| ================ |
| Control Group v2 |
| ================ |
| |
| :Date: October, 2015 |
| :Author: Tejun Heo <tj@kernel.org> |
| |
| This is the authoritative documentation on the design, interface and |
| conventions of cgroup v2. It describes all userland-visible aspects |
| of cgroup including core and specific controller behaviors. All |
| future changes must be reflected in this document. Documentation for |
| v1 is available under :ref:`Documentation/admin-guide/cgroup-v1/index.rst <cgroup-v1>`. |
| |
| .. CONTENTS |
| |
| 1. Introduction |
| 1-1. Terminology |
| 1-2. What is cgroup? |
| 2. Basic Operations |
| 2-1. Mounting |
| 2-2. Organizing Processes and Threads |
| 2-2-1. Processes |
| 2-2-2. Threads |
| 2-3. [Un]populated Notification |
| 2-4. Controlling Controllers |
| 2-4-1. Enabling and Disabling |
| 2-4-2. Top-down Constraint |
| 2-4-3. No Internal Process Constraint |
| 2-5. Delegation |
| 2-5-1. Model of Delegation |
| 2-5-2. Delegation Containment |
| 2-6. Guidelines |
| 2-6-1. Organize Once and Control |
| 2-6-2. Avoid Name Collisions |
| 3. Resource Distribution Models |
| 3-1. Weights |
| 3-2. Limits |
| 3-3. Protections |
| 3-4. Allocations |
| 4. Interface Files |
| 4-1. Format |
| 4-2. Conventions |
| 4-3. Core Interface Files |
| 5. Controllers |
| 5-1. CPU |
| 5-1-1. CPU Interface Files |
| 5-2. Memory |
| 5-2-1. Memory Interface Files |
| 5-2-2. Usage Guidelines |
| 5-2-3. Memory Ownership |
| 5-3. IO |
| 5-3-1. IO Interface Files |
| 5-3-2. Writeback |
| 5-3-3. IO Latency |
| 5-3-3-1. How IO Latency Throttling Works |
| 5-3-3-2. IO Latency Interface Files |
| 5-4. PID |
| 5-4-1. PID Interface Files |
| 5-5. Cpuset |
| 5.5-1. Cpuset Interface Files |
| 5-6. Device |
| 5-7. RDMA |
| 5-7-1. RDMA Interface Files |
| 5-8. HugeTLB |
| 5.8-1. HugeTLB Interface Files |
| 5-8. Misc |
| 5-8-1. perf_event |
| 5-N. Non-normative information |
| 5-N-1. CPU controller root cgroup process behaviour |
| 5-N-2. IO controller root cgroup process behaviour |
| 6. Namespace |
| 6-1. Basics |
| 6-2. The Root and Views |
| 6-3. Migration and setns(2) |
| 6-4. Interaction with Other Namespaces |
| P. Information on Kernel Programming |
| P-1. Filesystem Support for Writeback |
| D. Deprecated v1 Core Features |
| R. Issues with v1 and Rationales for v2 |
| R-1. Multiple Hierarchies |
| R-2. Thread Granularity |
| R-3. Competition Between Inner Nodes and Threads |
| R-4. Other Interface Issues |
| R-5. Controller Issues and Remedies |
| R-5-1. Memory |
| |
| |
| Introduction |
| ============ |
| |
| Terminology |
| ----------- |
| |
| "cgroup" stands for "control group" and is never capitalized. The |
| singular form is used to designate the whole feature and also as a |
| qualifier as in "cgroup controllers". When explicitly referring to |
| multiple individual control groups, the plural form "cgroups" is used. |
| |
| |
| What is cgroup? |
| --------------- |
| |
| cgroup is a mechanism to organize processes hierarchically and |
| distribute system resources along the hierarchy in a controlled and |
| configurable manner. |
| |
| cgroup is largely composed of two parts - the core and controllers. |
| cgroup core is primarily responsible for hierarchically organizing |
| processes. A cgroup controller is usually responsible for |
| distributing a specific type of system resource along the hierarchy |
| although there are utility controllers which serve purposes other than |
| resource distribution. |
| |
| cgroups form a tree structure and every process in the system belongs |
| to one and only one cgroup. All threads of a process belong to the |
| same cgroup. On creation, all processes are put in the cgroup that |
| the parent process belongs to at the time. A process can be migrated |
| to another cgroup. Migration of a process doesn't affect already |
| existing descendant processes. |
| |
| Following certain structural constraints, controllers may be enabled or |
| disabled selectively on a cgroup. All controller behaviors are |
| hierarchical - if a controller is enabled on a cgroup, it affects all |
| processes which belong to the cgroups consisting the inclusive |
| sub-hierarchy of the cgroup. When a controller is enabled on a nested |
| cgroup, it always restricts the resource distribution further. The |
| restrictions set closer to the root in the hierarchy can not be |
| overridden from further away. |
| |
| |
| Basic Operations |
| ================ |
| |
| Mounting |
| -------- |
| |
| Unlike v1, cgroup v2 has only single hierarchy. The cgroup v2 |
| hierarchy can be mounted with the following mount command:: |
| |
| # mount -t cgroup2 none $MOUNT_POINT |
| |
| cgroup2 filesystem has the magic number 0x63677270 ("cgrp"). All |
| controllers which support v2 and are not bound to a v1 hierarchy are |
| automatically bound to the v2 hierarchy and show up at the root. |
| Controllers which are not in active use in the v2 hierarchy can be |
| bound to other hierarchies. This allows mixing v2 hierarchy with the |
| legacy v1 multiple hierarchies in a fully backward compatible way. |
| |
| A controller can be moved across hierarchies only after the controller |
| is no longer referenced in its current hierarchy. Because per-cgroup |
| controller states are destroyed asynchronously and controllers may |
| have lingering references, a controller may not show up immediately on |
| the v2 hierarchy after the final umount of the previous hierarchy. |
| Similarly, a controller should be fully disabled to be moved out of |
| the unified hierarchy and it may take some time for the disabled |
| controller to become available for other hierarchies; furthermore, due |
| to inter-controller dependencies, other controllers may need to be |
| disabled too. |
| |
| While useful for development and manual configurations, moving |
| controllers dynamically between the v2 and other hierarchies is |
| strongly discouraged for production use. It is recommended to decide |
| the hierarchies and controller associations before starting using the |
| controllers after system boot. |
| |
| During transition to v2, system management software might still |
| automount the v1 cgroup filesystem and so hijack all controllers |
| during boot, before manual intervention is possible. To make testing |
| and experimenting easier, the kernel parameter cgroup_no_v1= allows |
| disabling controllers in v1 and make them always available in v2. |
| |
| cgroup v2 currently supports the following mount options. |
| |
| nsdelegate |
| |
| Consider cgroup namespaces as delegation boundaries. This |
| option is system wide and can only be set on mount or modified |
| through remount from the init namespace. The mount option is |
| ignored on non-init namespace mounts. Please refer to the |
| Delegation section for details. |
| |
| memory_localevents |
| |
| Only populate memory.events with data for the current cgroup, |
| and not any subtrees. This is legacy behaviour, the default |
| behaviour without this option is to include subtree counts. |
| This option is system wide and can only be set on mount or |
| modified through remount from the init namespace. The mount |
| option is ignored on non-init namespace mounts. |
| |
| memory_recursiveprot |
| |
| Recursively apply memory.min and memory.low protection to |
| entire subtrees, without requiring explicit downward |
| propagation into leaf cgroups. This allows protecting entire |
| subtrees from one another, while retaining free competition |
| within those subtrees. This should have been the default |
| behavior but is a mount-option to avoid regressing setups |
| relying on the original semantics (e.g. specifying bogusly |
| high 'bypass' protection values at higher tree levels). |
| |
| |
| Organizing Processes and Threads |
| -------------------------------- |
| |
| Processes |
| ~~~~~~~~~ |
| |
| Initially, only the root cgroup exists to which all processes belong. |
| A child cgroup can be created by creating a sub-directory:: |
| |
| # mkdir $CGROUP_NAME |
| |
| A given cgroup may have multiple child cgroups forming a tree |
| structure. Each cgroup has a read-writable interface file |
| "cgroup.procs". When read, it lists the PIDs of all processes which |
| belong to the cgroup one-per-line. The PIDs are not ordered and the |
| same PID may show up more than once if the process got moved to |
| another cgroup and then back or the PID got recycled while reading. |
| |
| A process can be migrated into a cgroup by writing its PID to the |
| target cgroup's "cgroup.procs" file. Only one process can be migrated |
| on a single write(2) call. If a process is composed of multiple |
| threads, writing the PID of any thread migrates all threads of the |
| process. |
| |
| When a process forks a child process, the new process is born into the |
| cgroup that the forking process belongs to at the time of the |
| operation. After exit, a process stays associated with the cgroup |
| that it belonged to at the time of exit until it's reaped; however, a |
| zombie process does not appear in "cgroup.procs" and thus can't be |
| moved to another cgroup. |
| |
| A cgroup which doesn't have any children or live processes can be |
| destroyed by removing the directory. Note that a cgroup which doesn't |
| have any children and is associated only with zombie processes is |
| considered empty and can be removed:: |
| |
| # rmdir $CGROUP_NAME |
| |
| "/proc/$PID/cgroup" lists a process's cgroup membership. If legacy |
| cgroup is in use in the system, this file may contain multiple lines, |
| one for each hierarchy. The entry for cgroup v2 is always in the |
| format "0::$PATH":: |
| |
| # cat /proc/842/cgroup |
| ... |
| 0::/test-cgroup/test-cgroup-nested |
| |
| If the process becomes a zombie and the cgroup it was associated with |
| is removed subsequently, " (deleted)" is appended to the path:: |
| |
| # cat /proc/842/cgroup |
| ... |
| 0::/test-cgroup/test-cgroup-nested (deleted) |
| |
| |
| Threads |
| ~~~~~~~ |
| |
| cgroup v2 supports thread granularity for a subset of controllers to |
| support use cases requiring hierarchical resource distribution across |
| the threads of a group of processes. By default, all threads of a |
| process belong to the same cgroup, which also serves as the resource |
| domain to host resource consumptions which are not specific to a |
| process or thread. The thread mode allows threads to be spread across |
| a subtree while still maintaining the common resource domain for them. |
| |
| Controllers which support thread mode are called threaded controllers. |
| The ones which don't are called domain controllers. |
| |
| Marking a cgroup threaded makes it join the resource domain of its |
| parent as a threaded cgroup. The parent may be another threaded |
| cgroup whose resource domain is further up in the hierarchy. The root |
| of a threaded subtree, that is, the nearest ancestor which is not |
| threaded, is called threaded domain or thread root interchangeably and |
| serves as the resource domain for the entire subtree. |
| |
| Inside a threaded subtree, threads of a process can be put in |
| different cgroups and are not subject to the no internal process |
| constraint - threaded controllers can be enabled on non-leaf cgroups |
| whether they have threads in them or not. |
| |
| As the threaded domain cgroup hosts all the domain resource |
| consumptions of the subtree, it is considered to have internal |
| resource consumptions whether there are processes in it or not and |
| can't have populated child cgroups which aren't threaded. Because the |
| root cgroup is not subject to no internal process constraint, it can |
| serve both as a threaded domain and a parent to domain cgroups. |
| |
| The current operation mode or type of the cgroup is shown in the |
| "cgroup.type" file which indicates whether the cgroup is a normal |
| domain, a domain which is serving as the domain of a threaded subtree, |
| or a threaded cgroup. |
| |
| On creation, a cgroup is always a domain cgroup and can be made |
| threaded by writing "threaded" to the "cgroup.type" file. The |
| operation is single direction:: |
| |
| # echo threaded > cgroup.type |
| |
| Once threaded, the cgroup can't be made a domain again. To enable the |
| thread mode, the following conditions must be met. |
| |
| - As the cgroup will join the parent's resource domain. The parent |
| must either be a valid (threaded) domain or a threaded cgroup. |
| |
| - When the parent is an unthreaded domain, it must not have any domain |
| controllers enabled or populated domain children. The root is |
| exempt from this requirement. |
| |
| Topology-wise, a cgroup can be in an invalid state. Please consider |
| the following topology:: |
| |
| A (threaded domain) - B (threaded) - C (domain, just created) |
| |
| C is created as a domain but isn't connected to a parent which can |
| host child domains. C can't be used until it is turned into a |
| threaded cgroup. "cgroup.type" file will report "domain (invalid)" in |
| these cases. Operations which fail due to invalid topology use |
| EOPNOTSUPP as the errno. |
| |
| A domain cgroup is turned into a threaded domain when one of its child |
| cgroup becomes threaded or threaded controllers are enabled in the |
