Menu
Home Explore People Places Arts History Plants & Animals Science Life & Culture Technology
On this page
cgroups
Resource limit method in Linux

cgroups (control groups) is a Linux kernel feature that limits and isolates the resource usage of a collection of processes, such as CPU, memory, and disk I/O. Initiated by Google in 2006 as "process containers," it was renamed to avoid confusion with containers and merged into the Linux kernel mainline in 2008. Since then, additional controllers have been added for memory, firewalling, and the OOM killer. A significant update, cgroup v2, introduced a unified hierarchy to replace v1’s multiple process hierarchies and was merged in Linux kernel 4.5 in 2016.

We don't have any images related to cgroups yet.
We don't have any YouTube videos related to cgroups yet.
We don't have any PDF documents related to cgroups yet.
We don't have any Books related to cgroups yet.
We don't have any archived web articles related to cgroups yet.

Versions

There are two versions of cgroups. They can co-exist in a system.

  • The original version of cgroups was written by Paul Menage and Rohit Seth. It was merged into the mainline Linux kernel in 2007 (2.6.2). Development and maintenance of cgroups was then taken over by Tejun Heo, who instituted major redesigns without breaking the interface (see § Redesigns of v1). It was renamed "Control Group version 1" (cgroup-v1) after cgroups-v2 appeared in Linux 4.5.10
  • Tejun Heo found that further redesign of v1 could not proceed without breaking the interface. As a result, he added a separate, new system called "Control Group version 2" (cgroup-v2). Unlike v1, cgroup v2 has only a single process hierarchy (because a controller can only be assigned to one hierarchy, processes in separate hierarchies cannot be managed by the same controller; this change sidesteps the issue). It also removes the ability to discriminate between threads, choosing to work on a granularity of processes instead (disabling an "abuse" of the system which lead to convoluted APIs).11: § Issues with v1 and Rationales for v2  The first version of the unified hierarchy The document first appeared in Linux kernel 4.5 released on 14 March 2016.12

Features

One of the design goals of cgroups is to provide a unified interface to many different use cases, from controlling single processes (by using nice, for example) to full operating system-level virtualization (as provided by OpenVZ, Linux-VServer or LXC, for example). Cgroups provides:

Resource limiting groups can be set not to exceed a configured memory limit, which also includes the file system cache,1314 I/O bandwidth limit,15 CPU quota limit,16 CPU set limit,17 or maximum open files.18 Prioritization some groups may get a larger share of CPU utilization19 or disk I/O throughput20 Accounting measures a group's resource usage, which may be used, for example, for billing purposes21 Control freezing groups of processes, their checkpointing and restarting22

Use

A control group (abbreviated as cgroup) is a collection of processes that are bound by the same criteria and associated with a set of parameters or limits. These groups can be hierarchical, meaning that each group inherits limits from its parent group. The kernel provides access to multiple controllers (also called subsystems) through the cgroup interface;23 for example, the "memory" controller limits memory use, "cpuacct" accounts CPU usage, etc.

Control groups can be used in multiple ways:

  • By accessing the cgroup virtual file system manually.
  • By creating and managing groups on the fly using tools like cgcreate, cgexec, and cgclassify (from libcgroup).
  • Through the "rules engine daemon" that can automatically move processes of certain users, groups, or commands to cgroups as specified in its configuration.
  • Indirectly through other software that uses cgroups, such as Docker, Firejail, LXC,24 libvirt, systemd, Open Grid Scheduler/Grid Engine,25 and Google's developmentally defunct lmctfy.

The Linux kernel documentation contains some technical details of the setup and use of control groups version 126 and version 2.27

Interfaces

Both versions of cgroup act through a pseudo-filesystem (cgroup for v1 and cgroup2 for v2). Like all filesystems they can be mounted on any path, but the general convention is to mount one of the versions (generally v2) on /sys/fs/cgroup under the sysfs default location of /sys. As mentioned before the two cgroup versions can be active at the same time; this too applies to the filesystems so long as they are mounted to a different path.2829 For the description below we assume a setup where the v2 hierarchy lies in /sys/fs/cgroup. The v1 hierarchy, if ever required, will be mounted at a different location.

