Shulou(Shulou.com)06/02 Report--

What is Cgroups?

Cgroups (Control Groups) is a mechanism provided by the linux kernel, which can integrate (or separate) a series of system tasks and their subtasks into different groups classified by resources according to requirements, so as to provide a unified framework for system resource management. In a nutshell, cgroups can limit and record the physical resources used by task groups. In essence, cgroups is a series of hook attached to the program by the kernel, which is triggered by the scheduling of resources while the program is running to achieve the purpose of resource tracking and restriction.

This paper takes Ubuntu 16.04system as an example to introduce cgroups, and all demo are demonstrated in this system.

Why should I know cgroups?

In the era of virtualization technology represented by container technology, it is very necessary to understand cgroups technology! For example, we can easily limit the CPU, memory and other resources that a container can use. How is this achieved? By understanding the cgroups technology, we can peep into the context of the whole resource restriction system in the linux system. Thus help us to better understand and use the linux system.

The main role of cgroups

The main purpose of implementing cgroups is to provide a unified interface for resource management at different user levels. From resource control for a single task to virtualization at the operating system level, cgroups provides four major functions:

Resource limits: cgroups can limit the total amount of resources that a task needs. For example, set the upper limit of memory used when the task is running, and send OOM once the limit is exceeded. Priority allocation: the number of CPU time slices allocated and disk IO bandwidth effectively equates to controlling the priority of the task to run. Resource statistics: cgoups can count the resource usage of the system, such as CPU usage time, memory usage and so on. This feature is very suitable for the current billing method of cloud products based on usage. Task control: cgroups can perform suspending, resuming and other operations on tasks.

Related concepts

Task (tasks) in linux systems, the scheduling and management of the kernel itself does not distinguish between processes and threads, but conceptually distinguishes processes and threads according to the parameters passed in clone. Task is used here to represent a process or thread of the system.

Resource control in Cgroup (control group) cgroups is implemented in cgroup. Cgroup represents a task group divided by some resource control standard, which contains one or more subsystems. A task can join a cgroup or migrate from one cgroup to another cgroup.

The subsystem in Subsystem (subsystem) cgroups is a resource scheduling controller (also known as controllers). For example, the CPU subsystem can control the time allocation of CPU, and the memory subsystem can limit the amount of memory used. Take Ubuntu 16.04.3 used by the author as an example, its kernel version is 4.10.0, and the supported subsystem is as follows (cat / proc/cgroups):

Blkio restricts the IO of block devices.

Cpu restricts the allocation of CPU time slices and mounts them in the same directory as cpuacct.

Cpuacct generates a report that tasks in cgroup consume CPU resources and are mounted in the same directory as cpu.

Cpuset assigns separate CPU (multiprocessor systems) and memory nodes to tasks in cgroup.

Devices allows or disables tasks in cgroup from accessing the device.

Freezer suspends / resumes tasks in cgroup.

Hugetlb limits the number of memory pages used.

Memory limits the available memory for tasks in cgroup and automatically generates resource occupancy reports.

Net_cls marks network packets with a level identifier (classid), which allows the Linux traffic controller (tc instruction) to identify packets from specific cgroup tasks and impose network restrictions.

Net_prio allows you to set the priority of network traffic (netowork traffic) based on cgroup.

Perf_event allows the use of perf tools to monitor cgroup.

Pids limits the number of tasks.

The Hierarchy (hierarchy) level has a series of cgroup arranged in a tree structure, and each level controls resources by binding the corresponding subsystem. The cgroup node in the hierarchy can contain zero or more child nodes, which inherit the subsystem mounted by the parent node. There can be multiple levels in an operating system.

File system Interface of cgroups

Cgroups provides APIs in the form of files. We can view the default mount point of cgroups through the mount command:

The copy code is as follows: $mount | grep cgroup

The files in the / sys/fs/cgroup directory in the tmpfs description on the first line are temporary files that exist in memory.

The mount point / sys/fs/cgroup/systemd in the second line is used to support cgroups in systemd system, and the author will make a special introduction to it in the future.

The rest of the mount points are the root hierarchy of the subsystems supported by the kernel.

It should be noted that in operating systems using the systemd system, the / sys/fs/cgroup directory is mounted by systemd during system startup, and the mount is read-only. In other words, it is not recommended that we create a new directory under the / sys/fs/cgroup directory and mount other subsystems. This is quite different from the previous operating system.

Let's explore what's under the / sys/fs/cgroup directory and its subdirectories:

The / sys/fs/cgroup directory is the root directory of each subsystem. Let's take the memory subsystem as an example and see what's in the memory directory.

These files are the root-level settings in cgroups's memory subsystem. For example, the number in memory.limit_in_bytes is used to limit the maximum available memory of the process, the weight of using swap is kept in memory.swappiness, and so on.

Since cgroups uses these files as API, I can apply cgroups by creating or modifying the contents of these files. What exactly should I do? For example, how can we limit the resources that a process can use? Next, we demonstrate how to use cgroups to restrict the resources that can be used by the process through a simple demo.

