| cgroups | |
|---|---|
| Original authors | v1: Paul Menage, Rohit Seth, Memory Controller by Balbir Singh, CPU controller by Srivatsa Vaddagiri v2: Tejun Heo |
| Developers | Tejun Heo, Johannes Weiner, Michal Hocko, Waiman Long, Roman Gushchin, Chris Down et al. |
| Initial release | 2007; 19 years ago (2007) |
| Written in | C |
| Operating system | Linux |
| Type | System software |
| License | GPL andLGPL |
| Website | Cgroup v1,Cgroup v2 |
cgroups (abbreviated fromcontrol groups) is aLinux kernel feature that limits, accounts for, and isolates theresource usage (CPU, memory, disk I/O, etc.)[1]: § Controllers of a collection ofprocesses.
Engineers atGoogle started the work on this feature in 2006 under the name "process containers".[2] In late 2007, the nomenclature changed to "control groups" to avoid confusion caused by multiple meanings of the term "container" in the Linux kernel context, and the control groups functionality was merged into theLinux kernel mainline in kernel version 2.6.24, which was released in January 2008.[3] Since then, developers have added controllers for the kernel's own memory allocation,[4] netfilterfirewalling,[5] theOOM killer,[6] and many other parts.
A major change in the history of cgroups iscgroup v2, which removes the ability to use multiple process hierarchies and to discriminate between threads as found in the original cgroup (now called "v1").[1]: § Issues with v1 and Rationales for v2 Work on the single, unified hierarchy started with the repurposing of v1's dummy hierarchy as a place for holding all controllers not yet used by others in 2014.[7] cgroup v2 was merged in Linux kernel 4.5 (2016).[8]
There are two versions of cgroups. They can co-exist in a system.
One of the design goals of cgroups is to provide a unified interface to many differentuse cases, from controlling single processes (by usingnice, for example) to fulloperating system-level virtualization (as provided byOpenVZ,Linux-VServer orLXC, for example). Cgroups provides:
A control group (abbreviated as cgroup) is a collection of processes that are bound by the same criteria and associated with a set of parameters or limits. These groups can be hierarchical, meaning that each group inherits limits from its parent group. The kernel provides access to multiple controllers (also called subsystems) through the cgroup interface;[3] for example, the "memory" controller limits memory use, "cpuacct" accounts CPU usage, etc.
Control groups can be used in multiple ways:
cgcreate,cgexec, andcgclassify (fromlibcgroup).The Linux kernel documentation contains some technical details of the setup and use of control groups version 1[21] and version 2.[1]
Both versions of cgroup act through a pseudo-filesystem (cgroup for v1 andcgroup2 for v2). Like all filesystems they can bemounted on any path, but the general convention is to mount one of the versions (generally v2) on/sys/fs/cgroup under thesysfs default location of/sys. As mentioned before the two cgroup versions can be active at the same time; this too applies to the filesystems so long as they are mounted to a different path.[21][1] For the description below we assume a setup where the v2 hierarchy lies in/sys/fs/cgroup. The v1 hierarchy, if ever required, will be mounted at a different location.
At initialization cgroup2 should have no defined control groups except the top-level one. In other words,/sys/fs/cgroup should have no directories, only a number of files that control the system as a whole. At this point, runningls /sys/fs/cgroup could list the following on one example system:
cgroup.controllerscgroup.max.depthcgroup.max.descendantscgroup.pressurecgroup.procscgroup.statcgroup.subtree_controlcgroup.threadscpu.pressurecpuset.cpus.effectivecpuset.cpus.isolatedcpuset.mems.effectivecpu.statcpu.stat.localio.cost.modelio.cost.qosio.pressureio.prio.classio.statirq.pressurememory.numa_statmemory.pressurememory.reclaimmemory.statmemory.zswap.writebackmisc.capacitymisc.currentmisc.peakThese files are named according to the controllers that handle them. For example,cgroup.* deal with the cgroup system itself andmemory.* deal with the memory subsystem. Example: to request the kernel to 1 gigabyte of memory from anywhere in the system, one can runecho "1G swappiness=50" > /sys/fs/cgroup/memory.reclaim.[1]
To create a subgroup, one simply creates a new directory under an existing group (including the top-level one). The files corresponding to available controls for this group are automatically created.[1] For example, runningmkdir /sys/fs/cgroup/example; ls /sys/fs/cgroup/example would produce a list of files largely similar to the one above, but with noticeable changes. On one example system, these files are added:
cgroup.eventscgroup.freezecgroup.killcgroup.typecpu.idlecpu.maxcpu.max.burstcpu.pressurecpu.uclamp.maxcpu.uclamp.mincpu.weightcpu.weight.nicememory.currentmemory.eventsmemory.events.localmemory.highmemory.lowmemory.maxmemory.minmemory.oom.groupmemory.peakmemory.swap.currentmemory.swap.eventsmemory.swap.highmemory.swap.maxmemory.swap.peakmemory.zswap.currentmemory.zswap.maxpids.currentpids.eventspids.events.localpids.maxpids.peakThese changes are not unexpected because some controls and statistics only make sense on a subset of processes (e.g.nice level being the CPU priority of processes relative to the rest of the system).[1]
Processes are assigned to subgroups by writing to/proc/<PID>/cgroup. The cgroup a process is in can be found by reading the same file.[1]
On systems based onsystemd, a hierarchy of subgroups is predefined to encapsulate every process directly and indirectly launched by systemd under a subgroup: the very basis of how systemd manages processes. An explanation of the nomenclature of these groups can be found in theRed Hat Enterprise Linux 7 manual.[22] Red Hat also provides a guide on creating a systemd service file that causes a process to run in a separate cgroup.[23]
systemd-cgtop[24] command can be used to show top control groups by their resource usage.
