Merge lp:~serge-hallyn/serverguide/cgroups into lp:serverguide/trunk
- cgroups
- Merge into trunk
Status: | Merged |
---|---|
Approved by: | Doug Smythies |
Approved revision: | 193 |
Merge reported by: | Doug Smythies |
Merged at revision: | not available |
Proposed branch: | lp:~serge-hallyn/serverguide/cgroups |
Merge into: | lp:serverguide/trunk |
Diff against target: |
258 lines (+243/-0) 2 files modified
serverguide/C/cgroups.xml (+242/-0) serverguide/C/serverguide.xml (+1/-0) |
To merge this branch: | bzr merge lp:~serge-hallyn/serverguide/cgroups |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Doug Smythies | Approve | ||
Review via email: mp+210029@code.launchpad.net |
Commit message
Description of the change
This is a first draft for a new section on control groups, written mainly to document the cgmanager.
Doug Smythies (dsmythies) wrote : | # |
For the link, I think this is more generic:
https:/
- 193. By Serge Hallyn
-
use more general link for the kernel cgroup doc page
Serge Hallyn (serge-hallyn) wrote : | # |
Quoting Doug Smythies (<email address hidden>):
> For the link, I think this is more generic:
>
> https:/
Good point! updated that, thanks. (haven't addressed the rest of the
feedback yet)
Doug Smythies (dsmythies) wrote : | # |
Serge, Thanks.
I'll make the other change.
Doug Smythies (dsmythies) wrote : | # |
Oh Crap: I forgot that for consistency throughout the Serverguide, we don't name sections within chapters with the chapter name. I'm saying that, for example, the title for Chapter 21 Section 1 should be "Overview" instead of "Cgroups Overview". I'll fix it.
Serge Hallyn (serge-hallyn) wrote : | # |
Quoting Doug Smythies (<email address hidden>):
> Oh Crap: I forgot that for consistency throughout the Serverguide, we don't name sections within chapters with the chapter name. I'm saying that, for example, the title for Chapter 21 Section 1 should be "Overview" instead of "Cgroups Overview". I'll fix it.
Oh, thanks! Sorry I had every intention of making the other changes on
Monday.
Preview Diff
1 | === added file 'serverguide/C/cgroups.xml' | |||
2 | --- serverguide/C/cgroups.xml 1970-01-01 00:00:00 +0000 | |||
3 | +++ serverguide/C/cgroups.xml 2014-03-07 23:59:35 +0000 | |||
4 | @@ -0,0 +1,242 @@ | |||
5 | 1 | <?xml version="1.0" encoding="UTF-8"?> | ||
6 | 2 | <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" | ||
7 | 3 | "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [ | ||
8 | 4 | <!ENTITY % globalent SYSTEM "../../libs/global.ent"> | ||
9 | 5 | %globalent; | ||
10 | 6 | <!ENTITY % xinclude SYSTEM "../../libs/xinclude.mod"> | ||
11 | 7 | %xinclude; | ||
12 | 8 | <!ENTITY language "&EnglishAmerican;"> | ||
13 | 9 | ]> | ||
14 | 10 | <chapter id="cgroups" status="review"> | ||
15 | 11 | <title>Control Groups</title> | ||
16 | 12 | |||
17 | 13 | <para> | ||
18 | 14 | Control groups (cgroups) are a kernel mechanism for grouping, tracking, | ||
19 | 15 | and limiting the resource usage of tasks. The kernel-provided administration | ||
20 | 16 | interface is through a virtual filesystem. Higher level cgroup | ||
21 | 17 | administration tools have been developed, including libcgroup and | ||
22 | 18 | lmctfy. Additionally, there is guidance at freedesktop.org | ||
23 | 19 | for how applications can best cooperate using the cgroup filesystem | ||
24 | 20 | interface (see Resources). | ||
25 | 21 | </para> | ||
26 | 22 | |||
27 | 23 | <para> | ||
28 | 24 | As of Ubuntu 14.04, the cgroup manager (cgmanager) is available as | ||
29 | 25 | another cgroup administion interface. It's goal is to respond to dbus | ||
30 | 26 | requests from any user, allowing him to administer only those cgroups | ||
31 | 27 | which have been delegated to him. | ||
32 | 28 | </para> | ||
33 | 29 | |||
34 | 30 | <para> | ||
35 | 31 | Section <xref linkend="cgroups-overview"/> will describe cgroups in more detail. | ||
36 | 32 | Section <xref linkend="cgroups-fs"/> will describe the long-standing cgroups filesystem | ||
37 | 33 | interface. Section <xref linkend="cgroups-manager"/> will describe the cgroup | ||
38 | 34 | manager. | ||
39 | 35 | </para> | ||
40 | 36 | |||
41 | 37 | <sect1 id="cgroups-overview" status="review"> | ||
42 | 38 | <title>Cgroups overview</title> | ||
43 | 39 | |||
