This article systematically explains why Linux processes may disappear, covering OOM Killer, signal termination, cgroup limits, systemd timeouts, manual kills, and provides step‑by‑step diagnostic commands and preventive measures for RHEL, AlmaLinux, and Ubuntu environments.
Ubuntu 26.04 LTS introduces three non‑reversible changes—cgroup v1 removal, a Rust‑rewritten sudo, and Rust‑based coreutils—that will block upgrades unless administrators audit, migrate, and validate their environments before the April 23 deadline.
Learn a step‑by‑step process for migrating Kubernetes clusters (v1.24+) from the deprecated Docker runtime to the native Containerd CRI, covering compatibility checks, node preparation, installation, configuration, node draining, kubelet updates, validation, and common pitfalls such as cgroup driver mismatches.
This comprehensive guide explains the fundamentals of Linux memory cgroups, walks through their creation and configuration, details core kernel mechanisms such as OOM handling and hierarchical limits, and provides practical Bash scripts for Docker, Kubernetes, and multi‑tenant environments to help engineers reliably control memory usage.
This article explains Linux’s Completely Fair Scheduler, its data structures, how weight‑based CPU allocation works for containers via cgroup v1 and v2, and demonstrates the calculation of vruntime and practical examples of resource distribution across services.
This article explains Docker's architecture, covering how images serve as read‑only templates, how registries store and distribute images, and how containers use namespaces and cgroups to provide lightweight, isolated, and portable runtime environments for modern cloud‑native applications.
This guide walks through Docker container fundamentals, covering how to run containers with CMD or ENTRYPOINT, keep them alive, attach or exec into them, stop/start/restart, pause/unpause, remove, apply memory, CPU and block I/O limits, and explains the underlying cgroup and namespace technologies that enforce isolation and resource control.
This article explains why many Android threads appear idle despite free CPU cycles, by dissecting Linux's five scheduler classes, the distinction between RT and fair scheduling, the role of virtual runtime and weight, and how cgroup cpu.shares can reshape resource distribution, supported by concrete systrace experiments.
This article explains why Kubernetes containers often show near‑full memory usage by exploring Linux process address spaces, the distinction between RSS and page cache, how cgroup statistics are collected, and provides step‑by‑step C and Go examples to reproduce and diagnose the behavior.
This article explains how Kubernetes resource requests and limits map to Linux cgroup settings via the CFS scheduler, illustrates the underlying calculations for cpu.shares and cpu.cfs_quota_us, and discusses the impact on programming languages such as Go and Java within containers.
This article explains Linux's process scheduling policies—including real‑time, normal, batch, idle, and deadline—how priorities are assigned, the default CFS scheduler, and practical methods to adjust scheduling and CPU affinity using the chrt command, systemd settings, and cgroup cpuset controls.
This guide explains how to run Docker containers, keep them alive, enter them, manage their lifecycle, apply best practices, set resource limits for memory, CPU, and I/O, and understand the underlying cgroup and namespace technologies that isolate and control container behavior.
This article explains the background, purpose, and detailed implementation of the Linux kernel cgroup freezer subsystem, including its data structures, command‑line usage, signal‑based freeze workflow, and a practical experiment that demonstrates process suspension and power savings on ARM64.
This article introduces the "You Call This Thing Cloud Native" series by tracing the evolution of container technology—from early virtual machines and Linux namespaces to Docker’s image system—explaining why containers surged in popularity around 2013 and what fundamentals readers should grasp.
By deploying the self‑developed Amiya over‑commit component together with kernel‑level cgroup memory isolation, explicit task priorities, OOM‑priority killing, and asynchronous reclamation, Bilibili’s big‑data clusters boosted daily resource utilization by about 15 %, eliminated DataNode OOM kills, cut memory‑reclaim latency to zero, and achieved a further 9 % overall efficiency gain.
This article explains Docker’s core architecture—including images, containers, and registries—and details how Linux namespaces, cgroups, and UnionFS work together to provide resource isolation, limitation, and lightweight virtualization, while also offering promotional links to extensive architecture and interview collections.
From legacy spinning-disk optimizations to modern SSD-focused QoS, Linux’s I/O scheduler landscape has evolved through noop, deadline, cfq and now multiqueue designs such as Kyber, MQ-Deadline, and BFQ, each employing distinct latency, deadline, and budget-fairness algorithms, supporting cgroup/ionice priorities, and complemented by numerous experimental out-of-tree implementations.
This guide explains Docker's core architecture, lists the most frequently used Docker commands, compares containers with traditional virtual machines, and dives into the underlying Linux technologies—namespaces, cgroups, and union file systems—that make containerization possible.
This article provides a detailed, code‑driven explanation of how Linux cgroup’s CPU subsystem manages container CPU usage, covering cgroup creation, limit configuration, kernel object relationships, scheduler integration, bandwidth enforcement, and the role of period and slack timers.
This article explains how Linux ulimit and cgroup mechanisms can be used to restrict file descriptors, memory, and thread counts in containerized environments, compares Docker and Kubernetes configurations, presents experimental results on fd and thread limits, and offers practical recommendations for configuring default‑ulimits, pod‑max‑pids, and system limits.
