cgroups is a Linux kernel feature that limits, accounts for, and isolates the resource usage of a collection of processes. Engineers at Google started the work on this feature in 2006 under the name "process containers". In late 2007, the nomenclature changed to "control groups" to avoid confusion caused by multiple meanings of the term "container" in the Linux kernel context, and the control groups functionality was merged into the Linux kernel mainline in kernel version 2.6.24, which was released in January 2008. Since then, developers have added many new features and controllers, such as support for kernfs in 2014, firewalling, and unified hierarchy. cgroup v2 was merged in Linux kernel 4.5 with significant changes to the interface and internal functionality.
Versions
There are two versions of cgroups. Cgroups was originally written by Paul Menage and Rohit Seth, and mainlined into the Linux kernel in 2007. Afterwards this is called cgroups version 1. Then development and maintenance of cgroups was taken over by Tejun Heo. Tejun Heo redesigned and rewrote cgroups. This rewrite is now called version 2, the documentation of cgroups-v2 first appeared in Linux kernel 4.5 released on 14 March 2016. Unlike v1, cgroup v2 has only a single process hierarchy and discriminates between processes, not threads.
Features
One of the design goals of cgroups is to provide a unified interface to many different use cases, from controlling single processes to full operating system-level virtualization. Cgroups provides: ; Resource limiting ; Prioritization ; Accounting ; Control
Use
A control group is a collection of processes that are bound by the same criteria and associated with a set of parameters or limits. These groups can be hierarchical, meaning that each group inherits limits from its parent group. The kernel provides access to multiple controllers through the cgroup interface; for example, the "memory" controller limits memory use, "cpuacct" accounts CPU usage, etc. Control groups can be used in multiple ways:
By creating and managing groups on the fly using tools like cgcreate, cgexec, and cgclassify.
Through the "rules engine daemon" that can automatically move processes of certain users, groups, or commands to cgroups as specified in its configuration.
The Linux kernel documentation contains some technical details of the setup and use of control groups version 1 and version 2. systemd-cgtop command can be used to show top control groups by their resource usage.
Redesign
Redesign of cgroups started in 2013, with additional changes brought by versions 3.15 and 3.16 of the Linux kernel.
Namespace isolation
While not technically part of the cgroups work, a related feature of the Linux kernel is namespace isolation, where groups of processes are separated such that they cannot "see" resources in other groups. For example, a PID namespace provides a separate enumeration of process identifiers within each namespace. Also available are mount, user, UTS, network and SysV IPC namespaces.
The PID namespace provides isolation for the allocation of process identifiers, lists of processes and their details. While the new namespace is isolated from other siblings, processes in its "parent" namespace still see all processes in child namespaces—albeit with different PID numbers.
Network namespace isolates the network interface controllers, iptables firewall rules, routing tables etc. Network namespaces can be connected with each other using the "veth" virtual Ethernet device.
User namespace isolates the user IDs between namespaces.
Cgroup namespace
Namespaces are created with the "unshare" command or syscall, or as new flags in a "clone" syscall. The "ns" subsystem was added early in cgroups development to integrate namespaces and control groups. If the "ns" cgroup was mounted, each namespace would also create a new group in the cgroup hierarchy. This was an experiment that was later judged to be a poor fit for the cgroups API, and removed from the kernel. Linux namespaces were inspired by the more general namespace functionality used heavily throughout Plan 9 from Bell Labs.
Unified hierarchy
was introduced into the Linux kernel with version 3.14 in March 2014, the main author being Tejun Heo. One of the main motivators for a separate kernfs is the cgroups file system. Kernfs is basically created by splitting off some of the sysfs logic into an independent entity, thus easing for other kernel subsystems the implementation of their own virtual file system with handling for device connect and disconnect, dynamic creation and removal, and other attributes. Redesign continued into version 3.15 of the Linux kernel.
Kernel memory control groups (kmemcg)
Kernel memory control groups were merged into version 3.8 of the Linux kernel mainline. The kmemcg controller can limit the amount of memory that the kernel can utilize to manage its own internal processes.
Linux Kernel 4.19 introduced cgroup awareness of OOM killer implementation which adds an ability to kill a cgroup as a single unit and so guarantee the integrity of the workload.