44 | 40 | <para> | ||
45 | 41 | Cgroups are the generalized feature for grouping tasks. The actual | ||
46 | 42 | resource tracking and limits are implemented by subsystems. A | ||
47 | 43 | hierarchy is a set of subsystems mounted together. For instance, | ||
48 | 44 | if the memory and devices subsystems are mounted together under | ||
49 | 45 | /sys/fs/cgroups/set1, then any task which is in "/child1" will | ||
50 | 46 | be subject to the corresponding limits of both subsystems. | ||
51 | 47 | </para> | ||
52 | 48 | |||
53 | 49 | <para> | ||
54 | 50 | Each set of mounted subsystems consittutes a 'hierarchy'. With | ||
55 | 51 | exceptions, cgroups which are children of "/child1" will be | ||
56 | 52 | subject to all limits placed on "/child1", and their resource | ||
57 | 53 | usage will be accounted to "/child1". | ||
58 | 54 | </para> | ||
59 | 55 | |||
60 | 56 | <para> | ||
61 | 57 | The existing subsystems include: | ||
62 | 58 | </para> | ||
63 | 59 | |||
64 | 60 | <itemizedlist> | ||
65 | 61 | <listitem><para><emphasis>cpusets</emphasis>: fascilitate assigning a set of | ||
66 | 62 | CPUS and memory nodes to cgroups. | ||
67 | 63 | Tasks in a cpuset cgroup may only be scheduled on CPUS assigned to that | ||
68 | 64 | cpuset.</para></listitem> | ||
69 | 65 | <listitem><para><emphasis> blkio </emphasis>: limits per-cgroup block io.</para></listitem> | ||
70 | 66 | <listitem><para><emphasis> cpuacct </emphasis>: provides per-cgroup cpu usage accounting.</para></listitem> | ||
71 | 67 | <listitem><para><emphasis> devices </emphasis>: controls the ability of tasks to create or use devices nodes | ||
72 | 68 | using either a blacklist or whitelist.</para></listitem> | ||
73 | 69 | <listitem><para><emphasis> freezer </emphasis>: provides a way to 'freeze' and 'thaw' whole cgroups. Tasks | ||
74 | 70 | in the cgroup will not be scheduled while they are frozen.</para></listitem> | ||
75 | 71 | <listitem><para><emphasis> hugetlb </emphasis>: fascilitates limiting hugetlb usage per cgroup.</para></listitem> | ||
76 | 72 | <listitem><para><emphasis> memory </emphasis>: allows memory, kernel memory, and swap usage to be tracked | ||
77 | 73 | and limited.</para></listitem> | ||
78 | 74 | <listitem><para><emphasis> net_cls </emphasis>: provides an interface for tagging packets based on the | ||
79 | 75 | sender cgroup. These tags can then be used by tc (traffic controller) | ||
80 | 76 | to assign priorities.</para></listitem> | ||
81 | 77 | <listitem><para><emphasis> net_prio </emphasis>: allows setting network traffic priority on a per-cgroup | ||
82 | 78 | basis.</para></listitem> | ||
83 | 79 | <listitem><para><emphasis> cpu </emphasis>: enables setting of scheduling preferences on per-cgroup basis.</para></listitem> | ||
84 | 80 | <listitem><para><emphasis> perf_event </emphasis>: enables per-cpu mode to monitor only threads in certain | ||
85 | 81 | cgroups.</para></listitem> | ||
86 | 82 | </itemizedlist> | ||
87 | 83 | |||
88 | 84 | <para> | ||
89 | 85 | In addition, named cgroups can be created with no bound | ||
90 | 86 | subsystems for the sake of process tracking. As an example, | ||
91 | 87 | systemd does this to track services and user sessions. | ||
92 | 88 | </para> | ||
93 | 89 | |||
94 | 90 | </sect1> | ||
95 | 91 | |||
96 | 92 | <sect1 id="cgroups-fs" status="review"> | ||
97 | 93 | <title>Cgroup filesystem</title> | ||
98 | 94 | |||
99 | 95 | <para> | ||
100 | 96 | A hierarchy is created by mounting an instance of the cgroup filesystem | ||
101 | 97 | with each of the desired subsystems listed as a mount option. For instance, | ||
102 | 98 | </para> | ||
103 | 99 | |||
104 | 100 | <screen><command> | ||
105 | 101 | mount -t cgroup -o devices,memory,freezer cgroup /cgroup1 | ||
106 | 102 | </command></screen> | ||
107 | 103 | |||
108 | 104 | <para> | ||
109 | 105 | would instantiate a hierarchy with the devices and memory cgroups comounted. | ||
110 | 106 | A child cgroup "child1" can be created using 'mkdir' | ||
111 | 107 | </para> | ||
112 | 108 | |||
113 | 109 | <screen><command> | ||
114 | 110 | mkdir /cgroup1/child1 | ||
115 | 111 | </command></screen> | ||
116 | 112 | |||
117 | 113 | <para> | ||
118 | 114 | and tasks can be moved into the new child cgroup by writing their process | ||
