Cgroups
cgroups is a Linux kernel feature to limit, account for and isolate the resource usage (CPU, memory, disk I/O, etc.) of process groups. This work was started by Rohit Seth in 2006 under the name "process containers"; in late 2007 it was renamed to cgroups and merged into kernel version 2.6.24. Since then, many new features and controllers have been added.

Features

One of the design goals of cgroups was to provide a unified interface to many different use cases, from controlling single processes (like nice) to whole operating system-level virtualization (like OpenVZ, Linux-VServer). Cgroups provides:
  • Resource limiting: groups can be set not to exceed a configured memory limit, which also includes the file system (page) cache. The original paper was presented at the Linux Symposium and can be found under the title "Containers: Challenges with the memory resource controller and its performance".
  • Prioritization: some groups may get a larger share of CPU or disk I/O throughput.
  • Accounting: measures how many resources certain systems use, e.g. for billing purposes.
  • Isolation: separate namespaces for groups, so they don't see each other's processes, network connections or files.
  • Control: freezing groups, or checkpointing and restarting them.

Usage

A control group is a collection of processes that are bound by the same criteria. These groups can be hierarchical, where each group inherits limits from its parent group. The kernel provides access to multiple controllers (subsystems) through the cgroup interface. For instance, the "memory" controller limits memory use, the "ns" controller separates processes into isolated namespaces, "cpuacct" accounts CPU usage, etc.

Control groups can be used in multiple ways:
  • By accessing the cgroup virtual file system manually
  • By creating and managing groups on the fly using tools like cgcreate, cgexec and cgclassify (from libcgroup)
  • Through the "rules engine daemon", which can automatically move processes of certain users, groups or commands to cgroups as specified in its configuration
  • Indirectly through other software that uses cgroups, such as Linux Containers (LXC) virtualization or libvirt

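The first of these ways, driving the cgroup virtual file system directly, is shown below as an added example written for this page; it is not code from the article, from the kernel or from libcgroup. It creates a group under the memory controller, caps it, moves a process into it by writing a PID to the group's tasks file, and parses the kernel's /proc/<pid>/cgroup records to report which memory group a process occupies. The mount point /sys/fs/cgroup/memory (the conventional cgroup v1 layout) and the group name "demo" are assumptions, not values from the article.

```shell
#!/bin/sh
# Added example, not from the article: driving the cgroup v1 memory controller
# by hand through its virtual file system, plus a helper that parses the
# kernel's /proc/<pid>/cgroup records to find which memory cgroup a process
# is in. Assumptions: the memory controller is mounted at the conventional
# v1 location /sys/fs/cgroup/memory, and the group name "demo" is our choice.

CG_ROOT=${CG_ROOT:-/sys/fs/cgroup/memory}

# Convert a size with an optional K/M/G suffix (e.g. 256M) into bytes, the
# unit memory.limit_in_bytes expects.
to_bytes() {
    case "$1" in
        *K) echo $(( ${1%K} * 1024 )) ;;
        *M) echo $(( ${1%M} * 1024 * 1024 )) ;;
        *G) echo $(( ${1%G} * 1024 * 1024 * 1024 )) ;;
        *)  echo "$1" ;;
    esac
}

# Create group $1 under the memory controller, cap it at $2 bytes and run the
# remaining arguments inside it (needs root and the v1 layout assumed above).
run_in_memory_cgroup() {
    group=$1; limit=$2; shift 2
    mkdir -p "$CG_ROOT/$group"
    echo "$limit" > "$CG_ROOT/$group/memory.limit_in_bytes"
    # A child shell writes its own PID into "tasks", which moves it into the
    # group, then execs the command; the command inherits the membership and
    # the limit while the caller stays outside the group.
    sh -c 'echo $$ > "$0/tasks" && exec "$@"' "$CG_ROOT/$group" "$@"
}

# Read /proc/<pid>/cgroup on stdin. Each v1 line is
# "hierarchy-ID:comma-separated-controllers:path"; print the path the process
# occupies under controller $1. Prints nothing (status 1) when no mounted
# hierarchy carries that controller; the unified v2 hierarchy's single line
# ("0::/path") has an empty controller list and therefore never matches.
cgroup_path_for() {
    while IFS=: read -r _hid ctrls path; do
        case ",$ctrls," in
            *",$1,"*) printf '%s\n' "$path"; return 0 ;;
        esac
    done
    return 1
}

# Constructed sample of a v1 /proc/<pid>/cgroup, as a process placed in the
# "demo" memory group would show it (not captured from a real system).
SAMPLE_PROC_CGROUP='12:pids:/user.slice
4:memory:/demo
2:cpu,cpuacct:/'

demo() {
    printf '%s\n' "$SAMPLE_PROC_CGROUP" | cgroup_path_for memory   # /demo
    # Only on a root shell with the v1 memory controller mounted: cap a real
    # command at 256 MiB and let it report its own group and current usage.
    if [ "$(id -u)" -eq 0 ] && [ -f "$CG_ROOT/memory.limit_in_bytes" ]; then
        run_in_memory_cgroup demo "$(to_bytes 256M)" sh -c \
            'cat /proc/self/cgroup; cat "$0/memory.usage_in_bytes"' "$CG_ROOT/demo"
    fi
}

# Run as "sh cgroup_demo.sh --run" to execute the demonstration.
if [ "${1:-}" = "--run" ]; then demo; fi
```

The parsing helper works on any process's record, so the same script can be used on a live system to audit which group a suspicious PID was placed in, or to confirm that a service really landed in the group an administrator intended.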
Namespace isolation

While not technically part of the cgroups work, a related feature is namespace isolation, where groups of processes are separated such that they cannot "see" resources in other groups. For example, a PID namespace provides a separate enumeration of process identifiers within each namespace. Also available are mount, UTS, network and SysV IPC namespaces. If the "ns" cgroup is mounted, each namespace will also create a new group in the cgroup hierarchy.
  • The PID namespace provides isolation for the allocation of process identifiers (PIDs), lists of processes and their details. While the new namespace is isolated from its siblings, processes in its "parent" namespace still see all processes in child namespaces, albeit with different PID numbers.
  • The network namespace isolates the network interface controllers (physical or virtual), iptables firewall rules, routing tables etc. Network namespaces can be connected with each other using the "veth" virtual Ethernet device.
  • The UTS namespace allows changing the hostname.
  • The mount namespace allows creating a different file system layout, or making certain mount points read-only.
  • The IPC namespace isolates the System V inter-process communication between namespaces.

Namespaces are created with the "unshare" command or syscall, or by passing new flags to the "clone" syscall.
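The following added example, written for this page and not taken from the article or from util-linux, shows how namespace membership is observed and compared from user space: the kernel exposes each namespace a process belongs to as a link /proc/<pid>/ns/<type>, and two processes share a namespace exactly when their link targets carry the same identifier. It also includes the check a defender typically wants, whether a given PID is confined in any namespace that PID 1 is not in, and a root-only demonstration with the util-linux "unshare" command of the UTS and PID behaviour described above. The sample link targets are constructed values.

```shell
#!/bin/sh
# Added example, not from the article: how namespace membership is observed
# from user space. For every namespace type a process belongs to, the kernel
# exposes a magic symlink /proc/<pid>/ns/<type> whose target reads like
# "uts:[4026531838]". The bracketed number identifies the namespace, so two
# processes share a namespace exactly when those numbers match. The live
# part uses util-linux "unshare" and needs root (CAP_SYS_ADMIN).

# Extract the identifier from a ns-link target such as "pid:[4026531836]".
ns_inode() {
    inode=${1#*\[}
    printf '%s\n' "${inode%]}"
}

# Pure comparison of two ns-link targets; status 0 when they name the same
# namespace. Used for the constructed sample and by same_namespace below.
same_ns_target() {
    [ "$(ns_inode "$1")" = "$(ns_inode "$2")" ]
}

# Compare the $3 namespace (pid, mnt, net, uts, ipc, ...) of PIDs $1 and $2 on
# the live system. Status 2 means a link could not be read (the target
# process is gone, or we lack permission to inspect it).
same_namespace() {
    a=$(readlink "/proc/$1/ns/$3") && b=$(readlink "/proc/$2/ns/$3") || return 2
    same_ns_target "$a" "$b"
}

# Defender's check: is PID $1 confined in any namespace that PID 1 is not in?
# Status 0 = yes (it runs in some container or sandbox), 1 = no, 2 = unknown.
in_foreign_namespace() {
    for t in pid mnt net uts ipc; do
        same_namespace 1 "$1" "$t"
        case $? in
            1) return 0 ;;
            2) return 2 ;;
        esac
    done
    return 1
}

# Live demonstration (root only): a child in a fresh UTS namespace changes its
# hostname without affecting ours, and its uts identifier differs from ours;
# a child in a fresh PID namespace sees itself as PID 1.
demo() {
    parent_uts=$(readlink /proc/self/ns/uts)
    child_uts=$(unshare --uts sh -c 'hostname ns-demo; readlink /proc/self/ns/uts')
    echo "parent uts: $parent_uts   child uts: $child_uts"
    if same_ns_target "$parent_uts" "$child_uts"; then
        echo "child shares our UTS namespace (unshare had no effect)"
    else
        echo "child is in a separate UTS namespace; our hostname is still $(hostname)"
    fi
    unshare --pid --fork --mount-proc sh -c 'echo "inside the new PID namespace I am PID $$"'
}

# Run as "sh ns_demo.sh --run" (as root) to execute the demonstration.
if [ "${1:-}" = "--run" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "demo needs root" >&2; exit 1; }
    demo
fi
```

Comparing identifiers rather than hostnames or PID lists is the reliable test: a process can change its hostname or hide from ps without leaving its namespace, but it cannot make its ns link point anywhere other than the namespace it is actually in.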

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.