Merge lp:~serge-hallyn/serverguide/cgroups into lp:serverguide/trunk

Proposed by Serge Hallyn
Status: Merged
Approved by: Doug Smythies
Approved revision: 193
Merge reported by: Doug Smythies
Merged at revision: not available
Proposed branch: lp:~serge-hallyn/serverguide/cgroups
Merge into: lp:serverguide/trunk
Diff against target: 258 lines (+243/-0)
2 files modified
serverguide/C/cgroups.xml (+242/-0)
serverguide/C/serverguide.xml (+1/-0)
To merge this branch: bzr merge lp:~serge-hallyn/serverguide/cgroups
Reviewer: Doug Smythies
Review status: Approve
Review via email: mp+210029@code.launchpad.net

Description of the change

This is a first draft for a new section on control groups, written mainly to document the cgmanager.

Doug Smythies (dsmythies) wrote :

Hi Serge,
Thanks for another chunk of really great stuff.
I am not a subject matter expert on this, and defer to you on that part of it.

In lines 37, 38, and 39 in the below diff, the word "Section" needs to be deleted. Why? Because the PDF compile automatically puts it in so it then reads as "Section Section 1, “Cgroups overview” [p. 345] will describe cgroups" (for example). In my opinion, the HTML reads fine without the word "Section", as the HTML doesn't really have that concept anyhow (at least under the "new" theme). I can make this change if you are busy.

For the Resources item 5: Do we really want to refer to kernel V3.14-rc2? Is there not some more generic way to make the link?

Peter M: This addition will juggle the wiki page numbering. I'll fix it, but perhaps not right away.

review: Needs Fixing
Doug Smythies (dsmythies) wrote :
lp:~serge-hallyn/serverguide/cgroups updated
193. By Serge Hallyn

use more general link for the kernel cgroup doc page

Serge Hallyn (serge-hallyn) wrote :

Quoting Doug Smythies (<email address hidden>):
> For the link, I think this is more generic:
>
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/cgroups

Good point! updated that, thanks. (haven't addressed the rest of the
feedback yet)

Doug Smythies (dsmythies) wrote :

Serge, Thanks.
I'll make the other change.

review: Approve
Doug Smythies (dsmythies) wrote :

Oh Crap: I forgot that for consistency throughout the Serverguide, we don't name sections within chapters with the chapter name. I'm saying that, for example, the title for Chapter 21 Section 1 should be "Overview" instead of "Cgroups Overview". I'll fix it.

Serge Hallyn (serge-hallyn) wrote :

Quoting Doug Smythies (<email address hidden>):
> Oh Crap: I forgot that for consistency throughout the Serverguide, we don't name sections within chapters with the chapter name. I'm saying that, for example, the title for Chapter 21 Section 1 should be "Overview" instead of "Cgroups Overview". I'll fix it.

Oh, thanks! Sorry I had every intention of making the other changes on
Monday.

Preview Diff

=== added file 'serverguide/C/cgroups.xml'
--- serverguide/C/cgroups.xml 1970-01-01 00:00:00 +0000
+++ serverguide/C/cgroups.xml 2014-03-07 23:59:35 +0000
@@ -0,0 +1,242 @@
1<?xml version="1.0" encoding="UTF-8"?>
2<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
3"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
4<!ENTITY % globalent SYSTEM "../../libs/global.ent">
5%globalent;
6<!ENTITY % xinclude SYSTEM "../../libs/xinclude.mod">
7%xinclude;
8<!ENTITY language "&EnglishAmerican;">
9]>
10<chapter id="cgroups" status="review">
11 <title>Control Groups</title>
12
13 <para>
14Control groups (cgroups) are a kernel mechanism for grouping, tracking,
15and limiting the resource usage of tasks. The kernel-provided administration
16interface is through a virtual filesystem. Higher level cgroup
17administration tools have been developed, including libcgroup and
18lmctfy. Additionally, there is guidance at freedesktop.org
19for how applications can best cooperate using the cgroup filesystem
20interface (see Resources).
21 </para>
22
23 <para>
24As of Ubuntu 14.04, the cgroup manager (cgmanager) is available as
25another cgroup administion interface. It's goal is to respond to dbus
26requests from any user, allowing him to administer only those cgroups
27which have been delegated to him.
28 </para>
29
30 <para>
31Section <xref linkend="cgroups-overview"/> will describe cgroups in more detail.
32Section <xref linkend="cgroups-fs"/> will describe the long-standing cgroups filesystem
33interface. Section <xref linkend="cgroups-manager"/> will describe the cgroup
34manager.
35 </para>
36
37 <sect1 id="cgroups-overview" status="review">
38 <title>Cgroups overview</title>
39
40 <para>
41Cgroups are the generalized feature for grouping tasks. The actual
42resource tracking and limits are implemented by subsystems. A
43hierarchy is a set of subsystems mounted together. For instance,
44if the memory and devices subsystems are mounted together under
45/sys/fs/cgroups/set1, then any task which is in "/child1" will
46be subject to the corresponding limits of both subsystems.
47 </para>
48
49 <para>
50Each set of mounted subsystems consittutes a 'hierarchy'. With
51exceptions, cgroups which are children of "/child1" will be
52subject to all limits placed on "/child1", and their resource
53usage will be accounted to "/child1".
54 </para>
55
56 <para>
57The existing subsystems include:
58 </para>
59
60 <itemizedlist>
61<listitem><para><emphasis>cpusets</emphasis>: fascilitate assigning a set of
62CPUS and memory nodes to cgroups.
63 Tasks in a cpuset cgroup may only be scheduled on CPUS assigned to that
64 cpuset.</para></listitem>
65<listitem><para><emphasis> blkio </emphasis>: limits per-cgroup block io.</para></listitem>
66<listitem><para><emphasis> cpuacct </emphasis>: provides per-cgroup cpu usage accounting.</para></listitem>
67<listitem><para><emphasis> devices </emphasis>: controls the ability of tasks to create or use devices nodes
68 using either a blacklist or whitelist.</para></listitem>
69<listitem><para><emphasis> freezer </emphasis>: provides a way to 'freeze' and 'thaw' whole cgroups. Tasks
70 in the cgroup will not be scheduled while they are frozen.</para></listitem>
71<listitem><para><emphasis> hugetlb </emphasis>: fascilitates limiting hugetlb usage per cgroup.</para></listitem>
72<listitem><para><emphasis> memory </emphasis>: allows memory, kernel memory, and swap usage to be tracked
73 and limited.</para></listitem>
74<listitem><para><emphasis> net_cls </emphasis>: provides an interface for tagging packets based on the
75 sender cgroup. These tags can then be used by tc (traffic controller)
76 to assign priorities.</para></listitem>
77<listitem><para><emphasis> net_prio </emphasis>: allows setting network traffic priority on a per-cgroup
78 basis.</para></listitem>
79<listitem><para><emphasis> cpu </emphasis>: enables setting of scheduling preferences on per-cgroup basis.</para></listitem>
80<listitem><para><emphasis> perf_event </emphasis>: enables per-cpu mode to monitor only threads in certain
81 cgroups.</para></listitem>
82 </itemizedlist>
83
84 <para>
85In addition, named cgroups can be created with no bound
86subsystems for the sake of process tracking. As an example,
87systemd does this to track services and user sessions.
88 </para>
89
90 </sect1>
91
92 <sect1 id="cgroups-fs" status="review">
93 <title>Cgroup filesystem</title>
94
95 <para>
96A hierarchy is created by mounting an instance of the cgroup filesystem
97with each of the desired subsystems listed as a mount option. For instance,
98 </para>
99
100<screen><command>
101mount -t cgroup -o devices,memory,freezer cgroup /cgroup1
102</command></screen>
103
104 <para>
105would instantiate a hierarchy with the devices and memory cgroups comounted.
106A child cgroup "child1" can be created using 'mkdir'
107 </para>
108
109<screen><command>
110mkdir /cgroup1/child1
111</command></screen>
112
113 <para>
114and tasks can be moved into the new child cgroup by writing their process
115ids into the 'tasks' or 'cgroup.procs' file:
116 </para>
117
118<screen><command>
119sleep 100
120echo $! > /cgroup1/child1/cgroup.procs
121</command></screen>
122
123 <para>
124Other administration is done through files in the cgroup directories. For
125instance, to freeze all tasks in child1,
126 </para>
127
128<screen><command>
129echo FROZEN > /cgroup1/child1/freezer.state
130</command></screen>
131
132 <para>
133A great deal of information about cgroups and its subsystems can be found
134under the cgroups documentation directory in the kernel source tree (see
135Resources).
136 </para>
137
138 </sect1>
139
140 <sect1 id="cgroups-delegation" status="review">
141 <title>Cgroups Delegation</title>
142
143 <para>
144Cgroup files and directories can be owned by non-root users, enabling
145delegation of cgroup administration. In general, the kernel enforces
146the hierarchical constraints on limits, so that for instance if
147devices cgroup <filename>/child1</filename> cannot access a disk drive, then
148<filename>/child1/child2</filename> cannot give itself those rights.
149 </para>
150
151 <para>
152As of Ubuntu 14.04, users are automatically placed in a set of cgroups
153which they own, safely allowing them to contrain their own jobs using child
154cgroups. This feature is relied upon, for instance, for unprivileged
155container creation in lxc.
156 </para>
157
158 </sect1>
159
160 <sect1 id="cgroups-manager" status="review">
161 <title>Cgroup Manager</title>
162
163 <para>
164The cgroup manager (cgmanager) provides a D-Bus service allowing
165programs and users to administer cgroups without needing direct
166knowledge of or access to the cgroup filesystem. For requests
167from tasks in the same namespaces as the manager, the manager can
168directly perform the needed security checks to ensure that requests
169are legitimate. For other requests - such as those from a task in
170a container - enhanced D-Bus requests must be made, where process-,
171user- and group-ids are passed as SCM_CREDENTIALS, so that the kernel
172maps the identifiers to their global host values.
173 </para>
174
175 <para>
176To fascilitate the use of simple D-Bus calls from all users, a
177'cgroup manager proxy' (cgproxy) is automatically started when in
178a container. The proxy accepts standard D-Bus requests from tasks
179in the same namespaces as itself, and converts them to
180SCM-enhanced D-Bus requests which it passes on to the cgmanager.
181 </para>
182
183 <para>
184A simple example of creating a new cgroup in which to run a
185cpu-intensive compile would look like:
186 </para>
187
188<screen><command>
189dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
190 --type=method_call /org/linuxcontainers/cgmanager \
191 org.linuxcontainers.cgmanager0_0.Create string:'cpuset' string:"build1"
192dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
193 --type=method_call /org/linuxcontainers/cgmanager \
194 org.linuxcontainers.cgmanager0_0.MovePid string:'cpuset' \
195 string:"build1" int32:$$
196dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
197 --type=method_call /org/linuxcontainers/cgmanager \
198 org.linuxcontainers.cgmanager0_0.SetValue string:'cpuset' \
199 string:"build1" string:"cpuset.cpus" string:"1"
200make
201</command></screen>
202
203 <para>
204The above can also be done much more simply by using lmctfy or
205cgroup-bin, once they are converted to use the cgmanager.
206 </para>
207
208 </sect1>
209
210 <sect1 id="cgroups-resources" status="review">
211 <title>Resources</title>
212
213 <itemizedlist>
214 <listitem>
215 <para>Manual pages referenced above can be found at:</para>
216 <screen>
217<ulink url="http://manpages.ubuntu.com/manpages/en/man5/cgconfig.conf.5.html">cgconfig.conf</ulink>
218<ulink url="http://manpages.ubuntu.com/manpages/en/man8/cgmanager.8.html">cgmanager</ulink>
219<ulink url="http://manpages.ubuntu.com/manpages/en/man8/cgproxy.8.html">cgproxy</ulink>
220</screen>
221 </listitem>
222
223 <listitem>
224 <para>The upstream cgmanager project is hosted at <ulink
225 url="http://cgmanager.linuxcontainers.org">linuxcontainers.org</ulink>.</para>
226 </listitem>
227
228 <listitem>
229 <para>The upstream kernel documentation page on cgroups can be seen <ulink
230 url="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/cgroups">here
231 </ulink>.</para>
232 </listitem>
233
234 <listitem>
235 <para>The freedesktop.org control group usage guidelines can be seen <ulink
236 url="http://www.freedesktop.org/wiki/Software/systemd/PaxControlGroups/">here</ulink>.</para>
237 </listitem>
238
239 </itemizedlist>
240 </sect1>
241
242</chapter>
0243
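Review bot: In the cgroup.procs example (new lines 119-120), `sleep 100` runs in the foreground, so `$!` on the next line does not hold its PID; it expands to the PID of the most recent background job, or to an empty string if there is none. Start the task with `sleep 100 &` so that the echo moves the intended process into child1. The mount example on line 101 lists `devices,memory,freezer`, but line 105 says only the devices and memory cgroups are comounted; name freezer there as well, since the `freezer.state` example on line 129 depends on it. Line 45 uses `/sys/fs/cgroups/set1` while the cgmanager socket on line 189 is under `/sys/fs/cgroup/`, so pick one spelling of the mount root. Line 215 says the manual pages are "referenced above", but cgconfig.conf is not mentioned anywhere earlier in the chapter. Spelling to fix in the same pass: "administion", "It's goal" (Its), "consittutes", "fascilitate(s)", "contrain".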
=== modified file 'serverguide/C/serverguide.xml'
--- serverguide/C/serverguide.xml 2013-02-09 00:40:31 +0000
+++ serverguide/C/serverguide.xml 2014-03-07 23:59:35 +0000
@@ -41,6 +41,7 @@
41 <xi:include href="samba.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>41 <xi:include href="samba.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
42 <xi:include href="backups.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>42 <xi:include href="backups.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
43 <xi:include href="virtualization.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>43 <xi:include href="virtualization.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
44 <xi:include href="cgroups.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
44 <xi:include href="clustering.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>45 <xi:include href="clustering.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
45 <xi:include href="vpn.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>46 <xi:include href="vpn.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
46 <xi:include href="other-apps.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>47 <xi:include href="other-apps.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
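Review bot: The new `cgroups.xml` include is placed between `virtualization.xml` and `clustering.xml`, so every chapter from clustering onward shifts down by one. Check that nothing refers to those chapters by number, or place the new include later in the list if the position next to virtualization is not required.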
