Understand cgroups - demo and explanation

Control Groups, more commonly called cgroups. It is a Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes.

purpose of cgroups

• Manage resource usage by either processes or users.
• Keep track of resource usage by users on multi-tenant systems to provide accurate billing.
• More easily isolate running processes from each other. This not only makes for better security but also allows us to have better containerization technologies than we had previously.
• Run servers that are densely packed with virtual machines and containers due to better resource management and process isolation.
• Enhance performance by ensuring that processes always run on the same CPU core or set of CPU cores, instead of allowing the Linux kernel to move them around to different cores.
• Whitelist or blacklist hardware devices.
• Set up network traffic shaping.

cgroups v1

Structure of cgroups v1

• cgroups
• services
• scopes
• slices

## show a hierarchical listing of the cgroups that are running on the system
systemd-cgls

## the cgroup filesystem
cd /sys/fs
ls -ld cgroup/

mount | grep 'cgroup'

Controlling Resource Usage

apt install cgroup-tools
## view our active resource controllers
lssubsys

## Controlling CPU usage
### for slice
sudo systemctl set-property user-1001.slice CPUQuota=10%
cd /etc/systemd/system.control
ls /etc/systemd/system.control/user-1001.slice.d
cd /sys/fs/cgroup/cpu/user.slice/user-1001.slice
cat cpu.cfs_quota_us
### for service
sudo systemctl edit --full --force cputest.service
sudo systemctl set-property cputest.service CPUQuota=90%
### or in a service file with CPUQuota=90%

## Controlling memory usage
sudo systemctl set-property --runtime user-1001.slice MemoryMax=1G
ls /run/systemd/system.control/user-1001.slice.d

## Controlling blkio usage
sudo systemctl set-property user-1001.slice BlockIOReadBandwidth="/dev/sda 1M"
### or in a service file with BlockIOReadBandwidth="/dev/sda 1M"

cgroups v2

Improvement for cgroup v2

with cgroups Version 1, it’s not possible for a non-privileged user to set runtime resource limits when creating a container.

Parameter differences between cgroup v1 and v2

• v1: CPUShares, StartupCPUShares, MemoryLimit, BlockIO prefix
• v2: CPUWeight, StartupCPUWeight, MemoryMax, IO prefix

Reference

• Linux Service Management Made Easy with systemd - Advanced techniques to effectively manage, control, and monitor Linux systems and services (Donald A. Tevault)