TencentOS “Wujing” provides a server‑memory multi‑level offloading framework that uses kernel‑side reclamation, heat‑aware page classification, SWAP balancing, and CXL promotion to shift cold pages to cheaper storage, cutting data‑center memory use by up to 50 % while preserving performance.
This article explains how to correctly obtain CPU utilization inside containers, compares host and container metrics, describes the use of lxcfs and cgroup files (including cgroup V1/V2) for accurate measurement, and clarifies why container statistics omit nice, irq, and softirq fields.
This article explains how Linux cgroup’s CPU controller works, covering the creation of cgroups, the kernel structures involved, how CPU time limits are configured via cfs_period_us and cfs_quota_us, how processes are attached to cgroups, and the scheduling mechanisms that enforce bandwidth limits in containers.
A detailed post‑mortem explains how excessive cgroup files, kubelet's sys‑CPU usage, soft‑interrupt scheduling delays, and a buggy page‑free routine caused intermittent hundreds‑of‑milliseconds network latency in an Alibaba Cloud ACK cluster, and how targeted CPU binding and kernel patches resolved the issue.
The article explains Linux cgroup architecture and initialization in kernel 5.10, covering its hierarchical composition, key data structures like css_set, the two‑phase boot‑time setup, creation of cgroups, and task assignment mechanisms for both cgroup v1 and v2.
This article explains how Linux's ulimit and cgroup mechanisms can be used to restrict file descriptors and thread counts in Docker and Kubernetes environments, compares configuration methods, presents experimental results, and offers practical recommendations for setting limits at the container, pod, and host levels.
This article explains why Java applications running in Kubernetes containers are often terminated with OOMKilled (exit code 137), analyzes the underlying JVM memory‑limit mismatches, and provides practical solutions using cgroup‑aware JVM flags and memory‑tuning techniques.
The article explains why Linux’s Completely Fair Scheduler introduced group scheduling, how Android configures task groups via cpu.shares and Process.java, and details the kernel structures (task_group, sched_entity, cfs_rq) and algorithms for weight calculation, load measurement, propagation, and hierarchical load balancing.
Koordinator v1.1 introduces load‑aware scheduling with workload‑type awareness, percentile‑based resource aggregation, cgroup v2 support, a new LowNodeLoad descheduler plugin for load‑aware rebalancing, expanded performance collectors, ServiceMonitor integration, and detailed configuration examples, aiming to improve latency‑sensitive workloads and overall cluster resource efficiency.
This article explains Linux's Pressure Stall Information (PSI) mechanism, its /proc and cgroup interfaces, how to monitor CPU, memory, and I/O pressure, and presents code‑level optimizations to reduce PSI overhead and improve system performance.
A whimsical tale explains how Docker solves application deployment pain by using chroot/pivot_root for filesystem isolation, Linux namespaces to hide host resources, and cgroups to limit CPU, memory, and I/O, illustrating core container technologies with practical code snippets.
This article explores how Kubernetes Pods differ from simple containers by examining their underlying implementation, shared network and IPC namespaces, cgroup hierarchies, and the role of the pause sandbox, while also demonstrating how similar pod-like behavior can be achieved using Docker and cgroup tools.
The article introduces Linux cgroups as a kernel feature for limiting resources, explains their terminology and functions, and demonstrates a hands‑on experiment that creates a CPU cgroup, sets cpu.cfs_quota_us to restrict a process to roughly 25 % CPU usage, confirming effective resource control.
The article explains how attackers can break out of Docker containers by exploiting misconfigurations, vulnerable Docker components, kernel bugs, or Kubernetes RBAC errors, illustrates real‑world exploits such as host‑proc mounts and CVE‑2019‑5736, and provides mitigation steps like limiting privileges, updating software, and securing configurations.
This article walks through the Linux 2.6.25 CGroup implementation by examining core kernel structures such as cgroup, cgroup_subsys_state, mem_cgroup, css_set, and cgroup_subsys, explaining how they form hierarchical resource control, how mounting and task attachment work, and how memory limits are enforced.
This article explains Linux processes and threads, their relationship, key kernel parameters like ulimit, threads‑max, and pid_max, and how to limit thread and PID usage in containers using cgroups, Docker, and Kubernetes to prevent resource exhaustion.
This article explains the role of Linux cgroup and namespace technologies in providing resource isolation and security for containers, traces their historical development from early chroot mechanisms to modern Docker and Kubernetes, and details cgroup architecture, core files, migration, delegation, and practical usage examples.
This article explains the problem of inaccurate /proc information in container environments, introduces LXCFS as a FUSE‑based solution that maps cgroup data to /proc, and provides step‑by‑step instructions for installing, mounting, and using LXCFS with Docker and Kubernetes.
This article explains the challenges of uncontrolled page‑cache growth in containerized workloads, reviews community attempts to limit it, and details TencentOS “Ruyi” memory‑QoS solutions—including cgroup‑level page‑cache limits, implementation details, and observed performance effects.
