Documentation for CGroup toggle in toolkit/docs/formats/imageconfig.m…
…d to generate Mariner images with cgroupv2 (microsoft#4908)
aditjha-msft authored Feb 23, 2023
1 parent d4fb914 commit 6e95025
Showing 1 changed file with 12 additions and 0 deletions.
12 changes: 12 additions & 0 deletions toolkit/docs/formats/imageconfig.md
@@ -337,6 +337,10 @@ The Security Enhanced Linux (SELinux) feature is enabled by using the `SELinux`
This will instruct init (systemd) to set the configured mode on boot. The `force_enforcing` option will set enforcing in the config and also add `enforcing=1` in the kernel command line,
which is a higher precedent than the config file. This ensures SELinux boots in enforcing even if the /etc/selinux/config was altered.

The version for CGroup in Mariner images can be enabled by using the `CGroup` key with value containing which version to use on boot. The value that can be chosen is either `version_one` or `version_two`.
The `version_two` value will set the cgroupv2 to be used in Mariner by setting the config value `systemd.unified_cgroup_hierarchy=1` in the default kernel command line. The value `version_one` or no value set will keep cgroupv1 (current default) to be enabled on boot.
For more information about cgroups with Kubernetes, see [About cgroupv2](https://kubernetes.io/docs/concepts/architecture/cgroups/).

A sample KernelCommandLine enabling a basic IMA mode and passing two additional parameters:

``` json
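Review bot: the default-behaviour sentence in this hunk is ambiguous where it says `version_one` or no value "will keep cgroupv1 (current default) to be enabled on boot": it does not say whether `version_one` writes an explicit `systemd.unified_cgroup_hierarchy=0` to the kernel command line or simply adds nothing, and someone auditing the command line of a built image needs to know which. Suggest stating it plainly, e.g. "`version_one`, or omitting the key, adds nothing to the command line and leaves cgroupv1 (the current default) in use." The opening sentence also reads awkwardly ("with value containing which version to use on boot"); "Valid values are `version_one` and `version_two`." is clearer.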
@@ -354,6 +358,14 @@ A sample KernelCommandLine enabling SELinux and booting in enforcing mode:
},
```

A sample KernelCommandLine enabling CGroup and booting with cgroupv2 enabled:

``` json
"KernelCommandLine": {
"CGroup": "version_two"
},
```

### HidepidDisabled

An optional flag that removes the `hidepid` option from `/proc`. `Hidepid` prevents proc IDs from being visible to all users. Set this flag if mounting `/proc` in postinstall scripts to ensure the mount options are set correctly.
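Review bot: the sample's caption "enabling CGroup and booting with cgroupv2 enabled" is misleading, since cgroups are always present and the key only selects the version; suggest "selecting cgroupv2". It would also help to show the resulting kernel parameter directly under the sample (`systemd.unified_cgroup_hierarchy=1`, as the prose in the previous hunk states) so a reader can verify the built image's command line matches the config.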