At initialization cgroup2 should have no defined control groups except the top-level one. In other words, /sys/fs/cgroup should have no directories, only a number of files that control the system as a whole. At this point, running ls /sys/fs/cgroup could list the following on one example system:

  • cgroup.controllers
  • cgroup.max.depth
  • cgroup.max.descendants
  • cgroup.pressure
  • cgroup.procs
  • cgroup.stat
  • cgroup.subtree_control
  • cgroup.threads
  • cpu.pressure
  • cpuset.cpus.effective
  • cpuset.cpus.isolated
  • cpuset.mems.effective
  • cpu.stat
  • cpu.stat.local
  • io.cost.model
  • io.cost.qos
  • io.pressure
  • io.prio.class
  • io.stat
  • irq.pressure
  • memory.numa_stat
  • memory.pressure
  • memory.reclaim
  • memory.stat
  • memory.zswap.writeback
  • misc.capacity
  • misc.current
  • misc.peak

These files are named according to the controllers that handle them. For example, cgroup.* deal with the cgroup system itself and memory.* deal with the memory subsystem. Example: to request the kernel to 1 gigabyte of memory from anywhere in the system, one can run echo "1G swappiness=50" > /sys/fs/cgroup/memory.reclaim.30

To create a subgroup, one simply creates a new directory under an existing group (including the top-level one). The files corresponding to available controls for this group are automatically created.31 For example, running mkdir /sys/fs/cgroup/example; ls /sys/fs/cgroup/example would produce a list of files largely similar to the one above, but with noticeable changes. On one example system, these files are added:

  • cgroup.events
  • cgroup.freeze
  • cgroup.kill
  • cgroup.type
  • cpu.idle
  • cpu.max
  • cpu.max.burst
  • cpu.pressure
  • cpu.uclamp.max
  • cpu.uclamp.min
  • cpu.weight
  • cpu.weight.nice
  • memory.current
  • memory.events
  • memory.events.local
  • memory.high
  • memory.low
  • memory.max
  • memory.min
  • memory.oom.group
  • memory.peak
  • memory.swap.current
  • memory.swap.events
  • memory.swap.high
  • memory.swap.max
  • memory.swap.peak
  • memory.zswap.current
  • memory.zswap.max
  • pids.current
  • pids.events
  • pids.events.local
  • pids.max
  • pids.peak

These changes are not unexpected because some controls and statistics only make sense on a subset of processes (e.g. nice level being the CPU priority of processes relative to the rest of the system).32

Processes are assigned to subgroups by writing to /proc/<PID>/cgroup. The cgroup a process is in can be found by reading the same file.33

On systems based on systemd, a hierarchy of subgroups is predefined to encapsulate every process directly and indirectly launched by systemd under a subgroup: the very basis of how systemd manages processes. An explanation of the nomenclature of these groups can be found in the Red Hat Enterprise Linux 7 manual.34 Red Hat also provides a guide on creating a systemd service file that causes a process to run in a separate cgroup.35

systemd-cgtop36 command can be used to show top control groups by their resource usage.

V1 coexistence

On a system with v2, v1 can still be mounted and given access to controllers not in use by v2. However, a modern system typically already places all controllers in use in v2, so there is no controller available for v1 at all even if a hierarchy is created. It is possible to clear all uses of a controller from v2 and hand it to v1, but moving controllers between hierarchies after the system is up and running is cumbersome and not recommended.37

Major evolutions

Redesigns of v1

Redesign of cgroups started in 2013,38 with additional changes brought by versions 3.15 and 3.16 of the Linux kernel.394041

The following changes concern the kernel before 4.5/4.6, i.e. when cgroups-v2 were added. In other words they describe how cgroups-v1 had been changed, though most of them have also been inherited into v2 (after all, v1 and v2 share the same codebase).

Namespace isolation

Main article: Linux namespaces

While not technically part of the cgroups work, a related feature of the Linux kernel is namespace isolation, where groups of processes are separated such that they cannot "see" resources in other groups. For example, a PID namespace provides a separate enumeration of process identifiers within each namespace. Also available are mount, user, UTS (Unix Time Sharing), network and SysV IPC namespaces.

  • The PID namespace provides isolation for the allocation of process identifiers (PIDs), lists of processes and their details. While the new namespace is isolated from other siblings, processes in its "parent" namespace still see all processes in child namespaces—albeit with different PID numbers.42
  • Network namespace isolates the network interface controllers (physical or virtual), iptables firewall rules, routing tables etc. Network namespaces can be connected with each other using the "veth" virtual Ethernet device.43
  • "UTS" namespace allows changing the hostname.
  • Mount namespace allows creating a different file system layout, or making certain mount points read-only.44
  • IPC namespace isolates the System V inter-process communication between namespaces.
  • User namespace isolates the user IDs between namespaces.45
  • Cgroup namespace46

Namespaces are created with the "unshare" command or syscall, or as "new" flags in a "clone" syscall.47

The "ns" subsystem was added early in cgroups development to integrate namespaces and control groups. If the "ns" cgroup was mounted, each namespace would also create a new group in the cgroup hierarchy. This was an experiment that was later judged to be a poor fit for the cgroups API, and removed from the kernel.

