Applies to openSUSE Leap 15.0

9 Kernel Control Groups

Abstract

Kernel Control Groups (cgroups) are a kernel feature that allows assigning and limiting hardware resources for processes. Processes can also be organized in a hierarchical tree structure.

9.1 Overview

Every process is assigned to exactly one cgroup. cgroups are ordered in a hierarchical tree structure. Resource limitations can be set for single processes or for whole branches of the hierarchy tree. Limitations for CPU, memory, disk I/O, or network bandwidth usage can be set.

On openSUSE Leap, systemd uses cgroups to organize all processes in groups, which systemd calls slices. systemd also provides an interface for setting cgroup properties.

The command systemd-cgls displays the hierarchy tree.

This chapter is an overview. For more details, refer to the listed references.

9.2 Setting Hardware Limits

Limitations to cgroups can be set with the systemctl set-property command. The syntax is:

root # systemctl set-property [--runtime] NAME PROPERTY1=VALUE [PROPERTY2=VALUE]

Optionally, use the --runtime option. With this option, the limits you set do not persist after the next reboot.

Replace NAME with a systemd service, slice, scope, socket, mount, or swap name. Replace properties with one or more of the following:

CPUAccounting=[yes|no]

Turns on CPU usage accounting. This property takes yes and no as arguments.

Example:

root # systemctl set-property user.slice CPUAccounting=yes

CPUQuota=PERCENTAGE

Assigns CPU time to processes. The value is a percentage followed by a % as suffix. This requires CPUAccounting=yes.

Example:

root # systemctl set-property user.slice CPUQuota=50%

MemoryAccounting=[yes|no]

Turns on memory usage accounting. This property takes yes and no as arguments.

Example:

root # systemctl set-property user.slice MemoryAccounting=yes

MemoryLow=BYTES

Unused memory from processes below this limit will not be reclaimed for other use. Use suffixes K, M, G or T for BYTES. This requires MemoryAccounting=yes.

Example:

root # systemctl set-property nginx.service MemoryLow=512M

MemoryHigh=BYTES

If memory usage goes above this limit, memory is aggressively taken away from the processes. Use suffixes K, M, G or T for BYTES. This requires MemoryAccounting=yes.

Example:

root # systemctl set-property nginx.service MemoryHigh=2G

MemoryMax=BYTES

Sets a maximum limit for used memory. Processes will be killed if they use more memory than allowed. Use suffixes K, M, G or T for BYTES. This requires MemoryAccounting=yes.

Example:

root # systemctl set-property nginx.service MemoryMax=4G

DeviceAllow=

Allows read (r), write (w) and mknod (m) access. The property takes a device node specifier followed, separated by white space, by a list of r, w or m.

Example:

root # systemctl set-property system.slice DeviceAllow="/dev/sdb1 r"

DevicePolicy=[auto|closed|strict]

When set to strict, only access to devices that are listed in DeviceAllow is allowed. closed additionally allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom. auto allows access to all devices if no specific rule is defined in DeviceAllow. auto is the default setting.
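How DevicePolicy and DeviceAllow combine, as an added example that is not part of the original documentation: a simplified shell model of the access decision, run against the /dev/sdb1 rule from the DeviceAllow example. The function names and the rule format (one exact device node per line) are assumptions of this model; treating auto like closed once any DeviceAllow rule exists follows systemd.resource-control(5).

```shell
#!/bin/sh
# Added example: simplified model of how DevicePolicy= and DeviceAllow= combine.
# Assumptions: rules name exact device nodes, one "NODE MODES" rule per line.

# Pseudo devices that "closed" allows, as listed in the text above.
PSEUDO_DEVICES="/dev/null /dev/zero /dev/full /dev/random /dev/urandom"

# rule_permits RULES DEVICE MODE: succeeds if a DeviceAllow rule grants MODE (r, w or m).
rule_permits() {
    while read -r node modes; do
        [ "$node" = "$2" ] || continue
        case "$modes" in *"$3"*) return 0 ;; esac
    done <<EOF
$1
EOF
    return 1
}

# device_access POLICY RULES DEVICE MODE: prints "allow" or "deny".
device_access() {
    policy=$1; rules=$2; device=$3; mode=$4
    # A matching DeviceAllow rule grants access under every policy.
    if rule_permits "$rules" "$device" "$mode"; then echo allow; return 0; fi
    # strict: nothing beyond the DeviceAllow list.
    if [ "$policy" = strict ]; then echo deny; return 1; fi
    # auto with an empty DeviceAllow list: every device is allowed (the default).
    if [ "$policy" = auto ] && [ -z "$rules" ]; then echo allow; return 0; fi
    # closed, and auto once any rule exists (systemd.resource-control(5)
    # treats that case like closed): only the pseudo devices remain.
    for p in $PSEUDO_DEVICES; do
        if [ "$p" = "$device" ]; then echo allow; return 0; fi
    done
    echo deny; return 1
}

# Constructed sample rule, taken from the DeviceAllow example above.
RULES="/dev/sdb1 r"
for pol in auto closed strict; do
    for probe in "/dev/sdb1 r" "/dev/sdb1 w" "/dev/null r" "/dev/sda1 r"; do
        set -- $probe
        printf '%-7s %-10s %s -> %s\n' "$pol" "$1" "$2" \
            "$(device_access "$pol" "$RULES" "$1" "$2" || true)"
    done
done
```

The table it prints shows that leaving DevicePolicy at auto without any DeviceAllow rule restricts nothing, and that strict also denies /dev/null unless it is listed explicitly.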

For more details and a complete list of properties, see man systemd.resource-control.

9.3 For More Information