| "cgroup.subtree_control" file while there are processes in the cgroup. |
| A threaded domain reverts to a normal domain when the conditions |
| clear. |
| |
| When read, "cgroup.threads" contains the list of the thread IDs of all |
| threads in the cgroup. Except that the operations are per-thread |
| instead of per-process, "cgroup.threads" has the same format and |
| behaves the same way as "cgroup.procs". While "cgroup.threads" can be |
| written to in any cgroup, as it can only move threads inside the same |
| threaded domain, its operations are confined inside each threaded |
| subtree. |
| |
| The threaded domain cgroup serves as the resource domain for the whole |
| subtree, and, while the threads can be scattered across the subtree, |
| all the processes are considered to be in the threaded domain cgroup. |
| "cgroup.procs" in a threaded domain cgroup contains the PIDs of all |
| processes in the subtree and is not readable in the subtree proper. |
| However, "cgroup.procs" can be written to from anywhere in the subtree |
| to migrate all threads of the matching process to the cgroup. |
| |
| Only threaded controllers can be enabled in a threaded subtree. When |
| a threaded controller is enabled inside a threaded subtree, it only |
| accounts for and controls resource consumptions associated with the |
| threads in the cgroup and its descendants. All consumptions which |
| aren't tied to a specific thread belong to the threaded domain cgroup. |
| |
| Because a threaded subtree is exempt from no internal process |
| constraint, a threaded controller must be able to handle competition |
| between threads in a non-leaf cgroup and its child cgroups. Each |
| threaded controller defines how such competitions are handled. |
| |
| |
| [Un]populated Notification |
| -------------------------- |
| |
| Each non-root cgroup has a "cgroup.events" file which contains |
| "populated" field indicating whether the cgroup's sub-hierarchy has |
| live processes in it. Its value is 0 if there is no live process in |
| the cgroup and its descendants; otherwise, 1. poll and [id]notify |
| events are triggered when the value changes. This can be used, for |
| example, to start a clean-up operation after all processes of a given |
| sub-hierarchy have exited. The populated state updates and |
| notifications are recursive. Consider the following sub-hierarchy |
| where the numbers in the parentheses represent the numbers of processes |
| in each cgroup:: |
| |
| A(4) - B(0) - C(1) |
| \ D(0) |
| |
| A, B and C's "populated" fields would be 1 while D's 0. After the one |
| process in C exits, B and C's "populated" fields would flip to "0" and |
| file modified events will be generated on the "cgroup.events" files of |
| both cgroups. |
| |
| |
| Controlling Controllers |
| ----------------------- |
| |
| Enabling and Disabling |
| ~~~~~~~~~~~~~~~~~~~~~~ |
| |
| Each cgroup has a "cgroup.controllers" file which lists all |
| controllers available for the cgroup to enable:: |
| |
| # cat cgroup.controllers |
| cpu io memory |
| |
| No controller is enabled by default. Controllers can be enabled and |
| disabled by writing to the "cgroup.subtree_control" file:: |
| |
| # echo "+cpu +memory -io" > cgroup.subtree_control |
| |
| Only controllers which are listed in "cgroup.controllers" can be |
| enabled. When multiple operations are specified as above, either they |
| all succeed or fail. If multiple operations on the same controller |
| are specified, the last one is effective. |
| |
| Enabling a controller in a cgroup indicates that the distribution of |
| the target resource across its immediate children will be controlled. |
| Consider the following sub-hierarchy. The enabled controllers are |
| listed in parentheses:: |
| |
| A(cpu,memory) - B(memory) - C() |
| \ D() |
| |
| As A has "cpu" and "memory" enabled, A will control the distribution |
| of CPU cycles and memory to its children, in this case, B. As B has |
| "memory" enabled but not "CPU", C and D will compete freely on CPU |
| cycles but their division of memory available to B will be controlled. |
| |
| As a controller regulates the distribution of the target resource to |
| the cgroup's children, enabling it creates the controller's interface |
| files in the child cgroups. In the above example, enabling "cpu" on B |
| would create the "cpu." prefixed controller interface files in C and |
| D. Likewise, disabling "memory" from B would remove the "memory." |
| prefixed controller interface files from C and D. This means that the |
| controller interface files - anything which doesn't start with |
| "cgroup." are owned by the parent rather than the cgroup itself. |
| |
| |
| Top-down Constraint |
| ~~~~~~~~~~~~~~~~~~~ |
| |
| Resources are distributed top-down and a cgroup can further distribute |
| a resource only if the resource has been distributed to it from the |
| parent. This means that all non-root "cgroup.subtree_control" files |
| can only contain controllers which are enabled in the parent's |
| "cgroup.subtree_control" file. A controller can be enabled only if |
| the parent has the controller enabled and a controller can't be |
| disabled if one or more children have it enabled. |
| |
| |
| No Internal Process Constraint |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| |
| Non-root cgroups can distribute domain resources to their children |
| only when they don't have any processes of their own. In other words, |
| only domain cgroups which don't contain any processes can have domain |
| controllers enabled in their "cgroup.subtree_control" files. |
| |
| This guarantees that, when a domain controller is looking at the part |
| of the hierarchy which has it enabled, processes are always only on |
| the leaves. This rules out situations where child cgroups compete |
| against internal processes of the parent. |
| |
| The root cgroup is exempt from this restriction. Root contains |
| processes and anonymous resource consumption which can't be associated |
| with any other cgroups and requires special treatment from most |
| controllers. How resource consumption in the root cgroup is governed |
| is up to each controller (for more information on this topic please |
| refer to the Non-normative information section in the Controllers |
| chapter). |
| |
| Note that the restriction doesn't get in the way if there is no |
| enabled controller in the cgroup's "cgroup.subtree_control". This is |
| important as otherwise it wouldn't be possible to create children of a |
| populated cgroup. To control resource distribution of a cgroup, the |
| cgroup must create children and transfer all its processes to the |
| children before enabling controllers in its "cgroup.subtree_control" |
| file. |
| |
| |
| Delegation |
| ---------- |
| |
| Model of Delegation |
| ~~~~~~~~~~~~~~~~~~~ |
| |
| A cgroup can be delegated in two ways. First, to a less privileged |
| user by granting write access of the directory and its "cgroup.procs", |
| "cgroup.threads" and "cgroup.subtree_control" files to the user. |
| Second, if the "nsdelegate" mount option is set, automatically to a |
| cgroup namespace on namespace creation. |
| |
| Because the resource control interface files in a given directory |
| control the distribution of the parent's resources, the delegatee |
| shouldn't be allowed to write to them. For the first method, this is |
| achieved by not granting access to these files. For the second, the |
| kernel rejects writes to all files other than "cgroup.procs" and |
| "cgroup.subtree_control" on a namespace root from inside the |
| namespace. |
| |
| The end results are equivalent for both delegation types. Once |
| delegated, the user can build sub-hierarchy under the directory, |
| organize processes inside it as it sees fit and further distribute the |
| resources it received from the parent. The limits and other settings |
| of all resource controllers are hierarchical and regardless of what |
| happens in the delegated sub-hierarchy, nothing can escape the |
| resource restrictions imposed by the parent. |
| |
| Currently, cgroup doesn't impose any restrictions on the number of |
| cgroups in or nesting depth of a delegated sub-hierarchy; however, |
| this may be limited explicitly in the future. |
| |
| |
| Delegation Containment |
| ~~~~~~~~~~~~~~~~~~~~~~ |
| |
| A delegated sub-hierarchy is contained in the sense that processes |
| can't be moved into or out of the sub-hierarchy by the delegatee. |
| |
| For delegations to a less privileged user, this is achieved by |
| requiring the following conditions for a process with a non-root euid |
| to migrate a target process into a cgroup by writing its PID to the |
| "cgroup.procs" file. |
| |
| - The writer must have write access to the "cgroup.procs" file. |
| |
| - The writer must have write access to the "cgroup.procs" file of the |
| common ancestor of the source and destination cgroups. |
| |
| The above two constraints ensure that while a delegatee may migrate |
| processes around freely in the delegated sub-hierarchy it can't pull |
| in from or push out to outside the sub-hierarchy. |
| |
| For an example, let's assume cgroups C0 and C1 have been delegated to |
| user U0 who created C00, C01 under C0 and C10 under C1 as follows and |
| all processes under C0 and C1 belong to U0:: |
| |
| ~~~~~~~~~~~~~ - C0 - C00 |
| ~ cgroup ~ \ C01 |
| ~ hierarchy ~ |
| ~~~~~~~~~~~~~ - C1 - C10 |
| |
| Let's also say U0 wants to write the PID of a process which is |
| currently in C10 into "C00/cgroup.procs". U0 has write access to the |
| file; however, the common ancestor of the source cgroup C10 and the |
| destination cgroup C00 is above the points of delegation and U0 would |
| not have write access to its "cgroup.procs" files and thus the write |
| will be denied with -EACCES. |
| |
| For delegations to namespaces, containment is achieved by requiring |
| that both the source and destination cgroups are reachable from the |
| namespace of the process which is attempting the migration. If either |
| is not reachable, the migration is rejected with -ENOENT. |
| |
| |
| Guidelines |
| ---------- |
| |
| Organize Once and Control |
| ~~~~~~~~~~~~~~~~~~~~~~~~~ |
| |
| Migrating a process across cgroups is a relatively expensive operation |
| and stateful resources such as memory are not moved together with the |
| process. This is an explicit design decision as there often exist |
| inherent trade-offs between migration and various hot paths in terms |
| of synchronization cost. |
| |
| As such, migrating processes across cgroups frequently as a means to |
| apply different resource restrictions is discouraged. A workload |
| should be assigned to a cgroup according to the system's logical and |
| resource structure once on start-up. Dynamic adjustments to resource |
| distribution can be made by changing controller configuration through |
| the interface files. |
| |
| |
| Avoid Name Collisions |
| ~~~~~~~~~~~~~~~~~~~~~ |
| |
| Interface files for a cgroup and its children cgroups occupy the same |
| directory and it is possible to create children cgroups which collide |
| with interface files. |
| |
| All cgroup core interface files are prefixed with "cgroup." and each |
| controller's interface files are prefixed with the controller name and |
| a dot. A controller's name is composed of lower case alphabets and |
| '_'s but never begins with an '_' so it can be used as the prefix |
| character for collision avoidance. Also, interface file names won't |
| start or end with terms which are often used in categorizing workloads |
| such as job, service, slice, unit or workload. |
| |
| cgroup doesn't do anything to prevent name collisions and it's the |
| user's responsibility to avoid them. |
| |
| |
| Resource Distribution Models |
| ============================ |
| |
| cgroup controllers implement several resource distribution schemes |
| depending on the resource type and expected use cases. This section |
| describes major schemes in use along with their expected behaviors. |
| |
| |
| Weights |
| ------- |
| |
| A parent's resource is distributed by adding up the weights of all |
| active children and giving each the fraction matching the ratio of its |
| weight against the sum. As only children which can make use of the |
| resource at the moment participate in the distribution, this is |
| work-conserving. Due to the dynamic nature, this model is usually |
| used for stateless resources. |
| |
| All weights are in the range [1, 10000] with the default at 100. This |
| allows symmetric multiplicative biases in both directions at fine |
| enough granularity while staying in the intuitive range. |
| |
| As long as the weight is in range, all configuration combinations are |
| valid and there is no reason to reject configuration changes or |
| process migrations. |
| |
| "cpu.weight" proportionally distributes CPU cycles to active children |
| and is an example of this type. |
| |
| |
| Limits |
| ------ |
| |
| A child can only consume upto the configured amount of the resource. |
| Limits can be over-committed - the sum of the limits of children can |
| exceed the amount of resource available to the parent. |
| |
