Mastering cgroups, cgroupfs & Systemd: Choose & Configure Docker’s Cgroup Driver

What is cgroup

Cgroup is a Linux kernel feature that limits, accounts for, and isolates resource usage (CPU, memory, disk I/O, network, etc.) of a group of processes.

cgroups (Control Groups) provide a mechanism to organize system tasks and their subtasks into resource‑based groups, offering a unified framework for resource management. In essence, cgroups are kernel hooks attached to programs that trigger resource tracking and limiting.

What is cgroupfs

Docker’s default Cgroup Driver is cgroupfs.

$ docker info | grep cgroup
Cgroup Driver: cgroupfs

cgroupfs is a virtual file system that exposes the native cgroup interface, similar to procfs and sysfs, and is typically mounted at /sys/fs/cgroup.

What is Systemd?

Systemd also wraps the cgroup interface. Running as PID 1 at system startup, systemd provides a suite of management daemons, libraries, and utilities to control Linux system resources.

Why use systemd instead of cgroupfs

When a Linux distribution uses systemd as its init system, the init process creates a root control group and acts as the cgroup manager. Systemd tightly integrates with cgroups, assigning a cgroup to each systemd unit. You can also configure container runtimes and kubelet to use cgroupfs . Using both systemd and cgroupfs means two different cgroup managers. A single cgroup manager simplifies the view of resource allocation and provides a more consistent view of available and used resources. When two managers coexist, they can present divergent views, leading to instability under resource pressure.

Ubuntu, Debian, and CentOS 7 all use systemd as the init system. If both the container runtime and kubelet use cgroupfs while systemd also manages cgroups, the OS ends up with two resource‑allocation views, which can cause instability when CPU, memory, or other resources are scarce.

Note: Do not attempt to change the cgroup driver on a running cluster node; if needed, remove the node and re‑join it.

How to change Docker’s default cgroup driver

Add the following configuration and restart Docker:

"exec-opts": ["native.cgroupdriver=systemd"]

Example /etc/docker/daemon.json:

{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "registry-mirrors": [
    "https://docker.mirrors.ustc.edu.cn",
    "http://hub-mirror.c.163.com"
  ],
  "max-concurrent-downloads": 10,
  "log-driver": "json-file",
  "log-level": "warn",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3"
  },
  "data-root": "/var/lib/docker"
}

Kubelet configuration for cgroup driver

Reference the official documentation.

Note: In version 1.22, if the KubeletConfiguration does not set the cgroupDriver field, kubeadm init will default it to systemd .

# kubeadm-config.yaml
kind: ClusterConfiguration
apiVersion: kubeadm.k8s.io/v1beta3
kubernetesVersion: v1.21.0
---
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
cgroupDriver: systemd

Then initialize the cluster with:

$ kubeadm init --config kubeadm-config.yaml