" layout, v1 controllers plus a cgroup2 mount at /sys/fs/cgroup/unified that only systemd itself uses. Note that GRUB_CMDLINE_LINUX_DEFAULT applies to the normal boot entries only; if you also want recovery entries to boot with cgroups v1, put the parameter in GRUB_CMDLINE_LINUX instead.
Save and exit the editor: Ctrl + X, then Y to confirm, then Enter.
Step 2: regenerate the GRUB configuration
Run the following command to regenerate the GRUB configuration (this is what actually writes the new kernel command line into /boot/grub/grub.cfg; editing /etc/default/grub alone changes nothing):
sudo update-grub
You should see output similar to the following, which indicates the GRUB configuration was regenerated (the kernel version in your output will differ):
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.15.0-xx-generic
Found initrd image: /boot/initrd.img-5.15.0-xx-generic
done
Step 3: reboot
Reboot to apply the change; the kernel command line is only read at boot:
sudo reboot
After the reboot, systemd mounts the cgroups v1 hierarchies instead of the unified v2 hierarchy.
Step 4: verify the cgroups version
After rebooting, open a terminal and check which cgroups layout is mounted:
stat -fc %T /sys/fs/cgroup/
If the output is tmpfs, the switch back to cgroups v1 succeeded: in both the legacy and hybrid layouts /sys/fs/cgroup is a tmpfs with one subdirectory per v1 controller, including /sys/fs/cgroup/devices, the one dockerd was missing. If the output is cgroup2fs, the system is still using cgroups v2; recheck that the parameter is on the kernel command line (it should appear in /proc/cmdline).
Notes:
Compatibility: newer software increasingly assumes cgroups v2 (recent container runtimes and Kubernetes releases among them), so switching a host back to cgroups v1 can break those. Prefer doing this on a dedicated lab machine or VM rather than a daily-use system.
Restoring the default: to go back to cgroups v2, remove systemd.unified_cgroup_hierarchy=0 from the GRUB configuration, run sudo update-grub again, and reboot.
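The whole procedure (steps 1 to 4) and the revert described in the notes, as an added shell helper that is not part of the original post or of vulhub: it adds or removes the parameter in a GRUB defaults file given as an argument, refusing to duplicate it, and reports the cgroup layout currently mounted. It assumes a Linux system with GNU coreutils (stat -fc) and a systemd boot, as on Ubuntu; the file path defaults to /etc/default/grub but can point at a copy for a dry run. update-grub and the reboot are deliberately left to the user.

```shell
#!/bin/sh
# Added example (not from the original post): apply or revert the
# systemd.unified_cgroup_hierarchy=0 change in a GRUB defaults file and
# report the cgroup layout in use. Assumed: Linux, GNU coreutils, systemd.

PARAM="systemd.unified_cgroup_hierarchy=0"

# Report which cgroup layout is mounted at the given root (default /sys/fs/cgroup):
# cgroup2fs -> v2 (unified), tmpfs -> v1 (legacy or hybrid), anything else -> unknown.
cgroup_version() {
    root="${1:-/sys/fs/cgroup}"
    fstype=$(stat -fc %T "$root" 2>/dev/null) || { echo unknown; return 0; }
    case "$fstype" in
        cgroup2fs) echo v2 ;;
        tmpfs)     echo v1 ;;
        *)         echo unknown ;;
    esac
}

# Print the value between the quotes of GRUB_CMDLINE_LINUX_DEFAULT in file $1.
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"
}

# Rewrite GRUB_CMDLINE_LINUX_DEFAULT in file $1 to the value $2, appending the
# line if the file lacks it. Writing through "cat >" keeps the file's inode and
# permissions. $2 holds kernel parameters only and must not contain '|'.
set_grub_cmdline() {
    f="$1"; new="$2"
    grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$f" || echo 'GRUB_CMDLINE_LINUX_DEFAULT=""' >> "$f"
    sed "s|^GRUB_CMDLINE_LINUX_DEFAULT=\".*\"\$|GRUB_CMDLINE_LINUX_DEFAULT=\"$new\"|" "$f" > "$f.tmp" \
        && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# Step 1: add PARAM once; running this twice does not duplicate it.
enable_cgroup_v1() {
    f="$1"
    current=$(grub_cmdline "$f")
    case " $current " in
        *" $PARAM "*) return 0 ;;
    esac
    set_grub_cmdline "$f" "${current:+$current }$PARAM"
}

# Revert (the "restoring the default" note): drop PARAM, keep every other token.
disable_cgroup_v1() {
    f="$1"
    new=""
    for tok in $(grub_cmdline "$f"); do
        [ "$tok" = "$PARAM" ] && continue
        new="${new:+$new }$tok"
    done
    set_grub_cmdline "$f" "$new"
}

# Step 4 check, plus the specific controller the lab's dockerd complained about.
status() {
    echo "cgroup layout: $(cgroup_version)"
    if [ -d /sys/fs/cgroup/devices ]; then
        echo "devices controller: mounted (v1 hierarchy present)"
    else
        echo "devices controller: not mounted (expected on a v2-only host)"
    fi
}

case "${1:-}" in
    status)  status ;;
    enable)  enable_cgroup_v1 "${2:-/etc/default/grub}" && echo "added $PARAM; now run: sudo update-grub && sudo reboot" ;;
    disable) disable_cgroup_v1 "${2:-/etc/default/grub}" && echo "removed $PARAM; now run: sudo update-grub && sudo reboot" ;;
    "")      : ;;   # no arguments: only define the functions (e.g. when sourced)
    *)       echo "usage: $0 status|enable|disable [grub-file]" >&2 ;;
esac
```

Rehearse on a copy first (cp /etc/default/grub /tmp/grub && sh cgroup_v1.sh enable /tmp/grub && diff /etc/default/grub /tmp/grub), then run it as root against the real file, followed by update-grub and a reboot; "status" after the reboot should report v1 and a mounted devices controller.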