| Limits are in the range [0, max] and defaults to "max", which is noop. |
| |
| As limits can be over-committed, all configuration combinations are |
| valid and there is no reason to reject configuration changes or |
| process migrations. |
| |
| "io.max" limits the maximum BPS and/or IOPS that a cgroup can consume |
| on an IO device and is an example of this type. |
| |
| |
| Protections |
| ----------- |
| |
| A cgroup is protected upto the configured amount of the resource |
| as long as the usages of all its ancestors are under their |
| protected levels. Protections can be hard guarantees or best effort |
| soft boundaries. Protections can also be over-committed in which case |
| only upto the amount available to the parent is protected among |
| children. |
| |
| Protections are in the range [0, max] and defaults to 0, which is |
| noop. |
| |
| As protections can be over-committed, all configuration combinations |
| are valid and there is no reason to reject configuration changes or |
| process migrations. |
| |
| "memory.low" implements best-effort memory protection and is an |
| example of this type. |
| |
| |
| Allocations |
| ----------- |
| |
| A cgroup is exclusively allocated a certain amount of a finite |
| resource. Allocations can't be over-committed - the sum of the |
| allocations of children can not exceed the amount of resource |
| available to the parent. |
| |
| Allocations are in the range [0, max] and defaults to 0, which is no |
| resource. |
| |
| As allocations can't be over-committed, some configuration |
| combinations are invalid and should be rejected. Also, if the |
| resource is mandatory for execution of processes, process migrations |
| may be rejected. |
| |
| "cpu.rt.max" hard-allocates realtime slices and is an example of this |
| type. |
| |
| |
| Interface Files |
| =============== |
| |
| Format |
| ------ |
| |
| All interface files should be in one of the following formats whenever |
| possible:: |
| |
| New-line separated values |
| (when only one value can be written at once) |
| |
| VAL0\n |
| VAL1\n |
| ... |
| |
| Space separated values |
| (when read-only or multiple values can be written at once) |
| |
| VAL0 VAL1 ...\n |
| |
| Flat keyed |
| |
| KEY0 VAL0\n |
| KEY1 VAL1\n |
| ... |
| |
| Nested keyed |
| |
| KEY0 SUB_KEY0=VAL00 SUB_KEY1=VAL01... |
| KEY1 SUB_KEY0=VAL10 SUB_KEY1=VAL11... |
| ... |
| |
| For a writable file, the format for writing should generally match |
| reading; however, controllers may allow omitting later fields or |
| implement restricted shortcuts for most common use cases. |
| |
| For both flat and nested keyed files, only the values for a single key |
| can be written at a time. For nested keyed files, the sub key pairs |
| may be specified in any order and not all pairs have to be specified. |
| |
| |
| Conventions |
| ----------- |
| |
| - Settings for a single feature should be contained in a single file. |
| |
| - The root cgroup should be exempt from resource control and thus |
| shouldn't have resource control interface files. |
| |
| - The default time unit is microseconds. If a different unit is ever |
| used, an explicit unit suffix must be present. |
| |
| - A parts-per quantity should use a percentage decimal with at least |
| two digit fractional part - e.g. 13.40. |
| |
| - If a controller implements weight based resource distribution, its |
| interface file should be named "weight" and have the range [1, |
| 10000] with 100 as the default. The values are chosen to allow |
| enough and symmetric bias in both directions while keeping it |
| intuitive (the default is 100%). |
| |
| - If a controller implements an absolute resource guarantee and/or |
| limit, the interface files should be named "min" and "max" |
| respectively. If a controller implements best effort resource |
| guarantee and/or limit, the interface files should be named "low" |
| and "high" respectively. |
| |
| In the above four control files, the special token "max" should be |
| used to represent upward infinity for both reading and writing. |
| |
| - If a setting has a configurable default value and keyed specific |
| overrides, the default entry should be keyed with "default" and |
| appear as the first entry in the file. |
| |
| The default value can be updated by writing either "default $VAL" or |
| "$VAL". |
| |
| When writing to update a specific override, "default" can be used as |
| the value to indicate removal of the override. Override entries |
| with "default" as the value must not appear when read. |
| |
| For example, a setting which is keyed by major:minor device numbers |
| with integer values may look like the following:: |
| |
| # cat cgroup-example-interface-file |
| default 150 |
| 8:0 300 |
| |
| The default value can be updated by:: |
| |
| # echo 125 > cgroup-example-interface-file |
| |
| or:: |
| |
| # echo "default 125" > cgroup-example-interface-file |
| |
| An override can be set by:: |
| |
| # echo "8:16 170" > cgroup-example-interface-file |
| |
| and cleared by:: |
| |
| # echo "8:0 default" > cgroup-example-interface-file |
| # cat cgroup-example-interface-file |
| default 125 |
| 8:16 170 |
| |
| - For events which are not very high frequency, an interface file |
| "events" should be created which lists event key value pairs. |
| Whenever a notifiable event happens, file modified event should be |
| generated on the file. |
| |
| |
| Core Interface Files |
| -------------------- |
| |
| All cgroup core files are prefixed with "cgroup." |
| |
| cgroup.type |
| |
| A read-write single value file which exists on non-root |
| cgroups. |
| |
| When read, it indicates the current type of the cgroup, which |
| can be one of the following values. |
| |
| - "domain" : A normal valid domain cgroup. |
| |
| - "domain threaded" : A threaded domain cgroup which is |
| serving as the root of a threaded subtree. |
| |
| - "domain invalid" : A cgroup which is in an invalid state. |
| It can't be populated or have controllers enabled. It may |
| be allowed to become a threaded cgroup. |
| |
| - "threaded" : A threaded cgroup which is a member of a |
| threaded subtree. |
| |
| A cgroup can be turned into a threaded cgroup by writing |
| "threaded" to this file. |
| |
| cgroup.procs |
| A read-write new-line separated values file which exists on |
| all cgroups. |
| |
| When read, it lists the PIDs of all processes which belong to |
| the cgroup one-per-line. The PIDs are not ordered and the |
| same PID may show up more than once if the process got moved |
| to another cgroup and then back or the PID got recycled while |
| reading. |
| |
| A PID can be written to migrate the process associated with |
| the PID to the cgroup. The writer should match all of the |
| following conditions. |
| |
| - It must have write access to the "cgroup.procs" file. |
| |
| - It must have write access to the "cgroup.procs" file of the |
| common ancestor of the source and destination cgroups. |
| |
| When delegating a sub-hierarchy, write access to this file |
| should be granted along with the containing directory. |
| |
| In a threaded cgroup, reading this file fails with EOPNOTSUPP |
| as all the processes belong to the thread root. Writing is |
| supported and moves every thread of the process to the cgroup. |
| |
| cgroup.threads |
| A read-write new-line separated values file which exists on |
| all cgroups. |
| |
| When read, it lists the TIDs of all threads which belong to |
| the cgroup one-per-line. The TIDs are not ordered and the |
| same TID may show up more than once if the thread got moved to |
| another cgroup and then back or the TID got recycled while |
| reading. |
| |
| A TID can be written to migrate the thread associated with the |
| TID to the cgroup. The writer should match all of the |
| following conditions. |
| |
| - It must have write access to the "cgroup.threads" file. |
| |
| - The cgroup that the thread is currently in must be in the |
| same resource domain as the destination cgroup. |
| |
| - It must have write access to the "cgroup.procs" file of the |
| common ancestor of the source and destination cgroups. |
| |
| When delegating a sub-hierarchy, write access to this file |
| should be granted along with the containing directory. |
| |
| cgroup.controllers |
| A read-only space separated values file which exists on all |
| cgroups. |
| |
| It shows space separated list of all controllers available to |
| the cgroup. The controllers are not ordered. |
| |
| cgroup.subtree_control |
| A read-write space separated values file which exists on all |
| cgroups. Starts out empty. |
| |
| When read, it shows space separated list of the controllers |
| which are enabled to control resource distribution from the |
| cgroup to its children. |
| |
| Space separated list of controllers prefixed with '+' or '-' |
| can be written to enable or disable controllers. A controller |
| name prefixed with '+' enables the controller and '-' |
| disables. If a controller appears more than once on the list, |
| the last one is effective. When multiple enable and disable |
| operations are specified, either all succeed or all fail. |
| |
| cgroup.events |
| A read-only flat-keyed file which exists on non-root cgroups. |
| The following entries are defined. Unless specified |
| otherwise, a value change in this file generates a file |
| modified event. |
| |
| populated |
| 1 if the cgroup or its descendants contains any live |
| processes; otherwise, 0. |
| frozen |
| 1 if the cgroup is frozen; otherwise, 0. |
| |
| cgroup.max.descendants |
| A read-write single value files. The default is "max". |
| |
| Maximum allowed number of descent cgroups. |
| If the actual number of descendants is equal or larger, |
| an attempt to create a new cgroup in the hierarchy will fail. |
| |
| cgroup.max.depth |
| A read-write single value files. The default is "max". |
| |
| Maximum allowed descent depth below the current cgroup. |
| If the actual descent depth is equal or larger, |
| an attempt to create a new child cgroup will fail. |
| |
| cgroup.stat |
| A read-only flat-keyed file with the following entries: |
| |
| nr_descendants |
| Total number of visible descendant cgroups. |
| |
| nr_dying_descendants |
| Total number of dying descendant cgroups. A cgroup becomes |
| dying after being deleted by a user. The cgroup will remain |
| in dying state for some time undefined time (which can depend |
| on system load) before being completely destroyed. |
| |
| A process can't enter a dying cgroup under any circumstances, |
| a dying cgroup can't revive. |
| |
| A dying cgroup can consume system resources not exceeding |
| limits, which were active at the moment of cgroup deletion. |
| |
| cgroup.freeze |
| A read-write single value file which exists on non-root cgroups. |
| Allowed values are "0" and "1". The default is "0". |
| |
| Writing "1" to the file causes freezing of the cgroup and all |
| descendant cgroups. This means that all belonging processes will |
| be stopped and will not run until the cgroup will be explicitly |
| unfrozen. Freezing of the cgroup may take some time; when this action |
| is completed, the "frozen" value in the cgroup.events control file |
| will be updated to "1" and the corresponding notification will be |
| issued. |
| |
| A cgroup can be frozen either by its own settings, or by settings |
| of any ancestor cgroups. If any of ancestor cgroups is frozen, the |
| cgroup will remain frozen. |
| |
| Processes in the frozen cgroup can be killed by a fatal signal. |
| They also can enter and leave a frozen cgroup: either by an explicit |
| move by a user, or if freezing of the cgroup races with fork(). |
| If a process is moved to a frozen cgroup, it stops. If a process is |
| moved out of a frozen cgroup, it becomes running. |
| |
| Frozen status of a cgroup doesn't affect any cgroup tree operations: |
| it's possible to delete a frozen (and empty) cgroup, as well as |
| create new sub-cgroups. |
| |
| Controllers |
| =========== |
| |
| CPU |
| --- |
| |
| The "cpu" controllers regulates distribution of CPU cycles. This |
| controller implements weight and absolute bandwidth limit models for |
| normal scheduling policy and absolute bandwidth allocation model for |
| realtime scheduling policy. |
| |
| In all the above models, cycles distribution is defined only on a temporal |
| base and it does not account for the frequency at which tasks are executed. |
| The (optional) utilization clamping support allows to hint the schedutil |
| cpufreq governor about the minimum desired frequency which should always be |
| provided by a CPU, as well as the maximum desired frequency, which should not |
| be exceeded by a CPU. |
| |
| WARNING: cgroup2 doesn't yet support control of realtime processes and |
| the cpu controller can only be enabled when all RT processes are in |
| the root cgroup. Be aware that system management software may already |
| have placed RT processes into nonroot cgroups during the system boot |
| process, and these processes may need to be moved to the root cgroup |
| before the cpu controller can be enabled. |
| |
| |
| CPU Interface Files |
| ~~~~~~~~~~~~~~~~~~~ |
| |
| All time durations are in microseconds. |
| |
| cpu.stat |
| A read-only flat-keyed file. |