Linux namespaces were inspired by the more general namespace functionality used heavily throughout Plan 9 from Bell Labs.48

Conversion to kernfs

Kernfs was introduced into the Linux kernel with version 3.14 in March 2014, the main author being Tejun Heo.49 One of the main motivators for a separate kernfs is the cgroups file system. Kernfs is basically created by splitting off some of the sysfs logic into an independent entity, thus easing for other kernel subsystems the implementation of their own virtual file system with handling for device connect and disconnect, dynamic creation and removal, and other attributes. This does not affect how cgroups is used, but makes maintaining the code easier.50

New features introduced during v1

Kernel memory control groups (kmemcg) were merged into version 3.8 (2013 February 18; 12 years ago (18-02-2013)) of the Linux kernel mainline.515253 The kmemcg controller can limit the amount of memory that the kernel can utilize to manage its own internal processes.

Support for per-group netfilter setup was added in 2014.54

The unified hierarchy was added in 2014. It repurposes of v1's dummy hierarchy to hold all controllers not yet used by others. This changed dummy hierarchy would become the only available hierarchy in v2.55

Changes after v2

Unlike v1, cgroup v2 has only a single process hierarchy and discriminates between processes, not threads.

cgroup awareness of OOM killer

Linux Kernel 4.19 (October 2018) introduced cgroup awareness of OOM killer implementation which adds an ability to kill a cgroup as a single unit and so guarantee the integrity of the workload.56

Adoption

Various projects use cgroups as their basis, including CoreOS, Docker (in 2013), Hadoop, Jelastic, Kubernetes,57 lmctfy (Let Me Contain That For You), LXC (Linux Containers), systemd, Mesos and Mesosphere,58 and HTCondor.

Major Linux distributions also adopted it such as Red Hat Enterprise Linux (RHEL) 6.0 in November 2010, three years before adoption by the mainline Linux kernel.59

On 29 October 2019, the Fedora Project modified Fedora 31 to use CgroupsV2 by default60

See also

  • Free and open-source software portal
  • Linux portal

References

  1. "Control Group v2". docs.kernel.org.Sections referenced in this document: Controllers Issues with v1 and Rationales for v2 https://docs.kernel.org/admin-guide/cgroup-v2.html

  2. Jonathan Corbet (29 May 2007). "Process containers". LWN.net. //lwn.net/Articles/236038/

  3. Jonathan Corbet (29 October 2007). "Notes from a container". LWN.net. Retrieved 14 April 2015. The original 'containers' name was considered to be too generic – this code is an important part of a container solution, but it's far from the whole thing. So containers have now been renamed 'control groups' (or 'cgroups') and merged for 2.6.24. //lwn.net/Articles/256389/

  4. "memcg: add documentation about the kmem controller". kernel.org. 18 December 2012. http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d5bdae7d59451b9d63303f7794ef32bb76ba6330

  5. "netfilter: x_tables: lightweight process control group matching". 23 April 2014. Archived from the original on 24 April 2014. https://web.archive.org/web/20140424095421/http://www.spinics.net/lists/netdev/msg264727.html

  6. "Linux_4.19 - Linux Kernel Newbies". https://kernelnewbies.org/Linux_4.19#Memory_management

  7. "Control Group v2". docs.kernel.org.Sections referenced in this document: Controllers Issues with v1 and Rationales for v2 https://docs.kernel.org/admin-guide/cgroup-v2.html

  8. "cgroup: prepare for the default unified hierarchy". 13 March 2014. https://lkml.org/lkml/2014/3/13/503

  9. "Documentation/cgroup-v2.txt as appeared in Linux kernel 4.5". 14 March 2016. https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/diff/Documentation/cgroup-v2.txt?id=v4.5&id2=v4.4

  10. "diff between Linux kernel 4.4 and 4.5". 14 March 2016. https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/diff/Documentation/cgroup-v1?id=v4.5&id2=v4.4

  11. "Control Group v2". docs.kernel.org.Sections referenced in this document: Controllers Issues with v1 and Rationales for v2 https://docs.kernel.org/admin-guide/cgroup-v2.html

  12. "Documentation/cgroup-v2.txt as appeared in Linux kernel 4.5". 14 March 2016. https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/diff/Documentation/cgroup-v2.txt?id=v4.5&id2=v4.4

  13. Jonathan Corbet (31 July 2007). "Controlling memory use in containers". LWN. //lwn.net/Articles/243795/

  14. Balbir Singh, Vaidynathan Srinivasan (July 2007). "Containers: Challenges with the memory resource controller and its performance" (PDF). Ottawa Linux Symposium. http://www.kernel.org/doc/ols/2007/ols2007v2-pages-209-222.pdf

