Understand cgroups - demo and explanation
Control Groups, more commonly called cgroups, are a Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes.
In the world of operating systems, cgroups (short for control groups) are an incredibly useful feature for managing system resources. They allow administrators to allocate resources such as CPU, memory, and disk I/O to specific processes or groups of processes. In this blog post, we will dive deeper into how cgroups work, and provide a demo of how to use them.
Explanation of Cgroups
Cgroups are a Linux kernel feature that allows the partitioning of resources such as CPU, memory, and disk I/O among groups of processes. Each cgroup has a set of rules that define how resources are distributed among its members. These rules can be adjusted dynamically, allowing administrators to fine-tune resource allocation to meet the needs of the system.
Cgroups can be used to limit the amount of CPU time a process can consume, the amount of memory it can use, or the amount of disk I/O it can perform. They can also be used to prioritize access to system resources, so that certain processes or groups of processes get more resources than others.
The purpose of cgroups
- Manage resource usage by either processes or users.
- Keep track of resource usage by users on multi-tenant systems to provide accurate billing.
- More easily isolate running processes from each other. This not only makes for better security but also allows us to have better containerization technologies than we had previously.
- Run servers that are densely packed with virtual machines and containers due to better resource management and process isolation.
- Enhance performance by ensuring that processes always run on the same CPU core or set of CPU cores, instead of allowing the Linux kernel to move them around to different cores.
- Whitelist or blacklist hardware devices.
- Set up network traffic shaping.
Structure of cgroups v1
```bash
## show a hierarchical listing of the cgroups that are running on the system
systemd-cgls

## the cgroup filesystem
cd /sys/fs
ls -ld cgroup/
mount | grep 'cgroup'
```
Demo of Cgroups
```bash
apt install cgroup-tools

## view our active resource controllers
lssubsys

## Controlling CPU usage
### for slice
sudo systemctl set-property user-1001.slice CPUQuota=10%
cd /etc/systemd/system.control
ls /etc/systemd/system.control/user-1001.slice.d
cd /sys/fs/cgroup/cpu/user.slice/user-1001.slice
cat cpu.cfs_quota_us

### for service
sudo systemctl edit --full --force cputest.service
sudo systemctl set-property cputest.service CPUQuota=90%
### or in a service file with CPUQuota=90%

## Controlling memory usage
sudo systemctl set-property --runtime user-1001.slice MemoryMax=1G
ls /run/systemd/system.control/user-1001.slice.d

## Controlling blkio usage
sudo systemctl set-property user-1001.slice BlockIOReadBandwidth="/dev/sda 1M"
### or in a service file with BlockIOReadBandwidth="/dev/sda 1M"
```
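The demo above sets `CPUQuota=10%` and then reads `cpu.cfs_quota_us` back by hand. The following is an added example (not from the original post) that turns that read-back into a repeatable check and generalizes it to the cgroup v2 `cpu.max` file; the function names and the fixture tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the CPU quota the kernel is actually enforcing.
# Real cgroup dirs for user-1001.slice (uid 1001 is the page's example):
#   v1: /sys/fs/cgroup/cpu/user.slice/user-1001.slice
#   v2: /sys/fs/cgroup/user.slice/user-1001.slice

# Print the quota as a percentage of one CPU, or "unlimited".
cpu_quota_pct() {
    if [ -r "$1/cpu.max" ]; then                 # v2: "<quota|max> <period>"
        read -r quota period < "$1/cpu.max"
    elif [ -r "$1/cpu.cfs_quota_us" ]; then      # v1: two files, -1 = no limit
        read -r quota  < "$1/cpu.cfs_quota_us"
        read -r period < "$1/cpu.cfs_period_us"
    else
        echo "no-cpu-controller"; return 1
    fi
    case $quota in
        max|-1) echo "unlimited" ;;
        *)      echo "$(( $quota * 100 / $period ))%" ;;
    esac
}

# Compare the enforced quota with the CPUQuota= value that was configured.
check_cpu_quota() {
    actual=$(cpu_quota_pct "$1") || true
    if [ "$actual" = "$2" ]; then echo "OK    $1 ($actual)"; return 0; fi
    echo "DRIFT $1: expected $2, kernel reports $actual"; return 1
}

# Constructed fixture mimicking both layouts, so the demo runs anywhere.
make_sample_tree() {
    mkdir -p "$1/v1/user-1001.slice" "$1/v2/user-1001.slice" "$1/v2/open.slice"
    printf '10000\n'        > "$1/v1/user-1001.slice/cpu.cfs_quota_us"
    printf '100000\n'       > "$1/v1/user-1001.slice/cpu.cfs_period_us"
    printf '10000 100000\n' > "$1/v2/user-1001.slice/cpu.max"
    printf 'max 100000\n'   > "$1/v2/open.slice/cpu.max"
}

demo=$(mktemp -d)
make_sample_tree "$demo"
check_cpu_quota "$demo/v1/user-1001.slice" "10%"
check_cpu_quota "$demo/v2/user-1001.slice" "10%"
check_cpu_quota "$demo/v2/open.slice" "10%" || echo "open.slice has no CPU limit"
rm -rf "$demo"
```

On a live host, pass the real cgroup directory instead of the fixture path; a `DRIFT` result means the limit written with `systemctl set-property` is not the one the kernel is enforcing.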
Improvement for cgroup v2
With cgroups v1, it’s not possible for a non-privileged user to set runtime resource limits when creating a container. cgroup v2 focuses on making this easier for non-privileged users.
Parameter differences between cgroup v1 and v2
- v1: CPUShares, StartupCPUShares, MemoryLimit, BlockIO prefix
- v2: CPUWeight, StartupCPUWeight, MemoryMax, IO prefix
- Linux Service Management Made Easy with systemd - Advanced techniques to effectively manage, control, and monitor Linux systems and services (Donald A. Tevault)
- License under CC BY-NC 4.0