Understanding and Using Linux Cgroups for Container Resource Management

When developing software, monitoring the released application is essential for extending its lifecycle, and container technologies make system customization and packaging easier; mastering container monitoring relies on understanding Cgroups, the Linux kernel feature that limits, records, and isolates resource usage of process groups.

Cgroups (control groups) were proposed by Google engineers and integrated into the Linux kernel, providing the foundation for virtualization tools like Docker and LXC by enabling resource control, accounting, prioritization, and process management.

The main functions of Cgroups include resource limiting (e.g., memory caps that trigger OOM), prioritization (CPU time slices and I/O bandwidth), accounting (tracking CPU time, memory usage, etc.), and process control (suspend/resume).

Cgroups consist of tasks (processes), cgroups (resource control units), subsystems (resource controllers such as cpu, memory, blkio), and hierarchies (tree structures of cgroups). A hierarchy can attach multiple subsystems, but each subsystem can belong to only one hierarchy.

Key rules:

One hierarchy may have multiple subsystems attached.

A subsystem can be attached to only one hierarchy.

When a new hierarchy is created, all tasks belong to its root cgroup; a task can exist in only one cgroup per hierarchy but may belong to cgroups in different hierarchies.

Child tasks inherit their parent’s cgroup but can be moved independently.

Creating and managing Cgroups typically involves shell commands:

1. Create a hierarchy and attach subsystems using mount commands.

2. Create control groups with mkdir under the hierarchy.

3. Set parameters, e.g., limiting CPUs with echo 0-1 > cpuset.cpus in a cgroup.

4. Move processes to a cgroup by writing their PID to the tasks file.

Examples using Docker:

• Create containers with --cpu-shares to set CPU weight, then inspect cpu.shares files under /sys/fs/cgroup/cpu/docker/ .

• Limit container memory with --memory=1024M and observe memory stats; exceeding the limit triggers a kill.

Using Kubernetes, containers are placed under /sys/fs/cgroup/cpu/kubepods/ , with CPU shares and memory limits defined in pod YAML files.

Common subsystems include blkio, cpu, cpuacct, cpuset, memory, devices, net_cls, freezer, and ns, each providing specific resource controls.