  15. Carvalho, André (18 October 2017). "Using cgroups to limit I/O". andrestc.com. Retrieved 12 September 2022. https://andrestc.com/post/cgroups-io/

  16. Luu, Dan. "The container throttling problem". danluu.com. Retrieved 12 September 2022. https://danluu.com/cgroup-throttling/

  17. Derr, Simon (2004). "CPUSETS". Retrieved 12 September 2022. https://www.kernel.org/doc/Documentation/cgroup-v1/cpusets.txt

  18. "setrlimit(2) — Arch manual pages". man.archlinux.org. Retrieved 27 November 2023. https://man.archlinux.org/man/setrlimit.2.en

  19. Jonathan Corbet (23 October 2007). "Kernel space: Fair user scheduling for Linux". Network World. Archived from the original on 19 October 2013. Retrieved 22 August 2012. https://web.archive.org/web/20131019123524/http://www.networkworld.com/news/2007/101207-kernel.html

  20. Kamkamezawa Hiroyu (19 November 2008). Cgroup and Memory Resource Controller (PDF). Japan Linux Symposium. Archived from the original (PDF presentation slides) on 22 July 2011. https://web.archive.org/web/20110722113016/http://www.linuxfoundation.jp/jp_uploads/seminar20081119/CgroupMemcgMaster.pdf

  21. Hansen D, IBM Linux Technology Center (2009). Resource Management (PDF presentation slides). Linux Foundation. https://events.static.linuxfound.org/slides/lfcs09_hansen2.pdf

  22. Hansen D, IBM Linux Technology Center (2009). Resource Management (PDF presentation slides). Linux Foundation. https://events.static.linuxfound.org/slides/lfcs09_hansen2.pdf

  23. Jonathan Corbet (29 October 2007). "Notes from a container". LWN.net. Retrieved 14 April 2015. The original 'containers' name was considered to be too generic – this code is an important part of a container solution, but it's far from the whole thing. So containers have now been renamed 'control groups' (or 'cgroups') and merged for 2.6.24. //lwn.net/Articles/256389/

  24. Matt Helsley (3 February 2009). "LXC: Linux container tools". IBM developerWorks. http://www.ibm.com/developerworks/linux/library/l-lxc-containers/

  25. "Grid Engine cgroups Integration". Scalable Logic. 22 May 2012. http://blogs.scalablelogic.com/2012/05/grid-engine-cgroups-integration.html

  26. "Control Groups version 1". docs.kernel.org. https://docs.kernel.org/admin-guide/cgroup-v1/index.htm

  27. "Control Group v2". docs.kernel.org.Sections referenced in this document: Controllers Issues with v1 and Rationales for v2 https://docs.kernel.org/admin-guide/cgroup-v2.html

  28. "Control Groups version 1". docs.kernel.org. https://docs.kernel.org/admin-guide/cgroup-v1/index.htm

  29. "Control Group v2". docs.kernel.org.Sections referenced in this document: Controllers Issues with v1 and Rationales for v2 https://docs.kernel.org/admin-guide/cgroup-v2.html

  30. "Control Group v2". docs.kernel.org.Sections referenced in this document: Controllers Issues with v1 and Rationales for v2 https://docs.kernel.org/admin-guide/cgroup-v2.html

  31. "Control Group v2". docs.kernel.org.Sections referenced in this document: Controllers Issues with v1 and Rationales for v2 https://docs.kernel.org/admin-guide/cgroup-v2.html

  32. "Control Group v2". docs.kernel.org.Sections referenced in this document: Controllers Issues with v1 and Rationales for v2 https://docs.kernel.org/admin-guide/cgroup-v2.html

  33. "Control Group v2". docs.kernel.org.Sections referenced in this document: Controllers Issues with v1 and Rationales for v2 https://docs.kernel.org/admin-guide/cgroup-v2.html

  34. "1.2. Default Cgroup Hierarchies | Resource Management Guide | Red Hat Enterprise Linux | 7 | Red Hat Documentation". docs.redhat.com. {{cite web}}: no-break space character in |title= at position 5 (help) https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/resource_management_guide/sec-default_cgroup_hierarchies

  35. "Managing cgroups with systemd". www.redhat.com. https://www.redhat.com/en/blog/cgroups-part-four

  36. "Systemd-cgtop". https://www.freedesktop.org/software/systemd/man/systemd-cgtop.html

