On several of my systems with Ubuntu 22.04, /sys/fs/cgroup
is mounted like this:
$ mount|grep cgroup
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime)
On other systems it looks like this:
$ mount|grep cgroup
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
I am wondering what causes the missing nsdelegate mount option (and memory_recursiveprot) on some systems and how to re-add it.
This option is available since Linux 4.something and used by systemd automatically since systemd 235. Ubuntu 22.04 of course uses versions that are much newer, so AFAIK this option should automatically be used. And if I search for it on askubuntu, I also get posts from users with 22.04 that have this option enabled. So I believe having it should be the default, and something disables it on some of my systems, but I do not know what.
Of the systems that have it and those that have not, both are server VMs (no GUI) booted from the official Ubuntu cloud image. Both use the Ubuntu kernel 5.15.0-79-generic and systemd 249.11-0ubuntu3.9. Neither of the systems has container software such as Docker or Podman installed.
I never explicitly configured anything in this regard, and I do have the standard cgroup setup with the unified hierarchy (cgroupsv2 only, no legacy or hybrid) as can be seen from the mount output. I tried grepping for cgroup2 and nsdelegate in /etc but did not find anything except /etc/mtab. The kernel command line is BOOT_IMAGE=/boot/vmlinuz-5.15.0-79-generic root=UUID=b7781a48-a7ce-4094-b5a6-00bf8cb6803d ro console=tty1 console=ttyS0.
My current assumption is that systemd mounts cgroup2 normally with nsdelegate, and then some other software remounts it without. This has to happen already during boot, as the option is missing immediately on the first login. But how to find out more?