119 | 115 | ids into the 'tasks' or 'cgroup.procs' file: | ||
120 | 116 | </para> | ||
121 | 117 | |||
122 | 118 | <screen><command> | ||
123 | 119 | sleep 100 | ||
124 | 120 | echo $! > /cgroup1/child1/cgroup.procs | ||
125 | 121 | </command></screen> | ||
126 | 122 | |||
127 | 123 | <para> | ||
128 | 124 | Other administration is done through files in the cgroup directories. For | ||
129 | 125 | instance, to freeze all tasks in child1, | ||
130 | 126 | </para> | ||
131 | 127 | |||
132 | 128 | <screen><command> | ||
133 | 129 | echo FROZEN > /cgroup1/child1/freezer.state | ||
134 | 130 | </command></screen> | ||
135 | 131 | |||
136 | 132 | <para> | ||
137 | 133 | A great deal of information about cgroups and its subsystems can be found | ||
138 | 134 | under the cgroups documentation directory in the kernel source tree (see | ||
139 | 135 | Resources). | ||
140 | 136 | </para> | ||
141 | 137 | |||
142 | 138 | </sect1> | ||
143 | 139 | |||
144 | 140 | <sect1 id="cgroups-delegation" status="review"> | ||
145 | 141 | <title>Cgroups Delegation</title> | ||
146 | 142 | |||
147 | 143 | <para> | ||
148 | 144 | Cgroup files and directories can be owned by non-root users, enabling | ||
149 | 145 | delegation of cgroup administration. In general, the kernel enforces | ||
150 | 146 | the hierarchical constraints on limits, so that for instance if | ||
151 | 147 | devices cgroup <filename>/child1</filename> cannot access a disk drive, then | ||
152 | 148 | <filename>/child1/child2</filename> cannot give itself those rights. | ||
153 | 149 | </para> | ||
154 | 150 | |||
155 | 151 | <para> | ||
156 | 152 | As of Ubuntu 14.04, users are automatically placed in a set of cgroups | ||
157 | 153 | which they own, safely allowing them to contrain their own jobs using child | ||
158 | 154 | cgroups. This feature is relied upon, for instance, for unprivileged | ||
159 | 155 | container creation in lxc. | ||
160 | 156 | </para> | ||
161 | 157 | |||
162 | 158 | </sect1> | ||
163 | 159 | |||
164 | 160 | <sect1 id="cgroups-manager" status="review"> | ||
165 | 161 | <title>Cgroup Manager</title> | ||
166 | 162 | |||
167 | 163 | <para> | ||
168 | 164 | The cgroup manager (cgmanager) provides a D-Bus service allowing | ||
169 | 165 | programs and users to administer cgroups without needing direct | ||
170 | 166 | knowledge of or access to the cgroup filesystem. For requests | ||
171 | 167 | from tasks in the same namespaces as the manager, the manager can | ||
172 | 168 | directly perform the needed security checks to ensure that requests | ||
173 | 169 | are legitimate. For other requests - such as those from a task in | ||
174 | 170 | a container - enhanced D-Bus requests must be made, where process-, | ||
175 | 171 | user- and group-ids are passed as SCM_CREDENTIALS, so that the kernel | ||
176 | 172 | maps the identifiers to their global host values. | ||
177 | 173 | </para> | ||
178 | 174 | |||
179 | 175 | <para> | ||
180 | 176 | To fascilitate the use of simple D-Bus calls from all users, a | ||
181 | 177 | 'cgroup manager proxy' (cgproxy) is automatically started when in | ||
182 | 178 | a container. The proxy accepts standard D-Bus requests from tasks | ||
183 | 179 | in the same namespaces as itself, and converts them to | ||
184 | 180 | SCM-enhanced D-Bus requests which it passes on to the cgmanager. | ||
185 | 181 | </para> | ||
186 | 182 | |||
187 | 183 | <para> | ||
188 | 184 | A simple example of creating a new cgroup in which to run a | ||
189 | 185 | cpu-intensive compile would look like: | ||
190 | 186 | </para> | ||
191 | 187 | |||
192 | 188 | <screen><command> | ||
193 | 189 | dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \ | ||
194 | 190 | --type=method_call /org/linuxcontainers/cgmanager \ | ||
195 | 191 | org.linuxcontainers.cgmanager0_0.Create string:'cpuset' string:"build1" | ||
196 | 192 | dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \ | ||
197 | 193 | --type=method_call /org/linuxcontainers/cgmanager \ | ||
198 | 194 | org.linuxcontainers.cgmanager0_0.MovePid string:'cpuset' \ | ||
199 | 195 | string:"build1" int32:$$ | ||
200 | 196 | dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \ | ||
201 | 197 | --type=method_call /org/linuxcontainers/cgmanager \ | ||
202 | 198 | org.linuxcontainers.cgmanager0_0.SetValue string:'cpuset' \ | ||
