Mastering Linux Cgroups: A Complete Guide to Resource Management and Containerization
This article provides a comprehensive overview of Linux cgroups, explaining their purpose, architecture, versions, subsystems, and practical usage with systemd, including installation, configuration files, command‑line tools, and methods to monitor and limit CPU, memory, and I/O resources for containers and services.
Cgroups (control groups) are a Linux kernel mechanism that groups processes to limit, account for, and isolate resource usage such as CPU, memory, and I/O, forming the foundation for container technologies like Docker.
1. Why understand Cgroups
Since Docker (2013) and Kubernetes (2014), containers have become core to cloud‑native ecosystems. They rely on cgroups and namespaces for resource isolation.
Cgroups manage resource allocation and limits; namespaces provide isolation, so that each group of processes gets its own independent view of global resources.
2. Cgroups Overview
Cgroups (control groups) allow administrators to finely control resource distribution, monitoring, and isolation across processes, originally proposed by Google and integrated into the Linux kernel.
Cgroups have two versions: v1 (feature‑rich but fragmented) and v2 (more coherent, production‑ready in kernel 4.5).
3. What is a Cgroup?
A Cgroup is a hierarchical tree where each node represents a process group linked to one or more subsystems that enforce resource policies.
subsystem : a kernel module (resource controller) attached to a Cgroup tree to enforce limits or accounting.
hierarchy : the Cgroup tree itself; a process belongs to a single node per hierarchy but can be part of multiple hierarchies.
4. Why need Cgroups?
They solve problems such as excessive resource consumption by antivirus scans, Docker containers, or Java applications by providing unified monitoring and control.
5. Implementation in CentOS 7
Systemd creates slice, scope, and service units that map to Cgroup hierarchies. By default three top‑level slices exist: system.slice, user.slice, and machine.slice, each receiving an equal share of CPU when the CPU is busy.
6. Functions of Cgroups
Resource limiting (e.g., memory caps).
Prioritization (CPU shares).
Accounting (recording CPU time).
Isolation (using namespaces).
Control (freezing/resuming tasks).
7. Related Concepts
Task : an individual process.
Control group : a set of processes grouped by a policy.
Hierarchy : the tree structure of control groups.
Subsystem : a resource controller attached to a hierarchy.
8. Subsystems Overview
Typical subsystems under /sys/fs/cgroup include:
net_cls : classifies network packets for traffic control.
net_prio : sets network traffic priority.
memory : limits memory usage.
cpuset : assigns CPUs and memory nodes.
freezer : suspends/resumes tasks.
blkio : controls block device I/O.
cpu : controls CPU time.
cpuacct : reports CPU usage.
devices : restricts device access.
8.1 Viewing Supported Subsystems
#subsys_name hierarchy num_cgroups enabled
cpuset 11 1 1
cpu 3 64 1
cpuacct 3 64 1
blkio 8 64 1
memory 9 104 1
devices 5 64 1
freezer 10 4 1
net_cls 6 1 1
perf_event 7 1 1
net_prio 6 1 1
hugetlb 4 1 1
pids 2 68 1
8.2 CPU Subsystem Interface
The CPU subsystem uses five parameters:
cpu.cfs_period_us : period of CPU bandwidth in microseconds.
cpu.cfs_quota_us : allowed CPU time within the period.
cpu.shares : relative weight for CPU allocation.
cpu.rt_runtime_us : max continuous runtime for real‑time tasks.
cpu.rt_period_us : period for real‑time runtime.
Sum_{i} runtime_{i} / global_period <= global_runtime / global_period
8.3 Installing Cgroups on CentOS
# Install if missing
yum install libcgroup
# Check status and start service
service cgconfig status
service cgconfig start
service cgconfig status
# Verify installation
grep cgroup /proc/filesystems
8.4 Finding Service Cgroup
systemctl status [pid] | grep CGroup
cat /proc/[pid]/cgroup
cd /sys/fs/ && find * -name "*.procs" -exec grep [pid] {} /dev/null \; 2>/dev/null
Example Bash script to locate a process by name:
#!/bin/bash
# Print the cgroup membership of every process whose command name matches $1
for pid in $(pgrep -- "$1"); do
    echo "== PID $pid"
    cat "/proc/$pid/cgroup"
done
9. Using Cgroups
9.1 Setting Cgroup via systemctl
$ systemctl set-property user-1000.slice CPUQuota=20%
Focus on Block, CPU, and Memory properties.
9.2 Limiting CPU Usage
Set cpu.cfs_period_us and cpu.cfs_quota_us to enforce hard limits.
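How the two files combine into a hard limit, as an added example that is not part of the original article: the script computes quota/period for every group in a cgroup v1 cpu hierarchy and marks groups that have no quota and can therefore consume all available CPU. The helper names and the temporary sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. cpu_limit_pct, audit_cpu_limits
# and make_sample_tree are hypothetical helper names.

# Print one cgroup's hard CPU limit as a percentage of a single CPU, or
# "unlimited" when cpu.cfs_quota_us is negative (-1 means no quota is set).
cpu_limit_pct() {
    dir=$1
    [ -r "$dir/cpu.cfs_quota_us" ] && [ -r "$dir/cpu.cfs_period_us" ] || return 1
    quota=$(cat "$dir/cpu.cfs_quota_us")
    period=$(cat "$dir/cpu.cfs_period_us")
    if [ "$quota" -lt 0 ]; then
        echo unlimited
    else
        echo "$(( quota * 100 / period ))%"   # values above 100% span several CPUs
    fi
}

# Walk a cpu hierarchy and print "<limit> <cgroup path>" for every group found.
audit_cpu_limits() {
    root=$1
    find "$root" -type d | sort | while IFS= read -r d; do
        limit=$(cpu_limit_pct "$d") || continue
        rel=${d#"$root"}
        echo "$limit ${rel:-/}"
    done
}

# Constructed sample tree: user-1000.slice carries the 20000/100000 values
# shown in section 10.3, every other group keeps the default quota of -1.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/user.slice/user-1000.slice" "$t/system.slice"
    for g in "$t" "$t/user.slice" "$t/system.slice" "$t/user.slice/user-1000.slice"; do
        echo 100000 > "$g/cpu.cfs_period_us"
        printf '%s\n' -1 > "$g/cpu.cfs_quota_us"
    done
    echo 20000 > "$t/user.slice/user-1000.slice/cpu.cfs_quota_us"
    echo "$t"
}

# On a real cgroup v1 host, run: audit_cpu_limits /sys/fs/cgroup/cpu,cpuacct
tree=$(make_sample_tree)
audit_cpu_limits "$tree"
rm -rf "$tree"
```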
9.3 Configuring via /etc/cgconfig.conf
mount {
cpuset = /cgroup/cpuset ;
cpu = /cgroup/cpu ;
cpuacct = /cgroup/cpuacct ;
memory = /cgroup/memory ;
devices = /cgroup/devices ;
freezer = /cgroup/freezer ;
net_cls = /cgroup/net_cls ;
blkio = /cgroup/blkio ;
}
Persist settings in /etc/cgconfig.conf and /etc/cgrules.conf.
10. Viewing Cgroups
10.1 Using systemd
$ systemd-cgls --no-pager
$ systemd-cgtop
Enable accounting for a service, e.g., sshd.service:
$ systemctl set-property sshd.service CPUAccounting=true MemoryAccounting=true
10.2 Using /proc
$ cat /proc/777/cgroup
11:cpuset:/
10:freezer:/
9:memory:/system.slice/cron.service
...
10.3 Using /sys
$ cat /sys/fs/cgroup/cpu,cpuacct/user.slice/user-1000.slice/cpu.cfs_period_us
100000
$ cat /sys/fs/cgroup/cpu,cpuacct/user.slice/user-1000.slice/cpu.cfs_quota_us
20000
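The /proc/[pid]/cgroup output in sections 8.4 and 10.2 can be parsed to find which group a process belongs to for each controller, and which controllers leave it in the root group. This is an added example, not part of the original article; the helper names are hypothetical, and the sample file is constructed from the section 10.2 output plus one made-up cpu,cpuacct line.

```shell
#!/bin/sh
# Added example, not from the original article. cgroup_path_for,
# root_controllers and make_sample_cgroup_file are hypothetical helper names.

# Print the cgroup path of one controller from a /proc/<pid>/cgroup file.
# Line format: "hierarchy-ID:controller-list:path". The list is comma-separated
# ("cpu,cpuacct") and empty on the cgroup v2 unified hierarchy ("0::/path").
cgroup_path_for() {
    awk -F: -v want="$2" '
        {
            n = split($2, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == want) {
                # A path may contain ":", so rebuild it from field 3 onwards.
                path = $3
                for (j = 4; j <= NF; j++) path = path ":" $j
                print path; found = 1; exit
            }
        }
        END { exit !found }' "$1"
}

# List the v1 controllers for which the process sits in the root group "/",
# where no group-specific setting of that controller applies to it.
root_controllers() {
    awk -F: 'NF == 3 && $2 != "" && $3 == "/" { print $2 }' "$1"
}

# Constructed sample: the first three lines are the output shown in section
# 10.2; the cpu,cpuacct line is made up to show a comma-separated list.
make_sample_cgroup_file() {
    f=$(mktemp)
    printf '%s\n' \
        '11:cpuset:/' \
        '10:freezer:/' \
        '9:memory:/system.slice/cron.service' \
        '3:cpu,cpuacct:/system.slice/cron.service' > "$f"
    echo "$f"
}

# On a live host, pass /proc/<pid>/cgroup instead of the sample file.
sample=$(make_sample_cgroup_file)
echo "memory -> $(cgroup_path_for "$sample" memory)"
echo "root-level controllers: $(root_controllers "$sample" | tr '\n' ' ')"
rm -f "$sample"
```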
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
