Aisuko Li

Aisuko Li

Interested in Quantum computing and MIT-Scheme, Student of RMIT

cgroups

1 minute read

cgroups (abbreviated from control groups) is a Linux kernel feature that limits, account for, and isolates the resource usage of a collection of processes.

Features

  • resource limiting
    • groups can be set to not exceed a memory limit, which also includes the file system cache
  • prioritization
    • some groups may get a larger share of CPU utilization or disk I/O throughput
  • accounting
    • measures a group’s resource usage, which may be used, for example, for billing purposes
  • control

Use

A cgroup is a collection of processes that are bound by the same criteria and associated with a set of parameters or limits. And can be hierarchical, meaning that each group inherits limits from its parent group.

The kernel provides access to multiple controllers(also called subsystems) through the cgroup interface.

Cgroups can be used in multiple ways:

  • By accessing the cgroup virtual file system manually
  • By creating and managing groups on the fly using tools like cgcreate, cgexec, and cgclassify from libcgroup
  • Through the “rules engine daemon” that can automatically move processes of certain users, groups, or commands to cgroups as specified in its configuration

  • systemd-cgtop command can be used to show top control groups by their resource usage.

  • Checking which the process in the cgroups
cat /proc/<pid>/cgroup
  • Checking the SELinux labels
ps -eZ|grep systemd
  • Checking the capabilities
grep Cap /proc/<pid>/status
  • Checking the namespace that process in
ls -l /proc/<pid>/ns

What’s the capabilities?

In order to avoid that the containers attack to each other or the host. SELinux(seccomp capabilities) and the other help on this. Linux split the privileges of the traditional and root user to the different unit, called Capabilities.

Capabilities as the one of the attribute of the process(Linux does not really care about the process and threads), and every unit can be activate and deactivate.

So, we can see that the mechanism here:

  • If the process want to get high level permissions without the root. The mechanism will check the the capability with the privileges or not.

    • And the result will confirm that the activities can continue or aborted

    • For example

      • If we want to send kill(), we need have the capability named CAP_KILL.
      • If we want to setup the operate system time, we need to get capability named CAP_SYS_TIME

Conclusion

Above talks about the cgroups and what it can do. We will talk more deeply how the cgroups implementation in GNU-Linux.

Source Of Read

You May Also Enjoy

How to read a paper

1 minute read

Overview It is important for us to read a paper as soon as we can. So, here is a useful strategy.

Foreign Function Interface In Rust

less than 1 minute read

FFI The Foreign Function Interface (FFI) is a feature of many programming languages that allows them to call functions and use data structures defined in ano...