On a system with v2, v1 can still be mounted and given access to controllersnot in use by v2. However, a modern system typically already places all controllers in use in v2, so there is no controller available for v1 at all even if a hierarchy is created. It is possible to clear all uses of a controller from v2 and hand it to v1, but moving controllers between hierarchies after the system is up and running is cumbersome and not recommended.[1]
Redesign of cgroups started in 2013,[25] with additional changes brought by versions 3.15 and 3.16 of the Linux kernel.[26][27][28]
The following changes concern the kernel before 4.5/4.6, i.e. when cgroups-v2 were added. In other words they describe how cgroups-v1 had been changed, though most of them have also been inherited into v2 (after all, v1 and v2 share the same codebase).
While not technically part of the cgroups work, a related feature of the Linux kernel isnamespace isolation, where groups of processes are separated such that they cannot "see" resources in other groups. For example, a PID namespace provides a separate enumeration ofprocess identifiers within each namespace. Also available are mount, user, UTS (Unix Time Sharing), network and SysV IPC namespaces.
Namespaces are created with the "unshare" command orsyscall, or as "new" flags in a "clone" syscall.[34]
The "ns" subsystem was added early in cgroups development to integrate namespaces and control groups. If the "ns" cgroup was mounted, each namespace would also create a new group in the cgroup hierarchy. This was an experiment that was later judged to be a poor fit for the cgroups API, and removed from the kernel.
Linux namespaces were inspired by the more general namespace functionality used heavily throughoutPlan 9 from Bell Labs.[35]
Kernfs was introduced into the Linux kernel with version 3.14 in March 2014, the main author being Tejun Heo.[36] One of the main motivators for a separate kernfs is the cgroups file system. Kernfs is basically created by splitting off some of thesysfs logic into an independent entity, thus easing for other kernel subsystems the implementation of their own virtual file system with handling for device connect and disconnect, dynamic creation and removal, and other attributes. This does not affect how cgroups is used, but makes maintaining the code easier.[37]
Kernel memory control groups (kmemcg) were merged into version 3.8 (2013 February 18; 13 years ago (18-02-2013)) of theLinux kernel mainline.[38][39][4] The kmemcg controller can limit the amount of memory that the kernel can utilize to manage its own internal processes.
Support for per-groupnetfilter setup was added in 2014.[5]
The unified hierarchy was added in 2014. It repurposes of v1's dummy hierarchy to hold all controllers not yet used by others. This changed dummy hierarchy would become the only available hierarchy in v2.[7]
Unlike v1, cgroup v2 has only a single process hierarchy and discriminates between processes, not threads.
Linux Kernel 4.19 (October 2018) introduced cgroup awareness ofOOM killer implementation which adds an ability to kill a cgroup as a single unit and so guarantee the integrity of the workload.[6]
Various projects use cgroups as their basis, includingCoreOS,Docker (in 2013),Hadoop,Jelastic,Kubernetes,[40]lmctfy (Let Me Contain That For You),LXC (Linux Containers),systemd,Mesos and Mesosphere,[40]HTCondor, andFlatpak.
Major Linux distributions also adopted it such asRed Hat Enterprise Linux (RHEL) 6.0 in November 2010, three years before adoption by the mainline Linux kernel.[41]
On 29 October 2019, theFedora Project modified Fedora 31 to use CgroupsV2 by default.[42]
Sections referenced in this document:
The original 'containers' name was considered to be too generic – this code is an important part of a container solution, but it's far from the whole thing. So containers have now been renamed 'control groups' (or 'cgroups') and merged for 2.6.24.
