Mastering Linux Cgroups: Control CPU, Memory, and I/O for Containers
This article explains Linux cgroups—how they group processes, limit and account for CPU, memory, and I/O usage, the differences between cgroup v1 and v2, key concepts like subsystems and hierarchies, and practical commands and configuration steps for managing resources with systemd and the command line.
What are Cgroups?
Cgroups (control groups) are a Linux kernel mechanism that groups processes and limits, accounts, and isolates their resource usage such as CPU, memory, and I/O, forming the foundation for container technologies like Docker.
Why Learn About Cgroups?
Since Docker (2013) and Kubernetes (2014) popularized containers, resource isolation has relied on cgroups and namespaces. Cgroups let administrators fine-tune the allocation, prioritization, denial, management, and monitoring of system resources.
Cgroups manage resource allocation and limits; namespaces provide isolation, so that processes see their own independent view of global resources.
Cgroups Overview
Cgroups (control groups) allow limiting, recording, and isolating resource consumption of a group of processes. They are the basis for lightweight virtualization (LXC) and container runtimes.
Version Differences
Cgroups v1 offers many features but is fragmented, making maintenance hard. Cgroups v2, introduced in kernel 4.5, consolidates functionality, though not all features are fully supported yet. Mixing v1 and v2 is possible but complex and generally avoided.
Key Concepts
Task : a single process in the kernel.
Control group : a set of processes grouped by a common resource policy.
Hierarchy : a tree of control groups; each node inherits attributes from its parent.
Subsystem (resource controller): a kernel module (e.g., cpu, memory) attached to a hierarchy to enforce limits.
Relationships
When a new hierarchy is created, all tasks belong to the root cgroup of that hierarchy.
A subsystem can be attached to only one hierarchy.
A hierarchy may have multiple subsystems.
A task can belong to multiple cgroups, but each must be in a different hierarchy.
Child processes inherit their parent’s cgroup membership.
Cgroup Subsystems
Typical subsystems under /sys/fs/cgroup include:
net_cls : tags network packets for traffic control.
net_prio : sets network traffic priority.
memory : limits memory usage.
cpuset : assigns specific CPUs and memory nodes.
freezer : suspends and resumes tasks.
blkio : controls block device I/O.
cpu : controls CPU time allocation.
cpuacct : accounts CPU usage.
devices : restricts device access.
Viewing Supported Subsystems
#subsys_name hierarchy num_cgroups enabled
cpuset 11 1 1
cpu 3 64 1
cpuacct 3 64 1
blkio 8 64 1
memory 9 104 1
devices 5 64 1
freezer 10 4 1
net_cls 6 1 1
perf_event 7 1 1
net_prio 6 1 1
hugetlb 4 1 1
pids 2 68 1
CPU Subsystem Details
The CPU controller uses five interfaces:
cpu.cfs_period_us : length of a scheduling period (µs).
cpu.cfs_quota_us : total CPU time allowed per period (µs, -1 = unlimited).
cpu.shares : relative weight for proportional sharing.
cpu.rt_period_us and cpu.rt_runtime_us : real-time scheduling limits.
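How the quota and period files combine into a ceiling, as an added example that is not part of the original article: the script reports each cgroup's own limit and the effective limit it inherits from its ancestors, so groups with no CPU ceiling at all stand out. The function names and the sample tree (in which user-1000.slice has a 20% quota) are constructed for illustration.

```sh
# Added example, not from the original article: CFS bandwidth ceilings in a
# cgroup v1 cpu hierarchy, read from cpu.cfs_quota_us and cpu.cfs_period_us.

# own_ceiling DIR: ceiling set on this cgroup as % of one CPU (200% = two
# CPUs), or "unlimited" when the quota is -1.
own_ceiling() {
    q=$(cat "$1/cpu.cfs_quota_us") && p=$(cat "$1/cpu.cfs_period_us") || return 1
    if [ "$q" -lt 0 ]; then echo unlimited; else echo "$(( $q * 100 / $p ))%"; fi
}

# effective_ceiling ROOT DIR: tightest ceiling on the path from DIR up to ROOT.
# Quotas apply to the whole subtree, so a child with quota -1 is still
# throttled by any ancestor that has one.
effective_ceiling() {
    top=${1%/}; cur=${2%/}; best=unlimited
    while :; do
        own=$(own_ceiling "$cur") || return 1
        if [ "$own" != unlimited ] && { [ "$best" = unlimited ] ||
            [ "${own%\%}" -lt "${best%\%}" ]; }; then best=$own; fi
        [ "$cur" = "$top" ] && break
        cur=${cur%/*}
    done
    echo "$best"
}

# audit_cpu_limits ROOT: one line per cgroup with its own and effective ceiling.
audit_cpu_limits() {
    base=${1%/}
    find "$base" -type f -name cpu.cfs_quota_us | sort | while read -r f; do
        d=${f%/cpu.cfs_quota_us}; rel=${d#"$base"}
        echo "${rel:-/} own=$(own_ceiling "$d") effective=$(effective_ceiling "$base" "$d")"
    done
}

# Constructed sample tree (path:quota, period 100000); 20000 is a 20% quota.
make_sample_tree() {
    for spec in .:-1 user.slice:-1 user.slice/user-1000.slice:20000 \
        user.slice/user-1000.slice/session-2.scope:-1 \
        system.slice:-1 system.slice/sshd.service:-1; do
        mkdir -p "$1/${spec%%:*}"
        printf '%s\n' "${spec##*:}" > "$1/${spec%%:*}/cpu.cfs_quota_us"
        echo 100000 > "$1/${spec%%:*}/cpu.cfs_period_us"
    done
}

demo=$(mktemp -d) && make_sample_tree "$demo" && audit_cpu_limits "$demo"
rm -rf "$demo"
```

On a cgroup v1 host the same audit can be pointed at the mounted hierarchy, for example `audit_cpu_limits /sys/fs/cgroup/cpu,cpuacct`.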
Example: Limiting CPU for a User Slice
Set a 20% CPU quota for the slice user-1000.slice:
systemctl set-property user-1000.slice CPUQuota=20%
Installing and Managing Cgroups on CentOS
Install the tools:
yum install libcgroup
service cgconfig status # check status
service cgconfig start # start service
Check which cgroup a service runs in:
systemctl status <pid> | grep CGroup
cat /proc/<pid>/cgroup
Configuration Files
System‑wide configuration lives in /etc/cgconfig.conf and /etc/cgrules.conf. Example mount section:
mount {
cpuset = /cgroup/cpuset;
cpu = /cgroup/cpu;
cpuacct = /cgroup/cpuacct;
memory = /cgroup/memory;
devices = /cgroup/devices;
freezer = /cgroup/freezer;
net_cls = /cgroup/net_cls;
blkio = /cgroup/blkio;
}
Viewing Cgroup Hierarchies
Use systemd-cgls for a static tree view and systemd-cgtop for live resource usage.
$ systemd-cgls --no-pager
$ systemd-cgtop
Inspect a process's cgroup membership via /proc/[pid]/cgroup or the /sys/fs/cgroup filesystem.
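Reading that membership file, as an added example that is not part of the original article: each line of /proc/<pid>/cgroup has the form hierarchy-ID:controller-list:path, and the function below returns the path for one controller, covering co-mounted v1 controllers such as cpu,cpuacct and the single 0:: entry of cgroup v2. The names cgroup_path_for and sample_v1 and the sample lines are constructed for illustration.

```sh
# Added example, not from the original article.
# /proc/<pid>/cgroup has one line per hierarchy the task belongs to:
#   hierarchy-ID:controller-list:cgroup-path
# v1 lines carry one or more comma-separated controllers; the cgroup v2
# unified hierarchy is the line with ID 0 and an empty controller list.

# cgroup_path_for CONTROLLER < membership-file
# Prints the task's cgroup path for CONTROLLER; exit status 1 if none applies.
cgroup_path_for() {
    awk -F: -v want="$1" '
        {
            # A cgroup name may itself contain ":", so rejoin fields 3..NF.
            path = $3
            for (i = 4; i <= NF; i++) path = path ":" $i
            n = split($2, ctrl, ",")
            for (i = 1; i <= n; i++)
                if (ctrl[i] == want) { print path; found = 1; exit }
            if ($1 == "0" && $2 == "") unified = path
        }
        END {
            if (found) exit 0
            # No v1 hierarchy has it: the v2 entry, if any, gives the membership.
            if (unified != "") { print unified; exit 0 }
            exit 1
        }'
}

# Constructed sample; hierarchy IDs follow the /proc/cgroups listing in the article.
sample_v1() {
    cat <<'EOF'
11:cpuset:/
10:freezer:/
9:memory:/user.slice/user-1000.slice
3:cpu,cpuacct:/user.slice/user-1000.slice
1:name=systemd:/user.slice/user-1000.slice/session-2.scope
EOF
}

# cpuacct is co-mounted with cpu in hierarchy 3, so both resolve to one path.
sample_v1 | cgroup_path_for cpuacct
```

Against a live process, feed it the real file: `cgroup_path_for memory < /proc/<pid>/cgroup`.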
Practical Commands
List supported subsystems:
cat /proc/cgroups
Show CPU limits for a slice:
cat /sys/fs/cgroup/cpu,cpuacct/user.slice/user-1000.slice/cpu.cfs_period_us
Enable accounting for a service:
systemctl set-property sshd.service CPUAccounting=true MemoryAccounting=true
For a complete guide, see the original article at https://blog.csdn.net/chenlycly/article/details/125956805.
MaGe Linux Operations