View the cgroups to which the process belongs

You can see which cgroup the specified process belongs to through / proc/ [pid] / cgroup:

Each row contains three columns separated by colons, which mean:

The ID of the cgroup tree corresponds to the ID in the / proc/cgroups file. All subsystem bound to the cgroup tree, separated by commas from multiple subsystem. Here name=systemd means that it is not bound to any subsystem, but it just gives him the name systemd. The path of the process in the cgroup tree, that is, the cgroup to which the process belongs, is relative to the mount point.

Since cgroups uses these files as API, I can apply cgroups by creating or modifying the contents of these files. What exactly should I do? For example, how can we limit the resources that a process can use? Next, we demonstrate how to use cgroups to restrict the resources that can be used by the process through a simple demo.

Cgroups tool

Before introducing the application of cgroups through systemd, let's demonstrate demo using cgexec in the cgroup-bin toolkit. Ubuntu does not have the cgroup-bin toolkit installed by default, please install it with the following command:

The copy code is as follows: $sudo apt install cgroup-bin

Demo: limit the CPU available to the process

When we use cgroups, it is best not to modify the configuration files of each subsystem directly under the root directory of each subsystem. The recommended way is to define different nodes in the subsystem tree for different requirements. For example, we can create a new directory named nick_cpu under the / sys/fs/cgroup/cpu directory:

$cd / sys/fs/cgroup/cpu$ sudo mkdir nick_cpu

Then look at the contents of the newly created directory:

Isn't it a little surprising that cgroups's file system automatically creates these configuration files when you create a file directory!

Let's limit the CPU cycle to 1/10 of the total with the following settings:

$sudo su$ echo 100000 > nick_cpu/cpu.cfs_period_us$ echo 10000 > nick_cpu/cpu.cfs_quota_us

Do the above two parameters look familiar? Yes, the "--cpu-period=100000-- cpu-quota=200000" introduced by the author in the article "Docker: limiting the CPU available to containers" is implemented by them.

Then create a CPU-intensive program:

Void main () {unsigned int i, end; end = 1024 * 1024 * 1024; for (I = 0; I

< end; ) { i ++; }} 保存为文件 cputime.c 编译并通过不同的方式执行： $ gcc cputime.c -o cputime$ sudo su$ time ./cputime$ time cgexec -g cpu:nick_cpu ./cputime time 命令可以为我们报告程序执行消耗的时间，其中的 real 就是我们真实感受到的时间。使用 cgexec 能够把我们添加的 cgroup 配置 nick_cpu 应用到运行 cputime 程序的进程上。 上图显示，默认的执行只需要 2s 左右。通过 cgroups 限制 CPU 资源后需要运行 23s。 demo：限制进程可用的内存 这次我们来限制进程可用的最大内存，在 /sys/fs/cgroup/memory 下创建目录nick_memory： $ cd /sys/fs/cgroup/memory$ sudo mkdir nick_memory 下面的设置把进程的可用内存限制在最大 300M，并且不使用 swap： # 物理内存 + SWAP nick_memory/memory.limit_in_bytes$ echo 0 >

Nick_memory/memory.swappiness

Then create a program that continuously allocates memory, which allocates memory five times, each requesting 100m:

# include#include#include#define CHUNK_SIZE 1024 * 1024 * 100void main () {char * p; int i; for (I = 0; I < 5; I + +) {p = malloc (sizeof (char) * CHUNK_SIZE); if (p = = NULL) {printf ("fail to malloc!"); return;} / / memset () function to set the first n bytes of the specified memory to a specific value memset (p, 0, CHUNK_SIZE) Printf ("malloc memory% d MB\ n", (I + 1) * 100);}}

Save the above code as a mem.c file, and then compile:

$gcc mem.c-o mem

Execute the generated mem program:

$. / mem

Everything is going well at this time, and then try to add the constraints just now:

$cgexec-g memory:nick_memory. / mem

Processes with restricted resources are forcibly killed when requesting memory because there is not enough memory and the use of swap is prohibited.

Let's use the stress program to test a similar scenario (apply for 500m of memory through the stress program):

Sudo cgexec-g memory:nick_memory stress-- vm 1-- vm-bytes 500000000-- vm-keep-- verbose

The stress program can provide more detailed information, and the process is killed by receiving a SIGKILL (signal 9) signal.

In practical applications, it is often necessary to limit a variety of resources at the same time, such as both CPU resources and memory resources. Using cgexec to implement such a use case is actually very simple, just specify multiple-g options:

$cgexec-g cpu:nick_cpu-g memory:nick_memory. / cpumem

Summary

Cgroups is a function provided by the linux kernel, which is not easy to understand because it involves a lot of concepts. This article attempts to demonstrate the use of cgroups with the simplest demo while introducing conceptual content. I hope the intuitive demo can help you understand cgroups.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.