Kernel Control Groups (“cgroups”) are a kernel feature that allows assigning and limiting hardware and system resources for processes. Processes can also be organized in a hierarchical tree structure.
Every process is assigned exactly one administrative cgroup. cgroups are ordered in a hierarchical tree structure. Resource limitations can be set for single processes or for whole branches of the hierarchy tree. Limitations for CPU, memory, disk I/O, or network bandwidth usage can be set.
On openSUSE Leap, systemd uses cgroups to organize all processes in groups, which systemd calls slices. systemd also provides an interface for setting cgroup properties.
The command systemd-cgls displays the hierarchy tree.
This chapter is an overview. For more details, refer to the listed references.
Be aware that resource consumption implicitly depends on the environment where your workload executes (for example, the size of data structures in libraries/kernel, forking behavior of utilities, computational efficiency), hence it is recommended to (re)calibrate your limits should the environment change.
Limitations to cgroups can be set with the systemctl set-property command. The syntax is:
root # systemctl set-property [--runtime] NAME PROPERTY1=VALUE [PROPERTY2=VALUE]
Optionally, use the --runtime option. With this option, set limits do not persist after the next reboot.
Replace NAME with a systemd service, slice, scope, socket, mount, or swap name. Replace properties with one or more of the following:
CPUAccounting=[yes|no]
Turns on CPU usage accounting. This property takes yes and no as arguments.
Example:
root # systemctl set-property user.slice CPUAccounting=yes
CPUQuota=PERCENTAGE
Assigns CPU time to processes. The value is a percentage followed by % as a suffix. This implies CPUAccounting=yes.
Example:
root # systemctl set-property user.slice CPUQuota=50%
MemoryAccounting=[yes|no]
Turns on memory usage accounting. This property takes yes and no as arguments.
Example:
root # systemctl set-property user.slice MemoryAccounting=yes
MemoryLow=BYTES
Unused memory from processes below this limit will not be reclaimed for other use. Use suffixes K, M, G or T for BYTES. This implies MemoryAccounting=yes.
Example:
root # systemctl set-property nginx.service MemoryLow=512M
This setting is available only if the unified control group hierarchy is used, and disables MemoryLimit=. To enable the unified control group hierarchy, append systemd.unified_cgroup_hierarchy=1 as a kernel command line parameter to the GRUB 2 boot loader. Refer to Book “Reference”, Chapter 12 “The Boot Loader GRUB 2” for more details about configuring GRUB 2.
MemoryHigh=BYTES
If processes use more memory than this limit, memory is aggressively taken away from them. Use suffixes K, M, G or T for BYTES. This implies MemoryAccounting=yes.
Example:
root # systemctl set-property nginx.service MemoryHigh=2G
This setting is available only if the unified control group hierarchy is used, and disables MemoryLimit=. To enable the unified control group hierarchy, append systemd.unified_cgroup_hierarchy=1 as a kernel command line parameter to the GRUB 2 boot loader. Refer to Book “Reference”, Chapter 12 “The Boot Loader GRUB 2” for more details about configuring GRUB 2.
MemoryMax=BYTES
Sets a maximum limit for used memory. Processes will be killed if they use more memory than allowed. Use suffixes K, M, G or T for BYTES. This implies MemoryAccounting=yes.
Example:
root # systemctl set-property nginx.service MemoryMax=4G
DeviceAllow=
Allows read (r), write (w) and mknod (m) access. The command takes a device node specifier and a list of r, w or m, separated by a white space.
Example:
root # systemctl set-property system.slice DeviceAllow="/dev/sdb1 r"
DevicePolicy=[auto|closed|strict]
When set to strict, only access to devices that are listed in DeviceAllow is allowed. closed additionally allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom. auto allows access to all devices if no specific rule is defined in DeviceAllow. auto is the default setting.
For more details and a complete list of properties, see man systemd.resource-control.
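A preflight check for the MemoryLow=, MemoryHigh= and MemoryMax= properties described above, added here as an example (it is not part of the openSUSE documentation or of systemd). It assumes the K, M, G and T suffixes are base 1024 as documented in systemd.resource-control, detects the unified hierarchy by the file system type of /sys/fs/cgroup, and treats MemoryLow <= MemoryHigh <= MemoryMax as a sanity rule of this example; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: validate MemoryLow=/MemoryHigh=/MemoryMax= before applying.
# Function names are hypothetical; nothing here changes system state.

# Convert 512M, 2G, ... to bytes (suffixes K, M, G, T are base 1024).
to_bytes() {
    number=${1%[KMGT]}
    suffix=${1#"$number"}
    # Reject empty values, non-digits and leading zeros (octal in arithmetic).
    case $number in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
    case $suffix in
        '') echo "$number" ;;
        K)  echo $(( $number * 1024 )) ;;
        M)  echo $(( $number * 1024 * 1024 )) ;;
        G)  echo $(( $number * 1024 * 1024 * 1024 )) ;;
        T)  echo $(( $number * 1024 * 1024 * 1024 * 1024 )) ;;
    esac
}

# True if /sys/fs/cgroup is a cgroup2 mount (unified hierarchy).
# An optional argument overrides the detected file system type.
is_unified() {
    fstype=${1:-$(stat -fc %T /sys/fs/cgroup 2>/dev/null)}
    [ "$fstype" = cgroup2fs ]
}

# Print the set-property command for UNIT LOW HIGH MAX.
# Assumption of this example: sensible limits satisfy LOW <= HIGH <= MAX.
memory_limits_cmd() {
    low=$(to_bytes "$2") && high=$(to_bytes "$3") && max=$(to_bytes "$4") || {
        echo "invalid size: use digits plus optional K, M, G or T" >&2
        return 2
    }
    if [ "$low" -gt "$high" ] || [ "$high" -gt "$max" ]; then
        echo "expected MemoryLow <= MemoryHigh <= MemoryMax" >&2
        return 3
    fi
    echo "systemctl set-property --runtime $1 MemoryLow=$2 MemoryHigh=$3 MemoryMax=$4"
}

# Demo with the values used on this page; the command is printed, not run.
memory_limits_cmd nginx.service 512M 2G 4G
is_unified || echo "unified hierarchy not detected: MemoryLow=/MemoryHigh= unavailable" >&2
```

Run the printed command as root once the values pass; drop --runtime to make the limits persist across reboots.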
Kernel documentation (package kernel-source): files in /usr/src/linux/Documentation/cgroups.
http://lwn.net/Articles/604609/—Brown, Neil: Control Groups Series (2014, 7 parts).
http://lwn.net/Articles/243795/—Corbet, Jonathan: Controlling memory use in containers (2007).
http://lwn.net/Articles/236038/—Corbet, Jonathan: Process containers (2007).