cgroups
cgroups
(abbreviated from control groups) is a Linux kernel feature that limits, account for, and isolates the resource usage of a collection of processes.
Features
- resource limiting
- groups can be set to not exceed a memory limit, which also includes the file system cache
- prioritization
- some groups may get a larger share of CPU utilization or disk I/O throughput
- accounting
- measures a group’s resource usage, which may be used, for example, for billing purposes
- control
- freezing groups of processes, their Application checkpointing and restarting
Use
A cgroup is a collection of processes that are bound by the same criteria and associated with a set of parameters or limits. And can be hierarchical, meaning that each group inherits limits from its parent group.
The kernel provides access to multiple controllers(also called subsystems
) through the cgroup interface.
Cgroups can be used in multiple ways:
- By accessing the cgroup virtual file system manually
- By creating and managing groups on the fly using tools like
cgcreate
,cgexec
, andcgclassify
fromlibcgroup
- Through the “rules engine daemon” that can automatically move processes of certain users, groups, or commands to cgroups as specified in its configuration
-
systemd-cgtop
command can be used to show top control groups by their resource usage. - Checking which the process in the
cgroups
cat /proc/<pid>/cgroup
- Checking the SELinux labels
ps -eZ|grep systemd
- Checking the capabilities
grep Cap /proc/<pid>/status
- Checking the namespace that
process
in
ls -l /proc/<pid>/ns
What’s the capabilities?
In order to avoid that the containers attack to each other or the host. SELinux(seccomp capabilities) and the other help on this. Linux split the privileges of the traditional and root user to the different unit, called Capabilities.
Capabilities as the one of the attribute of the process(Linux does not really care about the process and threads), and every unit can be activate and deactivate.
So, we can see that the mechanism here:
- If the process want to get high level permissions without the root. The mechanism will check the the capability with the privileges or not.
-
And the result will confirm that the activities can continue or aborted
-
For example
- If we want to send
kill()
, we need have the capability namedCAP_KILL
. - If we want to setup the operate system time, we need to get capability named
CAP_SYS_TIME
- If we want to send
-
Conclusion
Above talks about the cgroups
and what it can do. We will talk more deeply how the cgroups implementation in GNU-Linux.
Source Of Read