This article demonstrates how to accurately measure and restrict the CPU consumption of a CPU‑intensive third‑party SDK by creating and configuring cgroup and cpuset groups, binding the process to a single core, and verifying the limits with stress testing tools.
This article explains TencentOS “Ruyi” network QoS, detailing its resource isolation concepts, tc+htb and cgroup configurations, performance testing, and the advantages of the Ruyi netqos scheme over traditional tc solutions for mixed online and offline container workloads.
This article presents a systematic investigation of MySQL's open_files_limit setting across three scenarios—conflict between my.cnf and systemd service, effectiveness when using mysqld_safe, and the impact of Docker's own limits—revealing which source actually controls the maximum number of open files.
Linux cgroups are a kernel mechanism that groups processes into hierarchical directories, each subsystem (e.g., freezer, CPU, memory, IO) exposing control files such as cgroup.procs and freezer.state, with core data structures like cgroup_subsys, cgroup, css_set linking threads to multiple subsystems and enabling resource policies, freezing, throttling, and allocation.
This article explains how Docker leverages Linux namespaces to isolate system resources, outlines the six core namespaces and newer additions, clarifies common misconceptions such as the Mount namespace flag, and details the internal nsproxy structure that links processes to their namespaces.
This article explains how Docker relies on Linux's eight namespace types and cgroups to achieve fine‑grained isolation, demonstrates practical unshare commands for PID, mount, UTS, IPC, user, and network namespaces, and highlights the role of namespaces in container security and resource management.
This article explains how to enable Linux CGroup support in Hadoop Yarn NodeManager to limit container CPU usage, detailing required configuration properties, hierarchy setup, CPU limit parameters, and a critical kernel version caveat.
This article explains how to modify systemd unit files or use systemctl commands to set resource isolation parameters such as CPUQuota and MemoryLimit, demonstrates the changes with a MySQL CPU‑usage experiment, and describes the underlying cgroup and systemd mechanisms on Linux 7.
This article explains why container resource view isolation is needed, outlines common scenarios where lack of isolation causes issues, and demonstrates how to achieve isolation using Lxcfs together with a Kubernetes mutating admission webhook, including configuration details and sample scripts.
This article explains how lxcfs, a FUSE‑based user‑space filesystem, isolates the /proc and /sys virtual files for containers, details its implementation for reading cpuonline and load average, and provides code examples of the core functions that enable per‑container system metric visibility.
This article explains how lxcfs uses FUSE and cgroup technology to isolate /proc and /sys files inside containers, showing the implementation details of cpuonline and loadavg handling, and includes key source code snippets that illustrate the isolation mechanism.
This article demonstrates creating Node.js Worker Threads to compute Fibonacci numbers, explains message passing via workerData and parentPort, explores shared memory with SharedArrayBuffer, and shows how to isolate and limit thread CPU usage using Linux CGroup controls, including retrieving thread IDs via a custom native addon.
This article shares Alibaba Cloud Container Platform's practical experience in improving container resource utilization by dynamically adjusting cgroup limits, describing real‑world challenges, the design of a policy‑engine solution, experimental results, lessons learned, and future directions for cloud‑native workloads.
Tencent’s TLinux team introduced a kernel‑level mixed‑deployment framework that adds an offline scheduling class and load‑balancing algorithm, enabling online tasks to instantly pre‑empt offline work and boosting whole‑machine CPU utilization to as high as 90% while preserving latency‑sensitive service performance.
This article analyzes the lack of thread‑count limits in a Kubernetes‑based private cloud platform, reproduces the issue with a Python multiprocessing script, and proposes a solution that combines the cgroup pids subsystem with inotify to enforce per‑container thread limits and provide real‑time alerts.
This guide explains Docker's Namespace and Cgroup mechanisms, shows how to configure them to limit resources and isolate containers, and demonstrates practical commands for protecting container security while highlighting their limitations.
This article examines the unique challenges of monitoring containers, outlines three categories of metrics to collect, compares host‑centric and layered monitoring architectures, provides detailed methods for gathering CPU, memory, I/O and network data via cgroup files and Docker commands, and shares practical insights, tooling recommendations, and a Q&A session for effective container observability.
This article compares traditional hypervisor‑based virtualization with Docker container technology, detailing how containers use shared kernels, namespaces, cgroups, AUFS, and device mapper to achieve lightweight isolation and higher resource efficiency.
This article provides a comprehensive technical overview of Linux virtualization technologies, covering hardware-assisted CPU VT, chroot system call, cgroup resource control, namespace isolation, and their integration in container solutions like LXC and Docker, with code snippets and architecture diagrams.
This article details how the e‑commerce company 1号店 selected the Storm framework to create a low‑cost, highly available, and easily scalable distributed stream‑processing system, covering architecture design, resource isolation with CGroup, custom UI improvements, and operational lessons for handling massive traffic spikes.
This article provides a comprehensive overview of systemd, the modern Linux init system, covering its design goals, compatibility with SysVinit, parallel boot advantages, on‑demand activation, CGroup‑based process tracking, unit types, dependency handling, snapshot and journal capabilities, as well as practical guidance for developers and system administrators.