| This file exists whether the controller is enabled or not. |
| |
| It always reports the following three stats: |
| |
| - usage_usec |
| - user_usec |
| - system_usec |
| |
| and the following three when the controller is enabled: |
| |
| - nr_periods |
| - nr_throttled |
| - throttled_usec |
| |
| cpu.weight |
| A read-write single value file which exists on non-root |
| cgroups. The default is "100". |
| |
| The weight in the range [1, 10000]. |
| |
| cpu.weight.nice |
| A read-write single value file which exists on non-root |
| cgroups. The default is "0". |
| |
| The nice value is in the range [-20, 19]. |
| |
| This interface file is an alternative interface for |
| "cpu.weight" and allows reading and setting weight using the |
| same values used by nice(2). Because the range is smaller and |
| granularity is coarser for the nice values, the read value is |
| the closest approximation of the current weight. |
| |
| cpu.max |
| A read-write two value file which exists on non-root cgroups. |
| The default is "max 100000". |
| |
| The maximum bandwidth limit. It's in the following format:: |
| |
| $MAX $PERIOD |
| |
| which indicates that the group may consume upto $MAX in each |
| $PERIOD duration. "max" for $MAX indicates no limit. If only |
| one number is written, $MAX is updated. |
| |
| cpu.pressure |
| A read-only nested-key file which exists on non-root cgroups. |
| |
| Shows pressure stall information for CPU. See |
| :ref:`Documentation/accounting/psi.rst <psi>` for details. |
| |
| cpu.uclamp.min |
| A read-write single value file which exists on non-root cgroups. |
| The default is "0", i.e. no utilization boosting. |
| |
| The requested minimum utilization (protection) as a percentage |
| rational number, e.g. 12.34 for 12.34%. |
| |
| This interface allows reading and setting minimum utilization clamp |
| values similar to the sched_setattr(2). This minimum utilization |
| value is used to clamp the task specific minimum utilization clamp. |
| |
| The requested minimum utilization (protection) is always capped by |
| the current value for the maximum utilization (limit), i.e. |
| `cpu.uclamp.max`. |
| |
| cpu.uclamp.max |
| A read-write single value file which exists on non-root cgroups. |
| The default is "max". i.e. no utilization capping |
| |
| The requested maximum utilization (limit) as a percentage rational |
| number, e.g. 98.76 for 98.76%. |
| |
| This interface allows reading and setting maximum utilization clamp |
| values similar to the sched_setattr(2). This maximum utilization |
| value is used to clamp the task specific maximum utilization clamp. |
| |
| |
| |
| Memory |
| ------ |
| |
| The "memory" controller regulates distribution of memory. Memory is |
| stateful and implements both limit and protection models. Due to the |
| intertwining between memory usage and reclaim pressure and the |
| stateful nature of memory, the distribution model is relatively |
| complex. |
| |
| While not completely water-tight, all major memory usages by a given |
| cgroup are tracked so that the total memory consumption can be |
| accounted and controlled to a reasonable extent. Currently, the |
| following types of memory usages are tracked. |
| |
| - Userland memory - page cache and anonymous memory. |
| |
| - Kernel data structures such as dentries and inodes. |
| |
| - TCP socket buffers. |
| |
| The above list may expand in the future for better coverage. |
| |
| |
| Memory Interface Files |
| ~~~~~~~~~~~~~~~~~~~~~~ |
| |
| All memory amounts are in bytes. If a value which is not aligned to |
| PAGE_SIZE is written, the value may be rounded up to the closest |
| PAGE_SIZE multiple when read back. |
| |
| memory.current |
| A read-only single value file which exists on non-root |
| cgroups. |
| |
| The total amount of memory currently being used by the cgroup |
| and its descendants. |
| |
| memory.min |
| A read-write single value file which exists on non-root |
| cgroups. The default is "0". |
| |
| Hard memory protection. If the memory usage of a cgroup |
| is within its effective min boundary, the cgroup's memory |
| won't be reclaimed under any conditions. If there is no |
| unprotected reclaimable memory available, OOM killer |
| is invoked. Above the effective min boundary (or |
| effective low boundary if it is higher), pages are reclaimed |
| proportionally to the overage, reducing reclaim pressure for |
| smaller overages. |
| |
| Effective min boundary is limited by memory.min values of |
| all ancestor cgroups. If there is memory.min overcommitment |
| (child cgroup or cgroups are requiring more protected memory |
| than parent will allow), then each child cgroup will get |
| the part of parent's protection proportional to its |
| actual memory usage below memory.min. |
| |
| Putting more memory than generally available under this |
| protection is discouraged and may lead to constant OOMs. |
| |
| If a memory cgroup is not populated with processes, |
| its memory.min is ignored. |
| |
| memory.low |
| A read-write single value file which exists on non-root |
| cgroups. The default is "0". |
| |
| Best-effort memory protection. If the memory usage of a |
| cgroup is within its effective low boundary, the cgroup's |
| memory won't be reclaimed unless there is no reclaimable |
| memory available in unprotected cgroups. |
| Above the effective low boundary (or |
| effective min boundary if it is higher), pages are reclaimed |
| proportionally to the overage, reducing reclaim pressure for |
| smaller overages. |
| |
| Effective low boundary is limited by memory.low values of |
| all ancestor cgroups. If there is memory.low overcommitment |
| (child cgroup or cgroups are requiring more protected memory |
| than parent will allow), then each child cgroup will get |
| the part of parent's protection proportional to its |
| actual memory usage below memory.low. |
| |
| Putting more memory than generally available under this |
| protection is discouraged. |
| |
| memory.high |
| A read-write single value file which exists on non-root |
| cgroups. The default is "max". |
| |
| Memory usage throttle limit. This is the main mechanism to |
| control memory usage of a cgroup. If a cgroup's usage goes |
| over the high boundary, the processes of the cgroup are |
| throttled and put under heavy reclaim pressure. |
| |
| Going over the high limit never invokes the OOM killer and |
| under extreme conditions the limit may be breached. |
| |
| memory.max |
| A read-write single value file which exists on non-root |
| cgroups. The default is "max". |
| |
| Memory usage hard limit. This is the final protection |
| mechanism. If a cgroup's memory usage reaches this limit and |
| can't be reduced, the OOM killer is invoked in the cgroup. |
| Under certain circumstances, the usage may go over the limit |
| temporarily. |
| |
| In default configuration regular 0-order allocations always |
| succeed unless OOM killer chooses current task as a victim. |
| |
| Some kinds of allocations don't invoke the OOM killer. |
| Caller could retry them differently, return into userspace |
| as -ENOMEM or silently ignore in cases like disk readahead. |
| |
| This is the ultimate protection mechanism. As long as the |
| high limit is used and monitored properly, this limit's |
| utility is limited to providing the final safety net. |
| |
| memory.oom.group |
| A read-write single value file which exists on non-root |
| cgroups. The default value is "0". |
| |
| Determines whether the cgroup should be treated as |
| an indivisible workload by the OOM killer. If set, |
| all tasks belonging to the cgroup or to its descendants |
| (if the memory cgroup is not a leaf cgroup) are killed |
| together or not at all. This can be used to avoid |
| partial kills to guarantee workload integrity. |
| |
| Tasks with the OOM protection (oom_score_adj set to -1000) |
| are treated as an exception and are never killed. |
| |
| If the OOM killer is invoked in a cgroup, it's not going |
| to kill any tasks outside of this cgroup, regardless |
| memory.oom.group values of ancestor cgroups. |
| |
| memory.events |
| A read-only flat-keyed file which exists on non-root cgroups. |
| The following entries are defined. Unless specified |
| otherwise, a value change in this file generates a file |
| modified event. |
| |
| Note that all fields in this file are hierarchical and the |
| file modified event can be generated due to an event down the |
| hierarchy. For for the local events at the cgroup level see |
| memory.events.local. |
| |
| low |
| The number of times the cgroup is reclaimed due to |
| high memory pressure even though its usage is under |
| the low boundary. This usually indicates that the low |
| boundary is over-committed. |
| |
| high |
| The number of times processes of the cgroup are |
| throttled and routed to perform direct memory reclaim |
| because the high memory boundary was exceeded. For a |
| cgroup whose memory usage is capped by the high limit |
| rather than global memory pressure, this event's |
| occurrences are expected. |
| |
| max |
| The number of times the cgroup's memory usage was |
| about to go over the max boundary. If direct reclaim |
| fails to bring it down, the cgroup goes to OOM state. |
| |
| oom |
| The number of time the cgroup's memory usage was |
| reached the limit and allocation was about to fail. |
| |
| This event is not raised if the OOM killer is not |
| considered as an option, e.g. for failed high-order |
| allocations or if caller asked to not retry attempts. |
| |
| oom_kill |
| The number of processes belonging to this cgroup |
| killed by any kind of OOM killer. |
| |
| memory.events.local |
| Similar to memory.events but the fields in the file are local |
| to the cgroup i.e. not hierarchical. The file modified event |
| generated on this file reflects only the local events. |
| |
| memory.stat |
| A read-only flat-keyed file which exists on non-root cgroups. |
| |
| This breaks down the cgroup's memory footprint into different |
| types of memory, type-specific details, and other information |
| on the state and past events of the memory management system. |
| |
| All memory amounts are in bytes. |
| |
| The entries are ordered to be human readable, and new entries |
| can show up in the middle. Don't rely on items remaining in a |
| fixed position; use the keys to look up specific values! |
| |
| If the entry has no per-node counter(or not show in the |
| mempry.numa_stat). We use 'npn'(non-per-node) as the tag |
| to indicate that it will not show in the mempry.numa_stat. |
| |
| anon |
| Amount of memory used in anonymous mappings such as |
| brk(), sbrk(), and mmap(MAP_ANONYMOUS) |
| |
| file |
| Amount of memory used to cache filesystem data, |
| including tmpfs and shared memory. |
| |
| kernel_stack |
| Amount of memory allocated to kernel stacks. |
| |
| pagetables |
| Amount of memory allocated for page tables. |
| |
| percpu(npn) |
| Amount of memory used for storing per-cpu kernel |
| data structures. |
| |
| sock(npn) |
| Amount of memory used in network transmission buffers |
| |
| shmem |
| Amount of cached filesystem data that is swap-backed, |
| such as tmpfs, shm segments, shared anonymous mmap()s |
| |
| file_mapped |
| Amount of cached filesystem data mapped with mmap() |
| |
| file_dirty |
| Amount of cached filesystem data that was modified but |
| not yet written back to disk |
| |
| file_writeback |
| Amount of cached filesystem data that was modified and |
| is currently being written back to disk |
| |
| anon_thp |
| Amount of memory used in anonymous mappings backed by |
| transparent hugepages |
| |
| file_thp |
| Amount of cached filesystem data backed by transparent |
| hugepages |
| |
| shmem_thp |
| Amount of shm, tmpfs, shared anonymous mmap()s backed by |
| transparent hugepages |
| |
| inactive_anon, active_anon, inactive_file, active_file, unevictable |
| Amount of memory, swap-backed and filesystem-backed, |
| on the internal memory management lists used by the |
| page reclaim algorithm. |
| |
| As these represent internal list state (eg. shmem pages are on anon |
| memory management lists), inactive_foo + active_foo may not be equal to |
| the value for the foo counter, since the foo counter is type-based, not |
| list-based. |
| |
| slab_reclaimable |
| Part of "slab" that might be reclaimed, such as |
| dentries and inodes. |
| |
| slab_unreclaimable |
| Part of "slab" that cannot be reclaimed on memory |
| pressure. |
| |
| slab(npn) |
| Amount of memory used for storing in-kernel data |
| structures. |
| |
| workingset_refault_anon |
| Number of refaults of previously evicted anonymous pages. |
| |
| workingset_refault_file |
| Number of refaults of previously evicted file pages. |
| |
| workingset_activate_anon |
| Number of refaulted anonymous pages that were immediately |
| activated. |
| |
| workingset_activate_file |
| Number of refaulted file pages that were immediately activated. |
| |
| workingset_restore_anon |
| Number of restored anonymous pages which have been detected as |
| an active workingset before they got reclaimed. |
| |
| workingset_restore_file |
| Number of restored file pages which have been detected as an |
| active workingset before they got reclaimed. |
