Understanding Linux cgroups: Concepts, Hierarchy, Filesystem, and Usage
This article explains Linux cgroups: their subsystems, hierarchical structure, kernel implementation via VFS, mounting and configuration methods, and practical examples. It shows how they provide fine‑grained resource control for processes and containers.
cgroups (control groups) is a Linux kernel mechanism that allows fine‑grained limitation of resources such as CPU, memory, blkio, etc., and is the basis for lightweight containers like Docker.
The article first explains the concept and the various subsystems (cpu, cpuacct, cpuset, memory, blkio, devices, net_cls, freezer, ns) that each control a specific resource.
It then describes the hierarchical structure of cgroups, where each cgroup is represented by a kernel cgroup struct and can be arranged in a tree; each hierarchy can attach one or more subsystems, and weight values can be set per node.
The relationship between processes and cgroups is a many‑to‑many mapping via the css_set structure; a process belongs to a single css_set, which can contain many processes, and a css_set can be linked to nodes in multiple hierarchies.
cgroups are exposed to user space through a virtual file system (VFS). The VFS abstracts the underlying filesystem, and the cgroup filesystem implements the superblock, inode, dentry and file objects. Key kernel structures are shown:

    /* Filesystem type registered under the name "cgroup" */
    static struct file_system_type cgroup_fs_type = {
        .name = "cgroup",
        .mount = cgroup_mount,
        .kill_sb = cgroup_kill_sb,
    };

    /* Superblock operations */
    static const struct super_operations cgroup_ops = {
        .statfs = simple_statfs,
        .drop_inode = generic_delete_inode,
        .show_options = cgroup_show_options,
        .remount_fs = cgroup_remount,
    };

    /* Directory inode operations: mkdir/rmdir create and remove cgroups */
    static const struct inode_operations cgroup_dir_inode_operations = {
        .lookup = cgroup_lookup,
        .mkdir = cgroup_mkdir,
        .rmdir = cgroup_rmdir,
        .rename = cgroup_rename,
    };

    /* File operations: read/write on the control files inside a cgroup directory */
    static const struct file_operations cgroup_file_operations = {
        .read = cgroup_file_read,
        .write = cgroup_file_write,
        .llseek = generic_file_llseek,
        .open = cgroup_file_open,
        .release = cgroup_file_release,
    };

Users can mount the cgroup filesystem (e.g., mount -t cgroup -o cpu,memory cpu_mem /cgroup/cpu_mem), create groups with cgcreate, set parameters by writing to files under the group directory or using cgset, and attach processes via cgclassify or cgexec.
Practical examples show how to limit a PHP task to 50 % CPU using a cpu subsystem group, and discuss how cgroups replace older tools like nice or cpulimit for group‑wide resource control.
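The 50 % CPU cap described above, written out as an added shell example that is not code from the original article. It assumes a cgroup v1 cpu hierarchy mounted at /sys/fs/cgroup/cpu and that the cap is set through the CFS bandwidth files cpu.cfs_period_us and cpu.cfs_quota_us; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: cap a cgroup v1 "cpu" group at a percentage of one CPU.
# Assumes the cpu hierarchy is already mounted at CG_ROOT and the kernel
# exposes the CFS bandwidth files cpu.cfs_period_us / cpu.cfs_quota_us.
CG_ROOT="${CG_ROOT:-/sys/fs/cgroup/cpu}"   # assumed mount point
PERIOD_US=100000                           # CFS period of 100 ms

# quota_for_percent PCT: print the quota (in us per period) for PCT percent.
quota_for_percent() {
    case "$1" in
        ''|0*|*[!0-9]*) echo "percent must be a positive integer" >&2; return 1 ;;
    esac
    echo $(( $PERIOD_US * $1 / 100 ))
}

# cg_limit_cpu GROUP PCT: create the group directory and write its limit.
cg_limit_cpu() {
    case "$1" in
        ''|/*|*..*) echo "refusing unsafe group name: $1" >&2; return 1 ;;
    esac
    quota=$(quota_for_percent "$2") || return 1
    mkdir -p "$CG_ROOT/$1" || return 1
    echo "$PERIOD_US" > "$CG_ROOT/$1/cpu.cfs_period_us" || return 1
    echo "$quota" > "$CG_ROOT/$1/cpu.cfs_quota_us" || return 1
}

# cg_attach GROUP PID: move the whole process (all threads) into the group.
cg_attach() {
    echo "$2" > "$CG_ROOT/$1/cgroup.procs"
}

# cg_verify GROUP PCT: read the limit back instead of trusting the write.
cg_verify() {
    want=$(quota_for_percent "$2") || return 1
    got=$(cat "$CG_ROOT/$1/cpu.cfs_quota_us") || return 1
    [ "$got" = "$want" ]
}

# Usage: sh cpu_cap.sh GROUP PCT PID   (file name is hypothetical)
if [ "$#" -eq 3 ]; then
    cg_limit_cpu "$1" "$2" && cg_attach "$1" "$3" && cg_verify "$1" "$2"
fi
```

Group names that are absolute or contain `..` are rejected so the writes cannot land outside the mounted hierarchy.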
The article concludes that cgroups provide powerful fine‑grained resource isolation, are implemented in the kernel and exposed through VFS, and are widely used in containers and cloud platforms.
Qunar Tech Salon
Qunar Tech Salon is a learning and exchange platform for Qunar engineers and industry peers. We share cutting-edge technology trends and topics, providing a free platform for mid-to-senior technical professionals to exchange and learn.