Linux Control Groups, commonly known as Cgroups play a role, in Linux for managing system resources. They provide a structure to control and monitor resources like CPU and memory allowing administrators to assign and limit resources for processes or process groups. This article explores the intricacies including how to create and manage them as their significance in containerization.
Introduction to Hierarchies
It organize system resources into hierarchies with each hierarchy being managed by its controller. Every Linux process belongs to a Cgroup for each type of resource inheriting the Cgroups from its parent process when created.
The Linux kernel communicates information through pseudofilesystems, usually located at `/sys/fs/cgroup`. You can list the different types of Cgroups on your system with the following command:
root@vagrant:/sys/fs/cgroup$ ls
blkio cpu,cpuacct freezer net_cls perf_event systemd
cpu cpuset hugetlb net_cls,net_prio pids unified
cpuacct devices memory net_prio rdmaThese directories represent various resource controllers, such as CPU, memory, and more.
Managing
Managing involves reading and writing to the files and directories within these hierarchies. Let’s examine the memory hierarchy as an example:
root@vagrant:/sys/fs/cgroup$ ls memory/
cgroup.clone_children memory.limit_in_bytes
cgroup.event_control memory.max_usage_in_bytes
cgroup.procs memory.move_charge_at_immigrateSome files within the Cgroup hierarchy are writable and allow you to manipulate the Cgroup’s behavior, while others contain information provided by the kernel to report on the their state.
For instance, `memory.limit_in_bytes` is a writable parameter that sets the memory limit for processes in the group, while `memory.max_usage_in_bytes` reports the highest memory usage within the group.
By default, the top-level memory directory contains information about all running processes. If you want to limit
memory usage for specific processes, you must create a new Cgroup and then assign those processes to it.
Creating Control groups
Creating a new Cgroup is as simple as creating a subdirectory within the resource-specific hierarchy. The kernel automatically populates this directory with files that represent parameters and statistics for the Cgroup. Here’s how you can create a new memory
root@vagrant:/sys/fs/cgroup$ mkdir memory/lizNow, you have a new Cgroup named “liz” under the memory hierarchy.
Setting Resource Limits
Resource limits are essential for preventing processes from consuming excessive resources. You can set memory limits for a Cgroup by modifying the `memory.limit_in_bytes` file within the Cgroup directory. For example:
root@vagrant:/sys/fs/cgroup/memory/liz$ echo 100000 > memory.limit_in_bytesThis command limits the memory usage of the “liz” Cgroup to 100,000 bytes. Processes within this will not be allowed to exceed this limit.
Assigning Processes to Control groups
To assign a process to a specific Cgroup, you need to write the process ID (PID) into the `cgroup.procs` file within the its directory. Here’s how you can do it:
root@vagrant:/sys/fs/cgroup/memory/liz$ echo 29903 > cgroup.procsIn this example, we assign the process with PID 29903 to the “liz” Cgroup. This process is now subject to the memory limits set for that Cgroup.
Control groups in Docker
Docker leverages Cgroups to control and limit resources for containers. When you start a Docker container, Docker automatically creates and manages Cgroups for that container. These are organized under the “docker” hierarchy.
For instance, you can see the memory Cgroups for Docker containers like this:
root@vagrant:/sys/fs/cgroup$ ls */docker | grep docker
blkio/docker:
cpuacct/docker:
cpu,cpuacct/docker:
cpu/docker:
cpuset/docker:
devices/docker:
freezer/docker:
hugetlb/docker:
memory/docker:
net_cls/docker:
net_cls,net_prio/docker:
net_prio/docker:
perf_event/docker:
pids/docker:
systemd/docker:
Docker allows you to set resource limits for containers at runtime using flags like `–memory` and `–cpu`. These limits translate to constraints set within the Cgroups for that container.
Cgroups Version 2 (Cgroups v2)
It have evolved, and a version 2 was introduced in the Linux kernel in 2016. While it offers enhanced capabilities, it’s not as widely adopted as v1 in container runtimes like Docker at the time of writing.
One significant difference with v2 is that a process can’t join different groups for different controllers. Instead, it joins a single group that encompasses all controllers for that group.
Conclusion
These are a powerful resource management tool in the Linux ecosystem, playing a crucial role in controlling resource allocation and usage for processes and containers. Understanding how to create, manage, and set limits on essential for system administrators and anyone working with containers. These are a fundamental building block for achieving resource isolation and ensuring system stability, making them a valuable tool for optimizing system performance and security.
Do you like to read more educational content? Read our blogs at Cloudastra Technologies or contact us for business enquiry at Cloudastra Contact Us.