According to LAWFAQS, control groups (cgroups for short) are a feature of the Linux kernel for restricting and monitoring the resource usage of processes. They play an important role in resource management and container virtualization.
From the very beginning, Linux has offered various mechanisms for controlling the system resources that processes use. But tools and configuration files such as nice, ionice, cpulimit and /etc/security/limits.conf work inconsistently and are no longer flexible enough today. Modern cloud platforms, with techniques such as containerization and virtual servers, require more powerful methods for resource management and process isolation.
Cgroups were developed by some programmers at Google in 2006 to provide solutions for a number of different use cases. Since kernel version 2.6.24, which was released in January 2008, cgroups have been an integral part of the Linux kernel.
How do cgroups work?
Under Linux, processes (tasks) have been organized hierarchically from the start: every task is started by another task and inherits several properties from it, such as the nice level and I/O priority of the calling process. Control groups are likewise hierarchically structured groups of processes. The essential difference is that there can be several group hierarchies, whereas there is always only one process tree.
With the help of cgroups, related processes can be grouped, for example by work team, software container or virtual server. Control groups can then be attached to different subsystems for resource management. Each subsystem (also called a resource controller) corresponds to a resource managed by the kernel.
The most important subsystems include:
- cpu: limits or prioritizes the CPU usage by the processes in a group.
- cpusets: defines on which processor cores the tasks are allowed to run.
- blkio: limits access to block devices such as storage media.
- devices: controls which hardware devices may be used.
- memory: limits the memory requirement.
- net_prio: limits the data throughput of network connections.
- cpuacct: measures the processor time used, for analysis and billing.
- perf_event: enables performance analysis.
Resource management with cgroups
Control groups provide several methods for setting up, configuring and controlling groups. On the one hand, the kernel exports a virtual directory tree under /sys/fs/cgroup/. Groups can be created, removed or renamed there with classic Unix commands such as mkdir, rmdir and mv. To add processes to groups and subsystems, the PIDs of the tasks are written to the appropriate files with echo or printf. Limits are set in the same way.
Administration via systemd or libcgroup is more convenient. Both provide commands for dealing with cgroups, such as systemd-cgls, systemd-run and systemd-cgtop, or cgcreate, cgexec and cgclassify. Furthermore, permanent control groups can be defined in configuration files such as /etc/cgconfig.conf or systemd unit files. The latter is also of interest to application developers, who can ship unit files with default settings for their applications, system services or software containers.
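The manual workflow described above (create a group with mkdir, then write limits and PIDs into its files), as an added shell example that is not part of the original article. It assumes the unified cgroup v2 hierarchy (files cpu.max, memory.max, cgroup.procs and cgroup.subtree_control) mounted at /sys/fs/cgroup, and CGROUP_ROOT can be pointed at a scratch directory to exercise the helpers without root; the name and value checks are there so a helper fed untrusted input cannot write outside its own group.

```shell
# Helpers for the manual cgroup workflow (added example; assumes the unified cgroup v2
# hierarchy with the cpu and memory controllers). CGROUP_ROOT may point at a scratch
# directory so the logic can be exercised without root or a real cgroup mount.
CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"

# Only plain group/file names: a name such as "../init.scope" would otherwise let a
# caller write limits or PIDs into a group it was never meant to control.
cg_valid_name() { case "$1" in ''|*/*|.|..) return 1 ;; *) return 0 ;; esac; }

# Unsigned integer (PIDs, periods, byte counts).
cg_is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# Unsigned integer or the literal "max", the kernel's spelling of "no limit".
cg_is_limit() { [ "$1" = max ] || cg_is_uint "$1"; }

# cg_create NAME: create the group and delegate the cpu and memory controllers to
# children of the root (cgroup.subtree_control is an ordinary file on a scratch tree).
cg_create() {
    cg_valid_name "$1" || return 1
    mkdir -p "$CGROUP_ROOT/$1" || return 1
    printf '+cpu +memory\n' > "$CGROUP_ROOT/cgroup.subtree_control"
}

# cg_limit NAME QUOTA_US PERIOD_US MEM_BYTES: cpu.max holds "quota period"
# (50000 100000 = half a core); memory.max holds a byte count or "max".
cg_limit() {
    cg_valid_name "$1" && cg_is_limit "$2" && cg_is_uint "$3" && cg_is_limit "$4" || return 1
    printf '%s %s\n' "$2" "$3" > "$CGROUP_ROOT/$1/cpu.max" &&
        printf '%s\n' "$4" > "$CGROUP_ROOT/$1/memory.max"
}

# cg_attach NAME PID: a process is moved into the group by writing its PID to cgroup.procs.
cg_attach() {
    cg_valid_name "$1" && cg_is_uint "$2" || return 1
    printf '%s\n' "$2" >> "$CGROUP_ROOT/$1/cgroup.procs"
}

# cg_get NAME FILE: read a setting back, e.g. cg_get web cpu.max
cg_get() {
    cg_valid_name "$1" && cg_valid_name "$2" || return 1
    cat "$CGROUP_ROOT/$1/$2"
}
```

On a real system the same calls must run as root (or in a delegated subtree), and a controller can only be enabled in a group whose parent lists it in cgroup.subtree_control.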
Areas of application of control groups
Cgroups solve a number of different problems in a uniform way. Compute-intensive and memory-intensive programs such as web browsers, computer algebra systems or scientific simulation applications can be controlled better on home PCs or company workstations. They also allow the scarce resources of smart devices, IoT devices and other embedded systems to be distributed precisely.
Control groups really come into their own on servers and in container virtualization. Often several services such as web servers, databases and application servers run on one system, and with virtual hosting packages several users share the same hardware. Today, more is needed here than the rudimentary or wasteful methods of isolation and resource distribution offered by chroot jails and nice, or by virtual machines.
Control groups provide a fine-grained system for allocating and monitoring various resources. With the help of the accounting function, billing for virtual servers and SaaS systems can be based on the resources actually used.
Control groups can be combined with kernel namespaces, capabilities and security extensions such as SELinux or AppArmor. Although the resulting isolation is less strict than with full virtualization, it is sufficient in many cases. Container technologies such as Docker, Snap, LXC and libvirt are all based on this combination.