
Understand cgroups - demo and explanation

Control Groups, more commonly called cgroups, are a Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes.


Introduction

In the world of operating systems, cgroups (short for control groups) are an incredibly useful feature for managing system resources. They allow administrators to allocate resources such as CPU, memory, and disk I/O to specific processes or groups of processes. In this blog post, we will dive deeper into how cgroups work, and provide a demo of how to use them.

Explanation of Cgroups

Cgroups are a Linux kernel feature that allows the partitioning of resources such as CPU, memory, and disk I/O among groups of processes. Each cgroup has a set of rules that define how resources are distributed among its members. These rules can be adjusted dynamically, allowing administrators to fine-tune resource allocation to meet the needs of the system.

Cgroups can be used to limit the amount of CPU time a process can consume, the amount of memory it can use, or the amount of disk I/O it can perform. They can also be used to prioritize access to system resources, so that certain processes or groups of processes get more resources than others.

The purpose of cgroups

  • Manage resource usage by either processes or users.
  • Keep track of resource usage by users on multi-tenant systems to provide accurate billing.
  • More easily isolate running processes from each other. This not only makes for better security but also allows us to have better containerization technologies than we had previously.
  • Run servers that are densely packed with virtual machines and containers due to better resource management and process isolation.
  • Enhance performance by ensuring that processes always run on the same CPU core or set of CPU cores, instead of allowing the Linux kernel to move them around to different cores.
  • Whitelist or blacklist hardware devices.
  • Set up network traffic shaping.

cgroups v1

Structure of cgroups v1

  • cgroups
  • services
  • scopes
  • slices

## show a hierarchical listing of the cgroups that are running on the system
systemd-cgls

## the cgroup filesystem
cd /sys/fs
ls -ld cgroup/

mount | grep 'cgroup'

Demo of Cgroups

## install the cgroup command-line tools
sudo apt install cgroup-tools
## view our active resource controllers
lssubsys

## Controlling CPU usage
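### for slice
## cap all processes of the user with UID 1001 at 10% of one CPU
sudo systemctl set-property user-1001.slice CPUQuota=10%
## the setting is persisted as a drop-in file
cd /etc/systemd/system.control
ls /etc/systemd/system.control/user-1001.slice.d
## the quota as the kernel sees it (cgroups v1 path)
cd /sys/fs/cgroup/cpu/user.slice/user-1001.slice
cat cpu.cfs_quota_us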
### for service
sudo systemctl edit --full --force cputest.service
sudo systemctl set-property cputest.service CPUQuota=90%
### or in a service file with CPUQuota=90%

## Controlling memory usage
## --runtime stores the drop-in under /run, so the limit does not survive a reboot
sudo systemctl set-property --runtime user-1001.slice MemoryMax=1G
ls /run/systemd/system.control/user-1001.slice.d

## Controlling blkio usage
sudo systemctl set-property user-1001.slice BlockIOReadBandwidth="/dev/sda 1M"
### or in a service file with BlockIOReadBandwidth="/dev/sda 1M"

cgroups v2

Improvement for cgroup v2

With cgroups v1, a non-privileged user cannot set runtime resource limits when creating a container. cgroups v2 focuses on making it easier for non-privileged users to do so.

Parameter differences between cgroup v1 and v2

  • v1: CPUShares, StartupCPUShares, MemoryLimit, BlockIO prefix
  • v2: CPUWeight, StartupCPUWeight, MemoryMax, IO prefix
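
Added example, not from the original post: a shell helper that reads back the limit a cgroup directory actually enforces, covering the v1 files used in the demo (cpu.cfs_quota_us, memory.limit_in_bytes) and their v2 counterparts (cpu.max, memory.max). The function names are illustrative, and the sample tree is constructed; its values assume CPUQuota=10% and MemoryMax=1G with systemd's default 100000 µs CPU period.

```shell
#!/bin/sh
# Added example (not from the original post): read back the limits a cgroup
# directory enforces, for both the v1 and v2 file layouts.

# cpu_quota_pct DIR -> quota as a percentage of one CPU, or "unlimited"
cpu_quota_pct() {
    if [ -r "$1/cpu.max" ]; then                   # v2: "<quota|max> <period>"
        read -r quota period < "$1/cpu.max"
    elif [ -r "$1/cpu.cfs_quota_us" ]; then        # v1: two separate files
        quota=$(cat "$1/cpu.cfs_quota_us")
        period=$(cat "$1/cpu.cfs_period_us")
    else
        echo "no-cpu-controller"; return 1
    fi
    case $quota in
        max|-1) echo unlimited ;;                  # v2 writes "max", v1 writes -1
        *)      echo "$(( quota * 100 / period ))%" ;;
    esac
}

# mem_limit_bytes DIR -> hard memory limit in bytes, or "unlimited"
mem_limit_bytes() {
    if [ -r "$1/memory.max" ]; then                # v2
        limit=$(cat "$1/memory.max")
    elif [ -r "$1/memory.limit_in_bytes" ]; then   # v1
        limit=$(cat "$1/memory.limit_in_bytes")
    else
        echo "no-memory-controller"; return 1
    fi
    case $limit in                                 # v1 "no limit" with 4 KiB pages
        max|9223372036854771712) echo unlimited ;;
        *)                       echo "$limit" ;;
    esac
}

# make_sample DIR: constructed stand-ins for the kernel files (assumed values
# for CPUQuota=10% and MemoryMax=1G with the default 100000 us period).
make_sample() {
    mkdir -p "$1/v1cpu" "$1/v1mem" "$1/v2" "$1/v2free"
    echo 10000      > "$1/v1cpu/cpu.cfs_quota_us"
    echo 100000     > "$1/v1cpu/cpu.cfs_period_us"
    echo 1073741824 > "$1/v1mem/memory.limit_in_bytes"
    echo "10000 100000" > "$1/v2/cpu.max"; echo 1073741824 > "$1/v2/memory.max"
    echo "max 100000" > "$1/v2free/cpu.max"; echo max > "$1/v2free/memory.max"
}

demo=$(mktemp -d); make_sample "$demo"
for d in v1cpu v2 v2free; do echo "$d cpu: $(cpu_quota_pct "$demo/$d")"; done
for d in v1mem v2 v2free; do echo "$d mem: $(mem_limit_bytes "$demo/$d")"; done
rm -rf "$demo"
```

On a cgroups v1 host the CPU and memory controllers live in separate hierarchies, so each function is pointed at its own directory, for example /sys/fs/cgroup/cpu/user.slice/user-1001.slice for the CPU quota.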

Reference

  • Linux Service Management Made Easy with systemd - Advanced techniques to effectively manage, control, and monitor Linux systems and services (Donald A. Tevault)