feat: enable cgroup v2 by default for all installers (PE-8520) #608
Merged
Kubernetes 1.35 (k3s v1.35.2+k3s1) enforces a hard validation that
refuses to start kubelet on hosts running cgroup v1. This caused
edge clusters to enter a permanent crash-restart loop on upgrade
(PE-8520).
Add systemd.unified_cgroup_hierarchy=1 to the kernel cmdline in
three places:
- Earthfile: unconditionally patch /etc/cos/bootargs.cfg during image
build so all installed/running OS images boot with cgroup v2. This
covers the grubmenu.cfg boot entries (kairos.reset, registration)
which inherit from ${extra_cmdline}.
- overlay/files-iso/boot/grub2/grub.cfg: add the parameter to all
three installer menu entries so the live installer environment also
runs under cgroup v2.
- Dockerfile: activate the previously-commented cgroup v2 sed line
for custom image builds via the Dockerfile path.
cgroup v2 has been GA since Kubernetes 1.25 and is safe for all
supported k8s versions in CanvOS (>= 1.28). Kubernetes 1.31 deprecated
cgroup v1; 1.35 makes it a hard failure.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pull request overview
This PR ensures CanvOS installer media and built images boot with cgroup v2 (unified hierarchy) enabled by default, addressing Kubernetes 1.35+ kubelet behavior that refuses to start on cgroup v1 hosts.
Changes:
- Add `systemd.unified_cgroup_hierarchy=1` to all ISO installer GRUB menu entries.
- Inject `systemd.unified_cgroup_hierarchy=1` into `/etc/cos/bootargs.cfg` during Earthly base image builds.
- Enable the same bootargs injection in the Dockerfile path with an idempotency guard.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| `overlay/files-iso/boot/grub2/grub.cfg` | Adds the unified cgroup hierarchy kernel parameter to all ISO installer boot entries. |
| `Earthfile` | Ensures generated images have the unified cgroup hierarchy parameter added to bootargs.cfg. |
| `Dockerfile` | Enables cgroup v2 injection for Dockerfile-based builds with an idempotent check. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
akhilesh2410 approved these changes on May 22, 2026
Summary
Kubernetes 1.35 enforces a hard kubelet validation that refuses to start on cgroup v1 hosts. This caused edge clusters running k3s v1.35.2+k3s1 to enter a permanent crash-restart loop on upgrade.

Root cause: OS images (e.g. SLE Micro 5.4 / Kairos v4.0.3) boot in cgroup v1 hybrid mode because `systemd.unified_cgroup_hierarchy=1` was not set in the kernel cmdline.

Fix: Add `systemd.unified_cgroup_hierarchy=1` unconditionally to all installer paths:
- `Earthfile` — patches `/etc/cos/bootargs.cfg` during image build, so all installed OS images boot with cgroup v2. Covers all `grubmenu.cfg` entries (`kairos.reset`, `stylus.registration`) which inherit from `${extra_cmdline}`.
- `overlay/files-iso/boot/grub2/grub.cfg` — adds the parameter to all 3 ISO installer menu entries (default, manual, interactive), so the live installer environment also runs under cgroup v2.
- `Dockerfile` — activates the previously-commented cgroup v2 sed line for custom image builds using the Dockerfile path directly.

Backward compatibility: cgroup v2 went GA in Kubernetes 1.25. This change is safe for all k8s versions supported in CanvOS (≥ 1.28). Kubernetes 1.31 deprecated cgroup v1; 1.35 makes it a hard failure.

Changed Files
- `Earthfile`: `systemd.unified_cgroup_hierarchy=1` into `bootargs.cfg` post-build
- `overlay/files-iso/boot/grub2/grub.cfg`
- `Dockerfile`

Test plan
- `/proc/cmdline` on the installed OS contains `systemd.unified_cgroup_hierarchy=1`
- `stat -fc %T /sys/fs/cgroup` returns `cgroup2fs` (not `tmpfs`) after install
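
The two test-plan checks above, combined into a preflight script that can gate an upgrade to Kubernetes 1.35. This is an added example, not part of the PR or the CanvOS code base; the function names and sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: preflight for the two test-plan checks. Function names are
# illustrative and are not part of CanvOS, Kairos or k3s.

CGROUP_V2_ARG="systemd.unified_cgroup_hierarchy=1"

# Succeeds only if the exact argument is a whole space-delimited token of the
# cmdline, so "...hierarchy=0" or "...hierarchy=10" do not count as a match.
cmdline_has_cgroup_v2() {
    case " $1 " in
        *" $CGROUP_V2_ARG "*) return 0 ;;
    esac
    return 1
}

# Maps the filesystem type reported for /sys/fs/cgroup to a cgroup mode.
classify_cgroup_fs() {
    case "$1" in
        cgroup2fs) echo "v2" ;;
        tmpfs)     echo "v1-or-hybrid" ;;
        *)         echo "unknown" ;;
    esac
}

# preflight <cmdline> <fstype>: prints a verdict; returns 0 only when both
# test-plan conditions hold.
preflight() {
    mode=$(classify_cgroup_fs "$2")
    if cmdline_has_cgroup_v2 "$1" && [ "$mode" = "v2" ]; then
        echo "PASS: cmdline sets $CGROUP_V2_ARG and /sys/fs/cgroup is cgroup2fs"
        return 0
    fi
    cmdline_has_cgroup_v2 "$1" || echo "FAIL: $CGROUP_V2_ARG missing from kernel cmdline"
    [ "$mode" = "v2" ] || echo "FAIL: /sys/fs/cgroup is '$2' ($mode), expected cgroup2fs"
    return 1
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_V1_CMDLINE="BOOT_IMAGE=/boot/vmlinuz console=tty1 rd.neednet=0"
SAMPLE_V2_CMDLINE="$SAMPLE_V1_CMDLINE $CGROUP_V2_ARG"

# On a real host, run with --live to read the running system's values.
if [ "${1:-}" = "--live" ]; then
    preflight "$(cat /proc/cmdline)" "$(stat -fc %T /sys/fs/cgroup)"
fi
```

A non-zero exit from `preflight` means the host would still boot under cgroup v1 or hybrid mode and should not be upgraded until the image is rebuilt with the new boot arguments.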