Understanding Linux cgroups: Concepts, Hierarchy, and Usage

cgroups (control groups) is a Linux kernel feature that limits, accounts for, and isolates resource usage (CPU, memory, disk I/O, network, etc.) of process groups.

Key subsystems include: cpu (limits CPU usage), cpuacct (CPU accounting), cpuset (assigns CPUs/memory nodes), memory (limits memory), blkio (limits block I/O), devices (controls device access), net_cls (tags network packets), freezer (suspends/resumes tasks), and ns (namespace isolation).

The kernel organizes cgroup structures into a hierarchical tree (cgroups hierarchy). Each hierarchy can have one or more subsystems attached; attached subsystems enforce resource limits on the tasks within that hierarchy.

Processes are linked to cgroup nodes via the css_set structure, allowing a many‑to‑many relationship: a task can belong to multiple hierarchies (different resources) and a cgroup node can contain many tasks.

To expose this functionality to user space, the kernel implements a cgroups filesystem on top of VFS. Mounting the filesystem (e.g., mount -t cgroup -o cpu,cpuset,memory /cgroup/cpu_and_mem) creates the hierarchy and provides files such as tasks, cgroup.procs, and subsystem‑specific control files ( cpu.cfs_quota_us, memory.limit_in_bytes, etc.) for configuration.

Typical workflow: create a cgroup node with cgcreate -g cpu:test, set limits via echo 50000 > /cgroup/cpu/test/cpu.cfs_quota_us (50% CPU), add processes by writing their PIDs to tasks or using cgclassify -g cpu:test <pid>, and run a command in the context with cgexec -g cpu:test command args.

An example from the article limits a background task to 50% CPU: create cgcreate abc:abc -g cpu:halfapi, set echo 50000 > /cgroup/cpu/halfapi/cpu.cfs_quota_us, then launch with

cgexec -g "cpu:/halfapi" php halfapi.php half >/dev/null 2>&1

.

By enabling fine‑grained resource control, cgroups underpin technologies like Docker containers, Linux‑based PaaS, and cloud‑native platforms that need to isolate and limit workloads.