| |
| workingset_nodereclaim |
| Number of times a shadow node has been reclaimed |
| |
| pgfault(npn) |
| Total number of page faults incurred |
| |
| pgmajfault(npn) |
| Number of major page faults incurred |
| |
| pgrefill(npn) |
| Amount of scanned pages (in an active LRU list) |
| |
| pgscan(npn) |
| Amount of scanned pages (in an inactive LRU list) |
| |
| pgsteal(npn) |
| Amount of reclaimed pages |
| |
| pgactivate(npn) |
| Amount of pages moved to the active LRU list |
| |
| pgdeactivate(npn) |
| Amount of pages moved to the inactive LRU list |
| |
| pglazyfree(npn) |
| Amount of pages postponed to be freed under memory pressure |
| |
| pglazyfreed(npn) |
| Amount of reclaimed lazyfree pages |
| |
| thp_fault_alloc(npn) |
| Number of transparent hugepages which were allocated to satisfy |
| a page fault. This counter is not present when CONFIG_TRANSPARENT_HUGEPAGE |
| is not set. |
| |
| thp_collapse_alloc(npn) |
| Number of transparent hugepages which were allocated to allow |
| collapsing an existing range of pages. This counter is not |
| present when CONFIG_TRANSPARENT_HUGEPAGE is not set. |
| |
| memory.numa_stat |
| A read-only nested-keyed file which exists on non-root cgroups. |
| |
| This breaks down the cgroup's memory footprint into different |
| types of memory, type-specific details, and other information |
| per node on the state of the memory management system. |
| |
| This is useful for providing visibility into the NUMA locality |
| information within an memcg since the pages are allowed to be |
| allocated from any physical node. One of the use case is evaluating |
| application performance by combining this information with the |
| application's CPU allocation. |
| |
| All memory amounts are in bytes. |
| |
| The output format of memory.numa_stat is:: |
| |
| type N0=<bytes in node 0> N1=<bytes in node 1> ... |
| |
| The entries are ordered to be human readable, and new entries |
| can show up in the middle. Don't rely on items remaining in a |
| fixed position; use the keys to look up specific values! |
| |
| The entries can refer to the memory.stat. |
| |
| memory.swap.current |
| A read-only single value file which exists on non-root |
| cgroups. |
| |
| The total amount of swap currently being used by the cgroup |
| and its descendants. |
| |
| memory.swap.high |
| A read-write single value file which exists on non-root |
| cgroups. The default is "max". |
| |
| Swap usage throttle limit. If a cgroup's swap usage exceeds |
| this limit, all its further allocations will be throttled to |
| allow userspace to implement custom out-of-memory procedures. |
| |
| This limit marks a point of no return for the cgroup. It is NOT |
| designed to manage the amount of swapping a workload does |
| during regular operation. Compare to memory.swap.max, which |
| prohibits swapping past a set amount, but lets the cgroup |
| continue unimpeded as long as other memory can be reclaimed. |
| |
| Healthy workloads are not expected to reach this limit. |
| |
| memory.swap.max |
| A read-write single value file which exists on non-root |
| cgroups. The default is "max". |
| |
| Swap usage hard limit. If a cgroup's swap usage reaches this |
| limit, anonymous memory of the cgroup will not be swapped out. |
| |
| memory.swap.events |
| A read-only flat-keyed file which exists on non-root cgroups. |
| The following entries are defined. Unless specified |
| otherwise, a value change in this file generates a file |
| modified event. |
| |
| high |
| The number of times the cgroup's swap usage was over |
| the high threshold. |
| |
| max |
| The number of times the cgroup's swap usage was about |
| to go over the max boundary and swap allocation |
| failed. |
| |
| fail |
| The number of times swap allocation failed either |
| because of running out of swap system-wide or max |
| limit. |
| |
| When reduced under the current usage, the existing swap |
| entries are reclaimed gradually and the swap usage may stay |
| higher than the limit for an extended period of time. This |
| reduces the impact on the workload and memory management. |
| |
| memory.pressure |
| A read-only nested-key file which exists on non-root cgroups. |
| |
| Shows pressure stall information for memory. See |
| :ref:`Documentation/accounting/psi.rst <psi>` for details. |
| |
| |
| Usage Guidelines |
| ~~~~~~~~~~~~~~~~ |
| |
| "memory.high" is the main mechanism to control memory usage. |
| Over-committing on high limit (sum of high limits > available memory) |
| and letting global memory pressure to distribute memory according to |
| usage is a viable strategy. |
| |
| Because breach of the high limit doesn't trigger the OOM killer but |
| throttles the offending cgroup, a management agent has ample |
| opportunities to monitor and take appropriate actions such as granting |
| more memory or terminating the workload. |
| |
| Determining whether a cgroup has enough memory is not trivial as |
| memory usage doesn't indicate whether the workload can benefit from |
| more memory. For example, a workload which writes data received from |
| network to a file can use all available memory but can also operate as |
| performant with a small amount of memory. A measure of memory |
| pressure - how much the workload is being impacted due to lack of |
| memory - is necessary to determine whether a workload needs more |
| memory; unfortunately, memory pressure monitoring mechanism isn't |
| implemented yet. |
| |
| |
| Memory Ownership |
| ~~~~~~~~~~~~~~~~ |
| |
| A memory area is charged to the cgroup which instantiated it and stays |
| charged to the cgroup until the area is released. Migrating a process |
| to a different cgroup doesn't move the memory usages that it |
| instantiated while in the previous cgroup to the new cgroup. |
| |
| A memory area may be used by processes belonging to different cgroups. |
| To which cgroup the area will be charged is in-deterministic; however, |
| over time, the memory area is likely to end up in a cgroup which has |
| enough memory allowance to avoid high reclaim pressure. |
| |
| If a cgroup sweeps a considerable amount of memory which is expected |
| to be accessed repeatedly by other cgroups, it may make sense to use |
| POSIX_FADV_DONTNEED to relinquish the ownership of memory areas |
| belonging to the affected files to ensure correct memory ownership. |
| |
| |
| IO |
| -- |
| |
| The "io" controller regulates the distribution of IO resources. This |
| controller implements both weight based and absolute bandwidth or IOPS |
| limit distribution; however, weight based distribution is available |
| only if cfq-iosched is in use and neither scheme is available for |
| blk-mq devices. |
| |
| |
| IO Interface Files |
| ~~~~~~~~~~~~~~~~~~ |
| |
| io.stat |
| A read-only nested-keyed file. |
| |
| Lines are keyed by $MAJ:$MIN device numbers and not ordered. |
| The following nested keys are defined. |
| |
| ====== ===================== |
| rbytes Bytes read |
| wbytes Bytes written |
| rios Number of read IOs |
| wios Number of write IOs |
| dbytes Bytes discarded |
| dios Number of discard IOs |
| ====== ===================== |
| |
| An example read output follows:: |
| |
| 8:16 rbytes=1459200 wbytes=314773504 rios=192 wios=353 dbytes=0 dios=0 |
| 8:0 rbytes=90430464 wbytes=299008000 rios=8950 wios=1252 dbytes=50331648 dios=3021 |
| |
| io.cost.qos |
| A read-write nested-keyed file with exists only on the root |
| cgroup. |
| |
| This file configures the Quality of Service of the IO cost |
| model based controller (CONFIG_BLK_CGROUP_IOCOST) which |
| currently implements "io.weight" proportional control. Lines |
| are keyed by $MAJ:$MIN device numbers and not ordered. The |
| line for a given device is populated on the first write for |
| the device on "io.cost.qos" or "io.cost.model". The following |
| nested keys are defined. |
| |
| ====== ===================================== |
| enable Weight-based control enable |
| ctrl "auto" or "user" |
| rpct Read latency percentile [0, 100] |
| rlat Read latency threshold |
| wpct Write latency percentile [0, 100] |
| wlat Write latency threshold |
| min Minimum scaling percentage [1, 10000] |
| max Maximum scaling percentage [1, 10000] |
| ====== ===================================== |
| |
| The controller is disabled by default and can be enabled by |
| setting "enable" to 1. "rpct" and "wpct" parameters default |
| to zero and the controller uses internal device saturation |
| state to adjust the overall IO rate between "min" and "max". |
| |
| When a better control quality is needed, latency QoS |
| parameters can be configured. For example:: |
| |
| 8:16 enable=1 ctrl=auto rpct=95.00 rlat=75000 wpct=95.00 wlat=150000 min=50.00 max=150.0 |
| |
| shows that on sdb, the controller is enabled, will consider |
| the device saturated if the 95th percentile of read completion |
| latencies is above 75ms or write 150ms, and adjust the overall |
| IO issue rate between 50% and 150% accordingly. |
| |
| The lower the saturation point, the better the latency QoS at |
| the cost of aggregate bandwidth. The narrower the allowed |
| adjustment range between "min" and "max", the more conformant |
| to the cost model the IO behavior. Note that the IO issue |
| base rate may be far off from 100% and setting "min" and "max" |
| blindly can lead to a significant loss of device capacity or |
| control quality. "min" and "max" are useful for regulating |
| devices which show wide temporary behavior changes - e.g. a |
| ssd which accepts writes at the line speed for a while and |
| then completely stalls for multiple seconds. |
| |
| When "ctrl" is "auto", the parameters are controlled by the |
| kernel and may change automatically. Setting "ctrl" to "user" |
| or setting any of the percentile and latency parameters puts |
| it into "user" mode and disables the automatic changes. The |
| automatic mode can be restored by setting "ctrl" to "auto". |
| |
| io.cost.model |
| A read-write nested-keyed file with exists only on the root |
| cgroup. |
| |
| This file configures the cost model of the IO cost model based |
| controller (CONFIG_BLK_CGROUP_IOCOST) which currently |
| implements "io.weight" proportional control. Lines are keyed |
| by $MAJ:$MIN device numbers and not ordered. The line for a |
| given device is populated on the first write for the device on |
| "io.cost.qos" or "io.cost.model". The following nested keys |
| are defined. |
| |
| ===== ================================ |
| ctrl "auto" or "user" |
| model The cost model in use - "linear" |
| ===== ================================ |
| |
| When "ctrl" is "auto", the kernel may change all parameters |
| dynamically. When "ctrl" is set to "user" or any other |
| parameters are written to, "ctrl" become "user" and the |
| automatic changes are disabled. |
| |
| When "model" is "linear", the following model parameters are |
| defined. |
| |
| ============= ======================================== |
| [r|w]bps The maximum sequential IO throughput |
| [r|w]seqiops The maximum 4k sequential IOs per second |
| [r|w]randiops The maximum 4k random IOs per second |
| ============= ======================================== |
| |
| From the above, the builtin linear model determines the base |
| costs of a sequential and random IO and the cost coefficient |
| for the IO size. While simple, this model can cover most |
| common device classes acceptably. |
| |
| The IO cost model isn't expected to be accurate in absolute |
| sense and is scaled to the device behavior dynamically. |
| |
| If needed, tools/cgroup/iocost_coef_gen.py can be used to |
| generate device-specific coefficients. |
| |
| io.weight |
| A read-write flat-keyed file which exists on non-root cgroups. |
| The default is "default 100". |
| |
| The first line is the default weight applied to devices |
| without specific override. The rest are overrides keyed by |
| $MAJ:$MIN device numbers and not ordered. The weights are in |
| the range [1, 10000] and specifies the relative amount IO time |
| the cgroup can use in relation to its siblings. |
| |
| The default weight can be updated by writing either "default |
| $WEIGHT" or simply "$WEIGHT". Overrides can be set by writing |
| "$MAJ:$MIN $WEIGHT" and unset by writing "$MAJ:$MIN default". |
| |
| An example read output follows:: |
| |
| default 100 |
| 8:16 200 |
| 8:0 50 |
| |
| io.max |
| A read-write nested-keyed file which exists on non-root |
| cgroups. |
| |
| BPS and IOPS based IO limit. Lines are keyed by $MAJ:$MIN |
| device numbers and not ordered. The following nested keys are |
| defined. |
| |
| ===== ================================== |
| rbps Max read bytes per second |
| wbps Max write bytes per second |
| riops Max read IO operations per second |
| wiops Max write IO operations per second |
| ===== ================================== |
| |
| When writing, any number of nested key-value pairs can be |
| specified in any order. "max" can be specified as the value |
| to remove a specific limit. If the same key is specified |
| multiple times, the outcome is undefined. |
| |
| BPS and IOPS are measured in each IO direction and IOs are |
| delayed if limit is reached. Temporary bursts are allowed. |
| |
