cgroups (abbreviated from control groups) is a Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes.
Engineers at Google started the work on this feature in 2006 under the name "process containers". In late 2007, the nomenclature changed to "control groups" to avoid confusion caused by multiple meanings of the term "container" in the Linux kernel context, and the control groups functionality was merged into the Linux kernel mainline in kernel version 2.6.24, which was released in January 2008. Since then, developers have added many new features and controllers, such as support for kernfs in 2014, firewalling, and unified hierarchy. cgroup v2 was merged in Linux kernel 4.5 with significant changes to the interface and internal functionality.
Versions
There are two versions of cgroups.
Cgroups was originally written by Paul Menage and Rohit Seth, and mainlined into the Linux kernel in 2007. This original implementation is now called cgroups version 1.
Development and maintenance of cgroups was then taken over by Tejun Heo, who redesigned and rewrote cgroups. This rewrite is now called version 2; the documentation of cgroup v2 first appeared in Linux kernel 4.5, released on 14 March 2016.
Unlike v1, cgroup v2 has only a single process hierarchy and discriminates between processes, not threads.
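How the two versions show up for a process, as an added example that is not part of the original article: each line of /proc/<pid>/cgroup has the form hierarchy-ID:controller-list:path, and the single v2 hierarchy is the line "0::<path>". The helper names and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify a process's cgroup setup from /proc/<pid>/cgroup text.
# Line format: hierarchy-ID:controller-list:cgroup-path
#   v1 line: non-zero ID plus a controller list, one line per mounted hierarchy
#   v2 line: "0::<path>", the single unified hierarchy (empty controller list)
# cgroup_mode and cgroup_v2_path are hypothetical helper names.

cgroup_mode() (
    # stdin: contents of /proc/<pid>/cgroup; stdout: v1, v2, hybrid or unknown
    v1=0; v2=0
    while IFS=: read -r id ctrls path || [ -n "$id" ]; do
        if [ "$id" = "0" ] && [ -z "$ctrls" ]; then
            v2=1
        elif [ -n "$ctrls" ] && [ "${ctrls#name=}" = "$ctrls" ]; then
            v1=1    # a controller bound to a v1 hierarchy (named-only ones skipped)
        fi
    done
    case "$v1$v2" in
        10) echo v1 ;;
        01) echo v2 ;;
        11) echo hybrid ;;
        *)  echo unknown ;;
    esac
)

cgroup_v2_path() (
    # stdout: the path in the unified hierarchy; exit status 1 if there is none
    while IFS=: read -r id ctrls path || [ -n "$id" ]; do
        if [ "$id" = "0" ] && [ -z "$ctrls" ]; then
            printf '%s\n' "$path"
            exit 0
        fi
    done
    exit 1
)

# Constructed samples, not captured from a real host.
SAMPLE_V1='12:memory:/docker/example
11:cpu,cpuacct:/docker/example
1:name=systemd:/docker/example'
SAMPLE_V2='0::/system.slice/sshd.service'
SAMPLE_HYBRID='5:pids:/user.slice
1:name=systemd:/user.slice/session-1.scope
0::/user.slice/session-1.scope'

if [ -r /proc/self/cgroup ]; then
    echo "this shell: $(cgroup_mode < /proc/self/cgroup)"
fi
```

A v1 process appears once per mounted hierarchy, which is why a v1 sample can list different paths per controller, while a v2 process has exactly one path.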
Features
One of the design goals of cgroups is to provide a unified interface to many different use cases, from controlling single processes (by using nice, for example) to full operating system-level virtualization (as provided by OpenVZ, Linux-VServer or LXC, for example). Cgroups provides:
; Resource limiting
: groups can be set to not exceed a configured memory limit, which also includes the file system cache, I/O bandwidth limit, CPU quota limit, or CPU set limit.
; Prioritization
: some groups may get a larger share of CPU utilization or disk I/O throughput
; Accounting
: measures a group's resource usage, which may be used, for example, for billing purposes
; Control
: freezing groups of processes, their checkpointing and restarting
Use

A control group (abbreviated as cgroup) is a collection of processes that are bound by the same criteria and associated with a set of parameters or limits. These groups can be hierarchical, meaning that each group inherits limits from its parent group. The kernel provides access to multiple controllers (also called subsystems) through the cgroup interface;
for example, the "memory" controller limits memory use, "cpuacct" accounts CPU usage, etc.
Control groups can be used in multiple ways:
* By accessing the cgroup virtual file system manually.
* By creating and managing groups on the fly using tools like cgcreate, cgexec, and cgclassify (from libcgroup).
* Through the "rules engine daemon" that can automatically move processes of certain users, groups, or commands to cgroups as specified in its configuration.
* Indirectly through other software that uses cgroups, such as Docker, Firejail, LXC, libvirt, systemd, Open Grid Scheduler/Grid Engine, and Google's developmentally defunct lmctfy.
The Linux kernel documentation contains some technical details of the setup and use of control groups version 1 and version 2.
The systemd-cgtop command can be used to show the top control groups by their resource usage.
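Manual access to the cgroup virtual file system, as an added example that is not part of the original article: it sets a memory limit and a task-count limit on a new group using the cgroup v2 interface files cgroup.subtree_control, memory.max, pids.max and cgroup.procs. It assumes cgroup v2 is mounted at /sys/fs/cgroup and that the caller is root or owns a delegated subtree; CG_ROOT and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: cap memory and task count for a group through the cgroup v2 files.
# Assumes cgroup v2 is mounted at /sys/fs/cgroup and the caller is root (or owns a
# delegated subtree). CG_ROOT, cg_limit, cg_attach and cg_show are hypothetical names.
CG_ROOT="${CG_ROOT:-/sys/fs/cgroup}"

cg_valid_name() {   # reject empty names, path separators and dot-prefixed names
    case "$1" in
        ''|*/*|.*) return 1 ;;
    esac
}

cg_limit() {        # cg_limit NAME MEMORY_MAX_BYTES PIDS_MAX
    cg_valid_name "$1" || return 2
    # A child only exposes a controller's files once the parent enables it.
    echo "+memory +pids" > "$CG_ROOT/cgroup.subtree_control" || return 1
    mkdir -p "$CG_ROOT/$1" || return 1
    echo "$2" > "$CG_ROOT/$1/memory.max" || return 1   # hard cap, page cache included
    echo "$3" > "$CG_ROOT/$1/pids.max"                 # upper bound on tasks in the group
}

cg_attach() {       # cg_attach NAME PID: moves the whole process into the group
    cg_valid_name "$1" || return 2
    echo "$2" > "$CG_ROOT/$1/cgroup.procs"
}

cg_show() {         # cg_show NAME: prints the configured limits and member PIDs
    cg_valid_name "$1" || return 2
    printf 'memory.max=%s pids.max=%s procs=%s\n' \
        "$(cat "$CG_ROOT/$1/memory.max")" \
        "$(cat "$CG_ROOT/$1/pids.max")" \
        "$(tr '\n' ' ' < "$CG_ROOT/$1/cgroup.procs" | sed 's/ $//')"
}

# As root on a v2 host: cg_limit demo 268435456 64 && cg_attach demo $$ && cg_show demo
```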
Redesign
Redesign of cgroups started in 2013,
with additional changes brought by versions 3.15 and 3.16 of the Linux kernel.
Namespace isolation
While not technically part of the cgroups work, a related feature of the Linux kernel is ''namespace isolation'', where groups of processes are separated such that they cannot "see" resources in other groups. For example, a PID namespace provides a separate enumeration of process identifiers within each namespace. Also available are mount, user, UTS, network and SysV IPC namespaces.
* The ''PID namespace'' provides isolation for the allocation of process identifiers (PIDs), lists of processes and their details. While the new namespace is isolated from other siblings, processes in its "parent" namespace still see all processes in child namespaces—albeit with different PID numbers.
* ''Network namespace'' isolates the network interface controllers (physical or virtual), iptables firewall rules, routing tables etc. Network namespaces can be connected with each other using the "veth" virtual Ethernet device.
* ''"UTS" namespace'' allows changing the hostname.
* ''Mount namespace'' allows creating a different file system layout, or making certain mount points read-only.
* ''IPC namespace'' isolates the System V inter-process communication between namespaces.
* ''User namespace'' isolates the user IDs between namespaces.
* ''Cgroup namespace''
Namespaces are created with the "unshare" command or syscall, or as new flags in a "clone" syscall.
The "ns" subsystem was added early in cgroups development to integrate namespaces and control groups. If the "ns" cgroup was mounted, each namespace would also create a new group in the cgroup hierarchy. This was an experiment that was later judged to be a poor fit for the cgroups API, and removed from the kernel.
Linux namespaces were inspired by the more general namespace functionality used heavily throughout Plan 9 from Bell Labs.
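Checking which of the namespace types listed above a process actually has to itself, as an added example that is not part of the original article: every namespace a process belongs to is exposed as a symlink /proc/<pid>/ns/<type>, and two processes share a namespace exactly when the link targets are equal. PROC_ROOT and ns_diff are hypothetical names.

```sh
#!/bin/sh
# Added example: report which namespace types a process does not share with a
# reference process (PID 1 by default) by comparing /proc/<pid>/ns/<type> links.
# Each link target looks like "net:[4026531840]"; equal targets mean same namespace.
# PROC_ROOT and ns_diff are hypothetical names; other users' links need root to read.
PROC_ROOT="${PROC_ROOT:-/proc}"

ns_diff() (     # ns_diff PID [REF_PID] -> space-separated namespace types that differ
    ref="${2:-1}"; out=""
    for t in cgroup ipc mnt net pid user uts; do
        a=$(readlink "$PROC_ROOT/$1/ns/$t" 2>/dev/null) || continue
        b=$(readlink "$PROC_ROOT/$ref/ns/$t" 2>/dev/null) || continue
        [ "$a" = "$b" ] || out="${out:+$out }$t"
    done
    printf '%s\n' "$out"
)

# Compare the current shell with PID 1; an empty line means no difference was observed.
ns_diff "$$"
```

A containerized process normally differs from PID 1 in most of these types; one whose output lacks pid or net shares that namespace with the host, which is worth reviewing when auditing container isolation.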
Unified hierarchy
Kernfs was introduced into the Linux kernel with version 3.14 in March 2014, the main author being Tejun Heo. One of the main motivators for a separate kernfs is the cgroups file system. Kernfs was essentially created by splitting off some of the sysfs logic into an independent entity, making it easier for other kernel subsystems to implement their own virtual file system with handling for device connect and disconnect, dynamic creation and removal, and other attributes. Redesign continued into version 3.15 of the Linux kernel.
Kernel memory control groups (kmemcg)
''Kernel memory control groups'' (''kmemcg'') were merged into version 3.8 of the Linux kernel mainline. The kmemcg controller can limit the amount of memory that the kernel can utilize to manage its own internal processes.
cgroup awareness of OOM killer
Linux kernel 4.19 (October 2018) introduced cgroup awareness in the OOM killer implementation, which adds the ability to kill a cgroup as a single unit and so guarantee the integrity of the workload.
Adoption
Various projects use cgroups as their basis, including CoreOS, Docker (in 2013), Hadoop, Jelastic, Kubernetes, lmctfy (Let Me Contain That For You), LXC (LinuX Containers), systemd, Mesos and Mesosphere, and HTCondor. Major Linux distributions also adopted it, such as Red Hat Enterprise Linux (RHEL) 6.0 in November 2010, three years before adoption by the mainline Linux kernel.
On 29 October 2019, the Fedora Project modified Fedora 31 to use CgroupsV2 by default.
See also
* Operating system–level virtualization implementations
* Process group
* Tc (Linux), a traffic control utility slightly overlapping in functionality with network-oriented cgroup settings
* Job object, the equivalent Windows concept, as managed by that platform's Object Manager
External links
* Official Linux kernel documentation on cgroups v1 and
* Red Hat Resource Management Guide on cgroups
* Linux kernel Namespaces and cgroups, by Rami Rosen (2013)
* Namespaces and cgroups, the basis of Linux containers (including cgroups v2), slides of a talk by Rami Rosen, Netdev 1.1, Seville, Spain, 2016
* Understanding the new control groups API (lwn.net/Articles/679786), LWN.net, by Rami Rosen, March 2016
* Large-scale cluster management at Google with Borg, April 2015, by Abhishek Verma, Luis Pedrosa, Madhukar Korupolu, David Oppenheimer, Eric Tune and John Wilkes
* Job Objects, similar feature on Windows