tags : Linux, Containers
What?
- A Linux kernel feature which allow processes to be organized into hierarchical groups whose usage of various types of resources can then be limited and monitored.
- See Control Group v2 — The Linux Kernel documentation
Core
- cgroup core is primarily responsible for hierarchically organizing processes.
Controller
- cgroup controller is usually responsible for distributing a specific type of system resource along the hierarchy
- Although there are utility controllers which serve purposes other than resource distribution.
Interface
- The kernel’s cgroup interface is provided through a pseudo-filesystem called
cgroupfs.
Namespace
- See Linux Namespaces
- The
CLONE_NEWCGROUPprovides a mechanism to virtualize the “view” of the “/proc/$PID/cgroup” file and cgroup mounts. Without it it will show complete path of the cgroup of a process. Which may leak potential system level information to the isolated processes. - In a container setup where we’re trying to isolate things, we want to use a namespace for cgroups so that it has an isolated view of cgroups.
cgroups vs ulimit
ulimit
- See ulimits
- A limit of 2 GiB main memory applies to a single process (and its threads). And a child process of this process inherits also a limit of 2 GiB main memory, but this is 2 GiB for its own usage.
- In other words, each process would have a limit of 2 GiB, and together they could consume up to 4 GiB of main memory.
cgroups
- So, control groups allow to limit resources over a group of processes.
- Limiting the main memory to 2 GiB for a group containing 3 processes, means the main memory used by all 3 processes together may not exceed 2 GiB.
cgroupv1 & cgroupv2
- If
/sys/fs/cgroup/cgroup.controllersis present on your system, you are using v2, otherwise you are using v1. - cgroup2 · Control and maximize resource utilization
- About cgroup v2 | Kubernetes
- Control Group v2 — The Linux Kernel documentation