| Setting read limit at 2M BPS and write at 120 IOPS for 8:16:: |
| |
| echo "8:16 rbps=2097152 wiops=120" > io.max |
| |
| Reading returns the following:: |
| |
| 8:16 rbps=2097152 wbps=max riops=max wiops=120 |
| |
| Write IOPS limit can be removed by writing the following:: |
| |
| echo "8:16 wiops=max" > io.max |
| |
| Reading now returns the following:: |
| |
| 8:16 rbps=2097152 wbps=max riops=max wiops=max |
| |
| io.pressure |
| A read-only nested-key file which exists on non-root cgroups. |
| |
| Shows pressure stall information for IO. See |
| :ref:`Documentation/accounting/psi.rst <psi>` for details. |
| |
| |
| Writeback |
| ~~~~~~~~~ |
| |
| Page cache is dirtied through buffered writes and shared mmaps and |
| written asynchronously to the backing filesystem by the writeback |
| mechanism. Writeback sits between the memory and IO domains and |
| regulates the proportion of dirty memory by balancing dirtying and |
| write IOs. |
| |
| The io controller, in conjunction with the memory controller, |
| implements control of page cache writeback IOs. The memory controller |
| defines the memory domain that dirty memory ratio is calculated and |
| maintained for and the io controller defines the io domain which |
| writes out dirty pages for the memory domain. Both system-wide and |
| per-cgroup dirty memory states are examined and the more restrictive |
| of the two is enforced. |
| |
| cgroup writeback requires explicit support from the underlying |
| filesystem. Currently, cgroup writeback is implemented on ext2, ext4, |
| btrfs, f2fs, and xfs. On other filesystems, all writeback IOs are |
| attributed to the root cgroup. |
| |
| There are inherent differences in memory and writeback management |
| which affects how cgroup ownership is tracked. Memory is tracked per |
| page while writeback per inode. For the purpose of writeback, an |
| inode is assigned to a cgroup and all IO requests to write dirty pages |
| from the inode are attributed to that cgroup. |
| |
| As cgroup ownership for memory is tracked per page, there can be pages |
| which are associated with different cgroups than the one the inode is |
| associated with. These are called foreign pages. The writeback |
| constantly keeps track of foreign pages and, if a particular foreign |
| cgroup becomes the majority over a certain period of time, switches |
| the ownership of the inode to that cgroup. |
| |
| While this model is enough for most use cases where a given inode is |
| mostly dirtied by a single cgroup even when the main writing cgroup |
| changes over time, use cases where multiple cgroups write to a single |
| inode simultaneously are not supported well. In such circumstances, a |
| significant portion of IOs are likely to be attributed incorrectly. |
| As memory controller assigns page ownership on the first use and |
| doesn't update it until the page is released, even if writeback |
| strictly follows page ownership, multiple cgroups dirtying overlapping |
| areas wouldn't work as expected. It's recommended to avoid such usage |
| patterns. |
| |
| The sysctl knobs which affect writeback behavior are applied to cgroup |
| writeback as follows. |
| |
| vm.dirty_background_ratio, vm.dirty_ratio |
| These ratios apply the same to cgroup writeback with the |
| amount of available memory capped by limits imposed by the |
| memory controller and system-wide clean memory. |
| |
| vm.dirty_background_bytes, vm.dirty_bytes |
| For cgroup writeback, this is calculated into ratio against |
| total available memory and applied the same way as |
| vm.dirty[_background]_ratio. |
| |
| |
| IO Latency |
| ~~~~~~~~~~ |
| |
| This is a cgroup v2 controller for IO workload protection. You provide a group |
| with a latency target, and if the average latency exceeds that target the |
| controller will throttle any peers that have a lower latency target than the |
| protected workload. |
| |
| The limits are only applied at the peer level in the hierarchy. This means that |
| in the diagram below, only groups A, B, and C will influence each other, and |
| groups D and F will influence each other. Group G will influence nobody:: |
| |
| [root] |
| / | \ |
| A B C |
| / \ | |
| D F G |
| |
| |
| So the ideal way to configure this is to set io.latency in groups A, B, and C. |
| Generally you do not want to set a value lower than the latency your device |
| supports. Experiment to find the value that works best for your workload. |
| Start at higher than the expected latency for your device and watch the |
| avg_lat value in io.stat for your workload group to get an idea of the |
| latency you see during normal operation. Use the avg_lat value as a basis for |
| your real setting, setting at 10-15% higher than the value in io.stat. |
| |
| How IO Latency Throttling Works |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| |
| io.latency is work conserving; so as long as everybody is meeting their latency |
| target the controller doesn't do anything. Once a group starts missing its |
| target it begins throttling any peer group that has a higher target than itself. |
| This throttling takes 2 forms: |
| |
| - Queue depth throttling. This is the number of outstanding IO's a group is |
| allowed to have. We will clamp down relatively quickly, starting at no limit |
| and going all the way down to 1 IO at a time. |
| |
| - Artificial delay induction. There are certain types of IO that cannot be |
| throttled without possibly adversely affecting higher priority groups. This |
| includes swapping and metadata IO. These types of IO are allowed to occur |
| normally, however they are "charged" to the originating group. If the |
| originating group is being throttled you will see the use_delay and delay |
| fields in io.stat increase. The delay value is how many microseconds that are |
| being added to any process that runs in this group. Because this number can |
| grow quite large if there is a lot of swapping or metadata IO occurring we |
| limit the individual delay events to 1 second at a time. |
| |
| Once the victimized group starts meeting its latency target again it will start |
| unthrottling any peer groups that were throttled previously. If the victimized |
| group simply stops doing IO the global counter will unthrottle appropriately. |
| |
| IO Latency Interface Files |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| |
| io.latency |
| This takes a similar format as the other controllers. |
| |
| "MAJOR:MINOR target=<target time in microseconds" |
| |
| io.stat |
| If the controller is enabled you will see extra stats in io.stat in |
| addition to the normal ones. |
| |
| depth |
| This is the current queue depth for the group. |
| |
| avg_lat |
| This is an exponential moving average with a decay rate of 1/exp |
| bound by the sampling interval. The decay rate interval can be |
| calculated by multiplying the win value in io.stat by the |
| corresponding number of samples based on the win value. |
| |
| win |
| The sampling window size in milliseconds. This is the minimum |
| duration of time between evaluation events. Windows only elapse |
| with IO activity. Idle periods extend the most recent window. |
| |
| PID |
| --- |
| |
| The process number controller is used to allow a cgroup to stop any |
| new tasks from being fork()'d or clone()'d after a specified limit is |
| reached. |
| |
| The number of tasks in a cgroup can be exhausted in ways which other |
| controllers cannot prevent, thus warranting its own controller. For |
| example, a fork bomb is likely to exhaust the number of tasks before |
| hitting memory restrictions. |
| |
| Note that PIDs used in this controller refer to TIDs, process IDs as |
| used by the kernel. |
| |
| |
| PID Interface Files |
| ~~~~~~~~~~~~~~~~~~~ |
| |
| pids.max |
| A read-write single value file which exists on non-root |
| cgroups. The default is "max". |
| |
| Hard limit of number of processes. |
| |
| pids.current |
| A read-only single value file which exists on all cgroups. |
| |
| The number of processes currently in the cgroup and its |
| descendants. |
| |
| Organisational operations are not blocked by cgroup policies, so it is |
| possible to have pids.current > pids.max. This can be done by either |
| setting the limit to be smaller than pids.current, or attaching enough |
| processes to the cgroup such that pids.current is larger than |
| pids.max. However, it is not possible to violate a cgroup PID policy |
| through fork() or clone(). These will return -EAGAIN if the creation |
| of a new process would cause a cgroup policy to be violated. |
| |
| |
| Cpuset |
| ------ |
| |
| The "cpuset" controller provides a mechanism for constraining |
| the CPU and memory node placement of tasks to only the resources |
| specified in the cpuset interface files in a task's current cgroup. |
| This is especially valuable on large NUMA systems where placing jobs |
| on properly sized subsets of the systems with careful processor and |
| memory placement to reduce cross-node memory access and contention |
| can improve overall system performance. |
| |
| The "cpuset" controller is hierarchical. That means the controller |
| cannot use CPUs or memory nodes not allowed in its parent. |
| |
| |
| Cpuset Interface Files |
| ~~~~~~~~~~~~~~~~~~~~~~ |
| |
| cpuset.cpus |
| A read-write multiple values file which exists on non-root |
| cpuset-enabled cgroups. |
| |
| It lists the requested CPUs to be used by tasks within this |
| cgroup. The actual list of CPUs to be granted, however, is |
| subjected to constraints imposed by its parent and can differ |
| from the requested CPUs. |
| |
| The CPU numbers are comma-separated numbers or ranges. |
| For example:: |
| |
| # cat cpuset.cpus |
| 0-4,6,8-10 |
| |
| An empty value indicates that the cgroup is using the same |
| setting as the nearest cgroup ancestor with a non-empty |
| "cpuset.cpus" or all the available CPUs if none is found. |
| |
| The value of "cpuset.cpus" stays constant until the next update |
| and won't be affected by any CPU hotplug events. |
| |
| cpuset.cpus.effective |
| A read-only multiple values file which exists on all |
| cpuset-enabled cgroups. |
| |
| It lists the onlined CPUs that are actually granted to this |
| cgroup by its parent. These CPUs are allowed to be used by |
| tasks within the current cgroup. |
| |
| If "cpuset.cpus" is empty, the "cpuset.cpus.effective" file shows |
| all the CPUs from the parent cgroup that can be available to |
| be used by this cgroup. Otherwise, it should be a subset of |
| "cpuset.cpus" unless none of the CPUs listed in "cpuset.cpus" |
| can be granted. In this case, it will be treated just like an |
| empty "cpuset.cpus". |
| |
| Its value will be affected by CPU hotplug events. |
| |
| cpuset.mems |
| A read-write multiple values file which exists on non-root |
| cpuset-enabled cgroups. |
| |
| It lists the requested memory nodes to be used by tasks within |
| this cgroup. The actual list of memory nodes granted, however, |
| is subjected to constraints imposed by its parent and can differ |
| from the requested memory nodes. |
| |
| The memory node numbers are comma-separated numbers or ranges. |
| For example:: |
| |
| # cat cpuset.mems |
| 0-1,3 |
| |
| An empty value indicates that the cgroup is using the same |
| setting as the nearest cgroup ancestor with a non-empty |
| "cpuset.mems" or all the available memory nodes if none |
| is found. |
| |
| The value of "cpuset.mems" stays constant until the next update |
| and won't be affected by any memory nodes hotplug events. |
| |
| cpuset.mems.effective |
| A read-only multiple values file which exists on all |
| cpuset-enabled cgroups. |
| |
| It lists the onlined memory nodes that are actually granted to |
| this cgroup by its parent. These memory nodes are allowed to |
| be used by tasks within the current cgroup. |
| |
| If "cpuset.mems" is empty, it shows all the memory nodes from the |
| parent cgroup that will be available to be used by this cgroup. |
| Otherwise, it should be a subset of "cpuset.mems" unless none of |
| the memory nodes listed in "cpuset.mems" can be granted. In this |
| case, it will be treated just like an empty "cpuset.mems". |
| |
| Its value will be affected by memory nodes hotplug events. |
| |
| cpuset.cpus.partition |
| A read-write single value file which exists on non-root |
| cpuset-enabled cgroups. This flag is owned by the parent cgroup |
| and is not delegatable. |
| |
| It accepts only the following input values when written to. |
| |
| "root" - a partition root |
| "member" - a non-root member of a partition |
| |
| When set to be a partition root, the current cgroup is the |
| root of a new partition or scheduling domain that comprises |
| itself and all its descendants except those that are separate |
| partition roots themselves and their descendants. The root |
| cgroup is always a partition root. |
| |
| There are constraints on where a partition root can be set. |
| It can only be set in a cgroup if all the following conditions |
| are true. |
| |
| 1) The "cpuset.cpus" is not empty and the list of CPUs are |
| exclusive, i.e. they are not shared by any of its siblings. |
| 2) The parent cgroup is a partition root. |