  37. "Control Group v2". docs.kernel.org.Sections referenced in this document: Controllers Issues with v1 and Rationales for v2 https://docs.kernel.org/admin-guide/cgroup-v2.html

  38. "All About the Linux Kernel: Cgroup's Redesign". Linux.com. 15 August 2013. Archived from the original on 28 April 2019. Retrieved 19 May 2014. https://web.archive.org/web/20190428203713/https://www.linuxfoundation.org/blog/2013/08/all-about-the-linux-kernel-cgroups-redesign/

  39. "The unified control group hierarchy in 3.16". LWN.net. 11 June 2014. //lwn.net/Articles/601840/

  40. "Pull cgroup updates for 3.15 from Tejun Heo". kernel.org. 3 April 2014. http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=32d01dc7be4e725ab85ce1d74e8f4adc02ad68dd

  41. "Pull cgroup updates for 3.16 from Tejun Heo". kernel.org. 9 June 2014. http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=14208b0ec56919f5333dd654b1a7d10765d0ad05

  42. Pavel Emelyanov, Kir Kolyshkin (19 November 2007). "PID namespaces in the 2.6.24 kernel". LWN.net. //lwn.net/Articles/259217/

  43. Jonathan Corbet (30 January 2007). "Network namespaces". LWN.net. //lwn.net/Articles/219794/

  44. Serge E. Hallyn, Ram Pai (17 September 2007). "Applying mount namespaces". IBM developerWorks. http://www.ibm.com/developerworks/linux/library/l-mount-namespaces.html

  45. Michael Kerrisk (27 February 2013). "Namespaces in operation, part 5: User namespaces". lwn.net Linux Info from the Source. //lwn.net/Articles/532593/

  46. "LKML: Linus Torvalds: Linux 4.6-rc1". https://lkml.org/lkml/2016/3/26/132/

  47. Janak Desai (11 January 2006). "Linux kernel documentation on unshare". http://www.mjmwired.net/kernel/Documentation/unshare.txt

  48. "The Use of Name Spaces in Plan 9". 1992. Archived from the original on 6 September 2014. Retrieved 15 February 2015. https://web.archive.org/web/20140906153815/http://www.cs.bell-labs.com/sys/doc/names.html

  49. "kernfs, sysfs, driver-core: implement synchronous self-removal". LWN.net. 3 February 2014. Retrieved 7 April 2014. //lwn.net/Articles/584019/

  50. "Linux kernel source tree: kernel/git/torvalds/linux.git: cgroups: convert to kernfs". kernel.org. 11 February 2014. Retrieved 23 May 2014. https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2bd59d48ebfb3df41ee56938946ca0dd30887312

  51. "memcg: kmem controller infrastructure". kernel.org source code. 18 December 2012. http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7ae1e1d0f8ac2927ed7e3ca6d15e42d485903459

  52. "memcg: kmem accounting basic infrastructure". kernel.org source code. 18 December 2012. http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=510fc4e11b772fd60f2c545c64d4c55abd07ce36

  53. "memcg: add documentation about the kmem controller". kernel.org. 18 December 2012. http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d5bdae7d59451b9d63303f7794ef32bb76ba6330

  54. "netfilter: x_tables: lightweight process control group matching". 23 April 2014. Archived from the original on 24 April 2014. https://web.archive.org/web/20140424095421/http://www.spinics.net/lists/netdev/msg264727.html

  55. "cgroup: prepare for the default unified hierarchy". 13 March 2014. https://lkml.org/lkml/2014/3/13/503

  56. "Linux_4.19 - Linux Kernel Newbies". https://kernelnewbies.org/Linux_4.19#Memory_management

  57. "Mesosphere to Bring Google's Kubernetes to Mesos". Mesosphere.io. 10 July 2014. Archived from the original on 6 September 2015. Retrieved 13 July 2014. https://web.archive.org/web/20150906165229/https://mesosphere.com/blog/2014/07/10/mesosphere-announces-kubernetes-on-mesos/

  58. "Mesosphere to Bring Google's Kubernetes to Mesos". Mesosphere.io. 10 July 2014. Archived from the original on 6 September 2015. Retrieved 13 July 2014. https://web.archive.org/web/20150906165229/https://mesosphere.com/blog/2014/07/10/mesosphere-announces-kubernetes-on-mesos/

  59. "6.0 Release Notes" (PDF). redhat.com. Retrieved 12 September 2023. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/pdf/6.0_release_notes/red_hat_enterprise_linux-6-6.0_release_notes-en-us.pdf

  60. "1732114 – Modify Fedora 31 to use CgroupsV2 by default". https://bugzilla.redhat.com/show_bug.cgi?id=1732114