Kernel Control Groups (“cgroups”) are a kernel feature that allows assigning and limiting hardware resources for processes. Processes can also be organized in a hierarchical tree structure.
Every process is assigned exactly one cgroups. cgroups are ordered in a hierarchical tree structure. Resource limitations can be set for single processes or for whole branches of the hierarchy tree. Limitations for CPU, memory, disk I/O, or network bandwidth usage can be set.
On openSUSE Leap, systemd
is using cgroups to organize all
processes in groups, which systemd
calls slices. systemd
also
provides an interface for setting cgroup properties.
The command systemd-cgls
displays the hierarchy
tree.
This chapter is an overview. For more details, refer to the listed references.
Limitations to cgroups
can be set with the
systemctl set-property
command. The syntax is:
root #
systemctl set-property [--runtime] NAME PROPERTY1=VALUE [PROPERTY2=VALUE]
Optionally, use the --runtime
option. With this
option, set limits are not persisting after the next reboot.
Replace NAME with a systemd
service
slice, scope, socket, mount, or swap name. Replace properties with
one or more of the following:
CPUAccounting=
[yes|no]
Turns on CPU usage accounting. This property takes
yes
and no
as arguments.
Example:
root #
systemctl set-property user.slice CPUAccounting=yes
CPUQuota=
PERCENTAGE
Assigns a CPU time to processes. The value is a percentage
followed by a %
as suffix. This requires
CPUAccounting=yes
.
Example:
root #
systemctl set-property user.slice CPUQuota=50%
MemoryAccounting=
[yes|no]
Turns on memory usage accounting. This property takes
yes
and no
as arguments.
Example:
root #
systemctl set-property user.slice MemoryAccounting=yes
MemoryLow=
BYTES
Unused memory from processes below this limit will not be
reclaimed for other use. Use suffixes K, M, G or T for
BYTES. This requires
MemoryAccounting=yes
.
Example:
root #
systemctl set-property nginx.service MemoryLow=512M
MemoryHigh=
BYTES
If more memory above this limit is used, memory is aggressively
taken away from the processes. Use suffixes K, M, G or T for
BYTES. This requires
MemoryAccounting=yes
.
Example:
root #
systemctl set-property nginx.service MemoryHigh=2G
MemoryMax=
BYTES
Set a maximum limit for used memory. Processes will be killed if
they use more memory than allowed. Use suffixes K, M, G or T for
BYTES. This requires
MemoryAccounting=yes
.
Example:
root #
systemctl set-property nginx.service MemoryMax=4G
DeviceAllow=
Allow read (r
), write (w
)
and mknod (m
) access. The command takes a
device node specifier and separated by a white space a list of
r
, w
or
m
.
Example:
root #
systemctl set-property system.slice DeviceAllow="/dev/sdb1 r"
DevicePolicy=
[auto|closed|strict]
When set to strict
, only access to devices
that are listed in DeviceAllow
is allowed.
closed
additionally allows access to standard
pseudo devices including /dev/null
,
/dev/zero
, /dev/full
,
/dev/random
, and
/dev/urandom
.
auto
allows access to all devices if no
specific rule is defined in DeviceAllow
.
auto
is the default setting.
For more details and a complete list of properties, see man
systemd.resource-control
.
Kernel documentation (package kernel-source
):
files in /usr/src/linux/Documentation/cgroups
.
http://lwn.net/Articles/604609/—Brown, Neil: Control Groups Series (2014, 7 parts).
http://lwn.net/Articles/243795/—Corbet, Jonathan: Controlling memory use in containers (2007).
http://lwn.net/Articles/236038/—Corbet, Jonathan: Process containers (2007).