| 3) The "cpuset.cpus" is also a proper subset of the parent's |
| "cpuset.cpus.effective". |
| 4) There is no child cgroups with cpuset enabled. This is for |
| eliminating corner cases that have to be handled if such a |
| condition is allowed. |
| |
| Setting it to partition root will take the CPUs away from the |
| effective CPUs of the parent cgroup. Once it is set, this |
| file cannot be reverted back to "member" if there are any child |
| cgroups with cpuset enabled. |
| |
| A parent partition cannot distribute all its CPUs to its |
| child partitions. There must be at least one cpu left in the |
| parent partition. |
| |
| Once becoming a partition root, changes to "cpuset.cpus" is |
| generally allowed as long as the first condition above is true, |
| the change will not take away all the CPUs from the parent |
| partition and the new "cpuset.cpus" value is a superset of its |
| children's "cpuset.cpus" values. |
| |
| Sometimes, external factors like changes to ancestors' |
| "cpuset.cpus" or cpu hotplug can cause the state of the partition |
| root to change. On read, the "cpuset.sched.partition" file |
| can show the following values. |
| |
| "member" Non-root member of a partition |
| "root" Partition root |
| "root invalid" Invalid partition root |
| |
| It is a partition root if the first 2 partition root conditions |
| above are true and at least one CPU from "cpuset.cpus" is |
| granted by the parent cgroup. |
| |
| A partition root can become invalid if none of CPUs requested |
| in "cpuset.cpus" can be granted by the parent cgroup or the |
| parent cgroup is no longer a partition root itself. In this |
| case, it is not a real partition even though the restriction |
| of the first partition root condition above will still apply. |
| The cpu affinity of all the tasks in the cgroup will then be |
| associated with CPUs in the nearest ancestor partition. |
| |
| An invalid partition root can be transitioned back to a |
| real partition root if at least one of the requested CPUs |
| can now be granted by its parent. In this case, the cpu |
| affinity of all the tasks in the formerly invalid partition |
| will be associated to the CPUs of the newly formed partition. |
| Changing the partition state of an invalid partition root to |
| "member" is always allowed even if child cpusets are present. |
| |
| |
| Device controller |
| ----------------- |
| |
| Device controller manages access to device files. It includes both |
| creation of new device files (using mknod), and access to the |
| existing device files. |
| |
| Cgroup v2 device controller has no interface files and is implemented |
| on top of cgroup BPF. To control access to device files, a user may |
| create bpf programs of the BPF_CGROUP_DEVICE type and attach them |
| to cgroups. On an attempt to access a device file, corresponding |
| BPF programs will be executed, and depending on the return value |
| the attempt will succeed or fail with -EPERM. |
| |
| A BPF_CGROUP_DEVICE program takes a pointer to the bpf_cgroup_dev_ctx |
| structure, which describes the device access attempt: access type |
| (mknod/read/write) and device (type, major and minor numbers). |
| If the program returns 0, the attempt fails with -EPERM, otherwise |
| it succeeds. |
| |
| An example of BPF_CGROUP_DEVICE program may be found in the kernel |
| source tree in the tools/testing/selftests/bpf/dev_cgroup.c file. |
| |
| |
| RDMA |
| ---- |
| |
| The "rdma" controller regulates the distribution and accounting of |
| RDMA resources. |
| |
| RDMA Interface Files |
| ~~~~~~~~~~~~~~~~~~~~ |
| |
| rdma.max |
| A readwrite nested-keyed file that exists for all the cgroups |
| except root that describes current configured resource limit |
| for a RDMA/IB device. |
| |
| Lines are keyed by device name and are not ordered. |
| Each line contains space separated resource name and its configured |
| limit that can be distributed. |
| |
| The following nested keys are defined. |
| |
| ========== ============================= |
| hca_handle Maximum number of HCA Handles |
| hca_object Maximum number of HCA Objects |
| ========== ============================= |
| |
| An example for mlx4 and ocrdma device follows:: |
| |
| mlx4_0 hca_handle=2 hca_object=2000 |
| ocrdma1 hca_handle=3 hca_object=max |
| |
| rdma.current |
| A read-only file that describes current resource usage. |
| It exists for all the cgroup except root. |
| |
| An example for mlx4 and ocrdma device follows:: |
| |
| mlx4_0 hca_handle=1 hca_object=20 |
| ocrdma1 hca_handle=1 hca_object=23 |
| |
| HugeTLB |
| ------- |
| |
| The HugeTLB controller allows to limit the HugeTLB usage per control group and |
| enforces the controller limit during page fault. |
| |
| HugeTLB Interface Files |
| ~~~~~~~~~~~~~~~~~~~~~~~ |
| |
| hugetlb.<hugepagesize>.current |
| Show current usage for "hugepagesize" hugetlb. It exists for all |
| the cgroup except root. |
| |
| hugetlb.<hugepagesize>.max |
| Set/show the hard limit of "hugepagesize" hugetlb usage. |
| The default value is "max". It exists for all the cgroup except root. |
| |
| hugetlb.<hugepagesize>.events |
| A read-only flat-keyed file which exists on non-root cgroups. |
| |
| max |
| The number of allocation failure due to HugeTLB limit |
| |
| hugetlb.<hugepagesize>.events.local |
| Similar to hugetlb.<hugepagesize>.events but the fields in the file |
| are local to the cgroup i.e. not hierarchical. The file modified event |
| generated on this file reflects only the local events. |
| |
| Misc |
| ---- |
| |
| perf_event |
| ~~~~~~~~~~ |
| |
| perf_event controller, if not mounted on a legacy hierarchy, is |
| automatically enabled on the v2 hierarchy so that perf events can |
| always be filtered by cgroup v2 path. The controller can still be |
| moved to a legacy hierarchy after v2 hierarchy is populated. |
| |
| |
| Non-normative information |
| ------------------------- |
| |
| This section contains information that isn't considered to be a part of |
| the stable kernel API and so is subject to change. |
| |
| |
| CPU controller root cgroup process behaviour |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| |
| When distributing CPU cycles in the root cgroup each thread in this |
| cgroup is treated as if it was hosted in a separate child cgroup of the |
| root cgroup. This child cgroup weight is dependent on its thread nice |
| level. |
| |
| For details of this mapping see sched_prio_to_weight array in |
| kernel/sched/core.c file (values from this array should be scaled |
| appropriately so the neutral - nice 0 - value is 100 instead of 1024). |
| |
| |
| IO controller root cgroup process behaviour |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| |
| Root cgroup processes are hosted in an implicit leaf child node. |
| When distributing IO resources this implicit child node is taken into |
| account as if it was a normal child cgroup of the root cgroup with a |
| weight value of 200. |
| |
| |
| Namespace |
| ========= |
| |
| Basics |
| ------ |
| |
| cgroup namespace provides a mechanism to virtualize the view of the |
| "/proc/$PID/cgroup" file and cgroup mounts. The CLONE_NEWCGROUP clone |
| flag can be used with clone(2) and unshare(2) to create a new cgroup |
| namespace. The process running inside the cgroup namespace will have |
| its "/proc/$PID/cgroup" output restricted to cgroupns root. The |
| cgroupns root is the cgroup of the process at the time of creation of |
| the cgroup namespace. |
| |
| Without cgroup namespace, the "/proc/$PID/cgroup" file shows the |
| complete path of the cgroup of a process. In a container setup where |
| a set of cgroups and namespaces are intended to isolate processes the |
| "/proc/$PID/cgroup" file may leak potential system level information |
| to the isolated processes. For Example:: |
| |
| # cat /proc/self/cgroup |
| 0::/batchjobs/container_id1 |
| |
| The path '/batchjobs/container_id1' can be considered as system-data |
| and undesirable to expose to the isolated processes. cgroup namespace |
| can be used to restrict visibility of this path. For example, before |
| creating a cgroup namespace, one would see:: |
| |
| # ls -l /proc/self/ns/cgroup |
| lrwxrwxrwx 1 root root 0 2014-07-15 10:37 /proc/self/ns/cgroup -> cgroup:[4026531835] |
| # cat /proc/self/cgroup |
| 0::/batchjobs/container_id1 |
| |
| After unsharing a new namespace, the view changes:: |
| |
| # ls -l /proc/self/ns/cgroup |
| lrwxrwxrwx 1 root root 0 2014-07-15 10:35 /proc/self/ns/cgroup -> cgroup:[4026532183] |
| # cat /proc/self/cgroup |
| 0::/ |
| |
| When some thread from a multi-threaded process unshares its cgroup |
| namespace, the new cgroupns gets applied to the entire process (all |
| the threads). This is natural for the v2 hierarchy; however, for the |
| legacy hierarchies, this may be unexpected. |
| |
| A cgroup namespace is alive as long as there are processes inside or |
| mounts pinning it. When the last usage goes away, the cgroup |
| namespace is destroyed. The cgroupns root and the actual cgroups |
| remain. |
| |
| |
| The Root and Views |
| ------------------ |
| |
| The 'cgroupns root' for a cgroup namespace is the cgroup in which the |
| process calling unshare(2) is running. For example, if a process in |
| /batchjobs/container_id1 cgroup calls unshare, cgroup |
| /batchjobs/container_id1 becomes the cgroupns root. For the |
| init_cgroup_ns, this is the real root ('/') cgroup. |
| |
| The cgroupns root cgroup does not change even if the namespace creator |
| process later moves to a different cgroup:: |
| |
| # ~/unshare -c # unshare cgroupns in some cgroup |
| # cat /proc/self/cgroup |
| 0::/ |
| # mkdir sub_cgrp_1 |
| # echo 0 > sub_cgrp_1/cgroup.procs |
| # cat /proc/self/cgroup |
| 0::/sub_cgrp_1 |
| |
| Each process gets its namespace-specific view of "/proc/$PID/cgroup" |
| |
| Processes running inside the cgroup namespace will be able to see |
| cgroup paths (in /proc/self/cgroup) only inside their root cgroup. |
| From within an unshared cgroupns:: |
| |
| # sleep 100000 & |
| [1] 7353 |
| # echo 7353 > sub_cgrp_1/cgroup.procs |
| # cat /proc/7353/cgroup |
| 0::/sub_cgrp_1 |
| |
| From the initial cgroup namespace, the real cgroup path will be |
| visible:: |
| |
| $ cat /proc/7353/cgroup |
| 0::/batchjobs/container_id1/sub_cgrp_1 |
| |
| From a sibling cgroup namespace (that is, a namespace rooted at a |
| different cgroup), the cgroup path relative to its own cgroup |
| namespace root will be shown. For instance, if PID 7353's cgroup |
| namespace root is at '/batchjobs/container_id2', then it will see:: |
| |
| # cat /proc/7353/cgroup |
| 0::/../container_id2/sub_cgrp_1 |
| |
| Note that the relative path always starts with '/' to indicate that |
| its relative to the cgroup namespace root of the caller. |
| |
| |
| Migration and setns(2) |
| ---------------------- |
| |
| Processes inside a cgroup namespace can move into and out of the |
| namespace root if they have proper access to external cgroups. For |
| example, from inside a namespace with cgroupns root at |
| /batchjobs/container_id1, and assuming that the global hierarchy is |
| still accessible inside cgroupns:: |
| |
| # cat /proc/7353/cgroup |
| 0::/sub_cgrp_1 |
| # echo 7353 > batchjobs/container_id2/cgroup.procs |
| # cat /proc/7353/cgroup |
| 0::/../container_id2 |
| |
| Note that this kind of setup is not encouraged. A task inside cgroup |
| namespace should only be exposed to its own cgroupns hierarchy. |
| |
| setns(2) to another cgroup namespace is allowed when: |
| |
| (a) the process has CAP_SYS_ADMIN against its current user namespace |
| (b) the process has CAP_SYS_ADMIN against the target cgroup |
| namespace's userns |
| |
| No implicit cgroup changes happen with attaching to another cgroup |
| namespace. It is expected that the someone moves the attaching |
| process under the target cgroup namespace root. |
| |
| |
| Interaction with Other Namespaces |
| --------------------------------- |
| |
| Namespace specific cgroup hierarchy can be mounted by a process |
| running inside a non-init cgroup namespace:: |
| |
| # mount -t cgroup2 none $MOUNT_POINT |
| |
| This will mount the unified cgroup hierarchy with cgroupns root as the |
| filesystem root. The process needs CAP_SYS_ADMIN against its user and |
| mount namespaces. |
| |
| The virtualization of /proc/self/cgroup file combined with restricting |
| the view of cgroup hierarchy by namespace-private cgroupfs mount |
| provides a properly isolated cgroup view inside the container. |
| |
| |
| Information on Kernel Programming |
| ================================= |
| |
| This section contains kernel programming information in the areas |
| where interacting with cgroup is necessary. cgroup core and |
| controllers are not covered. |
| |
| |
| Filesystem Support for Writeback |
| -------------------------------- |
| |
| A filesystem can support cgroup writeback by updating |
| address_space_operations->writepage[s]() to annotate bio's using the |
| following two functions. |
| |
| wbc_init_bio(@wbc, @bio) |
| Should be called for each bio carrying writeback data and |
| associates the bio with the inode's owner cgroup and the |
| corresponding request queue. This must be called after |