203 | 199 | string:"build1" string:"cpuset.cpus" string:"1" | ||
204 | 200 | make | ||
205 | 201 | </command></screen> | ||
206 | 202 | |||
207 | 203 | <para> | ||
208 | 204 | The above can also be done much more simply by using lmctfy or | ||
209 | 205 | cgroup-bin, once they are converted to use the cgmanager. | ||
210 | 206 | </para> | ||
211 | 207 | |||
212 | 208 | </sect1> | ||
213 | 209 | |||
214 | 210 | <sect1 id="cgroups-resources" status="review"> | ||
215 | 211 | <title>Resources</title> | ||
216 | 212 | |||
217 | 213 | <itemizedlist> | ||
218 | 214 | <listitem> | ||
219 | 215 | <para>Manual pages referenced above can be found at:</para> | ||
220 | 216 | <screen> | ||
221 | 217 | <ulink url="http://manpages.ubuntu.com/manpages/en/man5/cgconfig.conf.5.html">cgconfig.conf</ulink> | ||
222 | 218 | <ulink url="http://manpages.ubuntu.com/manpages/en/man8/cgmanager.8.html">cgmanager</ulink> | ||
223 | 219 | <ulink url="http://manpages.ubuntu.com/manpages/en/man8/cgproxy.8.html">cgproxy</ulink> | ||
224 | 220 | </screen> | ||
225 | 221 | </listitem> | ||
226 | 222 | |||
227 | 223 | <listitem> | ||
228 | 224 | <para>The upstream cgmanager project is hosted at <ulink | ||
229 | 225 | url="http://cgmanager.linuxcontainers.org">linuxcontainers.org</ulink>.</para> | ||
230 | 226 | </listitem> | ||
231 | 227 | |||
232 | 228 | <listitem> | ||
233 | 229 | <para>The upstream kernel documentation page on cgroups can be seen <ulink | ||
234 | 230 | url="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/cgroups">here | ||
235 | 231 | </ulink>.</para> | ||
236 | 232 | </listitem> | ||
237 | 233 | |||
238 | 234 | <listitem> | ||
239 | 235 | <para>The freedesktop.org control group usage guidelines can be seen <ulink | ||
240 | 236 | url="http://www.freedesktop.org/wiki/Software/systemd/PaxControlGroups/">here</ulink>.</para> | ||
241 | 237 | </listitem> | ||
242 | 238 | |||
243 | 239 | </itemizedlist> | ||
244 | 240 | </sect1> | ||
245 | 241 | |||
246 | 242 | </chapter> | ||
247 | 0 | 243 | ||
248 | === modified file 'serverguide/C/serverguide.xml' | |||
249 | --- serverguide/C/serverguide.xml 2013-02-09 00:40:31 +0000 | |||
250 | +++ serverguide/C/serverguide.xml 2014-03-07 23:59:35 +0000 | |||
251 | @@ -41,6 +41,7 @@ | |||
252 | 41 | <xi:include href="samba.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> | 41 | <xi:include href="samba.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> |
253 | 42 | <xi:include href="backups.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> | 42 | <xi:include href="backups.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> |
254 | 43 | <xi:include href="virtualization.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> | 43 | <xi:include href="virtualization.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> |
255 | 44 | <xi:include href="cgroups.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> | ||
256 | 44 | <xi:include href="clustering.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> | 45 | <xi:include href="clustering.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> |
257 | 45 | <xi:include href="vpn.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> | 46 | <xi:include href="vpn.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> |
258 | 46 | <xi:include href="other-apps.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> | 47 | <xi:include href="other-apps.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/> |
Hi Serge,
Thanks for another chunk for really great stuff.
I am not a subject matter expert on this, and defer to you on that part of it.
In lines 37, 38, and 39 in the below diff, the word "Section" needs to be deleted. Why? Because the PDF compile automatically puts it in so it then reads as "Section Section 1, “Cgroups overview” [p. 345] will describe cgroups" (for example). In my opinion, the HTML reads fine without the word "Section", as the HTML doesn't really have that concept anyhow (at least under the "new" theme). I can make this change if you are busy.
For the Resources item 5: Do we really want to refer to kernel V3.14- rc2? Is there not some more generic way to make the link?
Peter M: This addition will juggle the wiki page numbering. I'll fix it, but perhaps not right away.