| a queue (device) has been associated with the bio and |
| before submission. |
| |
| wbc_account_cgroup_owner(@wbc, @page, @bytes) |
| Should be called for each data segment being written out. |
| While this function doesn't care exactly when it's called |
| during the writeback session, it's the easiest and most |
| natural to call it as data segments are added to a bio. |
| |
| With writeback bio's annotated, cgroup support can be enabled per |
| super_block by setting SB_I_CGROUPWB in ->s_iflags. This allows for |
| selective disabling of cgroup writeback support which is helpful when |
| certain filesystem features, e.g. journaled data mode, are |
| incompatible. |
| |
| wbc_init_bio() binds the specified bio to its cgroup. Depending on |
| the configuration, the bio may be executed at a lower priority and if |
| the writeback session is holding shared resources, e.g. a journal |
| entry, may lead to priority inversion. There is no one easy solution |
| for the problem. Filesystems can try to work around specific problem |
| cases by skipping wbc_init_bio() and using bio_associate_blkg() |
| directly. |
| |
| |
| Deprecated v1 Core Features |
| =========================== |
| |
| - Multiple hierarchies including named ones are not supported. |
| |
| - All v1 mount options are not supported. |
| |
| - The "tasks" file is removed and "cgroup.procs" is not sorted. |
| |
| - "cgroup.clone_children" is removed. |
| |
| - /proc/cgroups is meaningless for v2. Use "cgroup.controllers" file |
| at the root instead. |
| |
| |
| Issues with v1 and Rationales for v2 |
| ==================================== |
| |
| Multiple Hierarchies |
| -------------------- |
| |
| cgroup v1 allowed an arbitrary number of hierarchies and each |
| hierarchy could host any number of controllers. While this seemed to |
| provide a high level of flexibility, it wasn't useful in practice. |
| |
| For example, as there is only one instance of each controller, utility |
| type controllers such as freezer which can be useful in all |
| hierarchies could only be used in one. The issue is exacerbated by |
| the fact that controllers couldn't be moved to another hierarchy once |
| hierarchies were populated. Another issue was that all controllers |
| bound to a hierarchy were forced to have exactly the same view of the |
| hierarchy. It wasn't possible to vary the granularity depending on |
| the specific controller. |
| |
| In practice, these issues heavily limited which controllers could be |
| put on the same hierarchy and most configurations resorted to putting |
| each controller on its own hierarchy. Only closely related ones, such |
| as the cpu and cpuacct controllers, made sense to be put on the same |
| hierarchy. This often meant that userland ended up managing multiple |
| similar hierarchies repeating the same steps on each hierarchy |
| whenever a hierarchy management operation was necessary. |
| |
| Furthermore, support for multiple hierarchies came at a steep cost. |
| It greatly complicated cgroup core implementation but more importantly |
| the support for multiple hierarchies restricted how cgroup could be |
| used in general and what controllers was able to do. |
| |
| There was no limit on how many hierarchies there might be, which meant |
| that a thread's cgroup membership couldn't be described in finite |
| length. The key might contain any number of entries and was unlimited |
| in length, which made it highly awkward to manipulate and led to |
| addition of controllers which existed only to identify membership, |
| which in turn exacerbated the original problem of proliferating number |
| of hierarchies. |
| |
| Also, as a controller couldn't have any expectation regarding the |
| topologies of hierarchies other controllers might be on, each |
| controller had to assume that all other controllers were attached to |
| completely orthogonal hierarchies. This made it impossible, or at |
| least very cumbersome, for controllers to cooperate with each other. |
| |
| In most use cases, putting controllers on hierarchies which are |
| completely orthogonal to each other isn't necessary. What usually is |
| called for is the ability to have differing levels of granularity |
| depending on the specific controller. In other words, hierarchy may |
| be collapsed from leaf towards root when viewed from specific |
| controllers. For example, a given configuration might not care about |
| how memory is distributed beyond a certain level while still wanting |
| to control how CPU cycles are distributed. |
| |
| |
| Thread Granularity |
| ------------------ |
| |
| cgroup v1 allowed threads of a process to belong to different cgroups. |
| This didn't make sense for some controllers and those controllers |
| ended up implementing different ways to ignore such situations but |
| much more importantly it blurred the line between API exposed to |
| individual applications and system management interface. |
| |
| Generally, in-process knowledge is available only to the process |
| itself; thus, unlike service-level organization of processes, |
| categorizing threads of a process requires active participation from |
| the application which owns the target process. |
| |
| cgroup v1 had an ambiguously defined delegation model which got abused |
| in combination with thread granularity. cgroups were delegated to |
| individual applications so that they can create and manage their own |
| sub-hierarchies and control resource distributions along them. This |
| effectively raised cgroup to the status of a syscall-like API exposed |
| to lay programs. |
| |
| First of all, cgroup has a fundamentally inadequate interface to be |
| exposed this way. For a process to access its own knobs, it has to |
| extract the path on the target hierarchy from /proc/self/cgroup, |
| construct the path by appending the name of the knob to the path, open |
| and then read and/or write to it. This is not only extremely clunky |
| and unusual but also inherently racy. There is no conventional way to |
| define transaction across the required steps and nothing can guarantee |
| that the process would actually be operating on its own sub-hierarchy. |
| |
| cgroup controllers implemented a number of knobs which would never be |
| accepted as public APIs because they were just adding control knobs to |
| system-management pseudo filesystem. cgroup ended up with interface |
| knobs which were not properly abstracted or refined and directly |
| revealed kernel internal details. These knobs got exposed to |
| individual applications through the ill-defined delegation mechanism |
| effectively abusing cgroup as a shortcut to implementing public APIs |
| without going through the required scrutiny. |
| |
| This was painful for both userland and kernel. Userland ended up with |
| misbehaving and poorly abstracted interfaces and kernel exposing and |
| locked into constructs inadvertently. |
| |
| |
| Competition Between Inner Nodes and Threads |
| ------------------------------------------- |
| |
| cgroup v1 allowed threads to be in any cgroups which created an |
| interesting problem where threads belonging to a parent cgroup and its |
| children cgroups competed for resources. This was nasty as two |
| different types of entities competed and there was no obvious way to |
| settle it. Different controllers did different things. |
| |
| The cpu controller considered threads and cgroups as equivalents and |
| mapped nice levels to cgroup weights. This worked for some cases but |
| fell flat when children wanted to be allocated specific ratios of CPU |
| cycles and the number of internal threads fluctuated - the ratios |
| constantly changed as the number of competing entities fluctuated. |
| There also were other issues. The mapping from nice level to weight |
| wasn't obvious or universal, and there were various other knobs which |
| simply weren't available for threads. |
| |
| The io controller implicitly created a hidden leaf node for each |
| cgroup to host the threads. The hidden leaf had its own copies of all |
| the knobs with ``leaf_`` prefixed. While this allowed equivalent |
| control over internal threads, it was with serious drawbacks. It |
| always added an extra layer of nesting which wouldn't be necessary |
| otherwise, made the interface messy and significantly complicated the |
| implementation. |
| |
| The memory controller didn't have a way to control what happened |
| between internal tasks and child cgroups and the behavior was not |
| clearly defined. There were attempts to add ad-hoc behaviors and |
| knobs to tailor the behavior to specific workloads which would have |
| led to problems extremely difficult to resolve in the long term. |
| |
| Multiple controllers struggled with internal tasks and came up with |
| different ways to deal with it; unfortunately, all the approaches were |
| severely flawed and, furthermore, the widely different behaviors |
| made cgroup as a whole highly inconsistent. |
| |
| This clearly is a problem which needs to be addressed from cgroup core |
| in a uniform way. |
| |
| |
| Other Interface Issues |
| ---------------------- |
| |
| cgroup v1 grew without oversight and developed a large number of |
| idiosyncrasies and inconsistencies. One issue on the cgroup core side |
| was how an empty cgroup was notified - a userland helper binary was |
| forked and executed for each event. The event delivery wasn't |
| recursive or delegatable. The limitations of the mechanism also led |
| to in-kernel event delivery filtering mechanism further complicating |
| the interface. |
| |
| Controller interfaces were problematic too. An extreme example is |
| controllers completely ignoring hierarchical organization and treating |
| all cgroups as if they were all located directly under the root |
| cgroup. Some controllers exposed a large amount of inconsistent |
| implementation details to userland. |
| |
| There also was no consistency across controllers. When a new cgroup |
| was created, some controllers defaulted to not imposing extra |
| restrictions while others disallowed any resource usage until |
| explicitly configured. Configuration knobs for the same type of |
| control used widely differing naming schemes and formats. Statistics |
| and information knobs were named arbitrarily and used different |
| formats and units even in the same controller. |
| |
| cgroup v2 establishes common conventions where appropriate and updates |
| controllers so that they expose minimal and consistent interfaces. |
| |
| |
| Controller Issues and Remedies |
| ------------------------------ |
| |
| Memory |
| ~~~~~~ |
| |
| The original lower boundary, the soft limit, is defined as a limit |
| that is per default unset. As a result, the set of cgroups that |
| global reclaim prefers is opt-in, rather than opt-out. The costs for |
| optimizing these mostly negative lookups are so high that the |
| implementation, despite its enormous size, does not even provide the |
| basic desirable behavior. First off, the soft limit has no |
| hierarchical meaning. All configured groups are organized in a global |
| rbtree and treated like equal peers, regardless where they are located |
| in the hierarchy. This makes subtree delegation impossible. Second, |
| the soft limit reclaim pass is so aggressive that it not just |
| introduces high allocation latencies into the system, but also impacts |
| system performance due to overreclaim, to the point where the feature |
| becomes self-defeating. |
| |
| The memory.low boundary on the other hand is a top-down allocated |
| reserve. A cgroup enjoys reclaim protection when it's within its |
| effective low, which makes delegation of subtrees possible. It also |
| enjoys having reclaim pressure proportional to its overage when |
| above its effective low. |
| |
| The original high boundary, the hard limit, is defined as a strict |
| limit that can not budge, even if the OOM killer has to be called. |
| But this generally goes against the goal of making the most out of the |
| available memory. The memory consumption of workloads varies during |
| runtime, and that requires users to overcommit. But doing that with a |
| strict upper limit requires either a fairly accurate prediction of the |
| working set size or adding slack to the limit. Since working set size |
| estimation is hard and error prone, and getting it wrong results in |
| OOM kills, most users tend to err on the side of a looser limit and |
| end up wasting precious resources. |
| |
| The memory.high boundary on the other hand can be set much more |
| conservatively. When hit, it throttles allocations by forcing them |
| into direct reclaim to work off the excess, but it never invokes the |
| OOM killer. As a result, a high boundary that is chosen too |
| aggressively will not terminate the processes, but instead it will |
| lead to gradual performance degradation. The user can monitor this |
| and make corrections until the minimal memory footprint that still |
| gives acceptable performance is found. |
| |
| In extreme cases, with many concurrent allocations and a complete |
| breakdown of reclaim progress within the group, the high boundary can |
| be exceeded. But even then it's mostly better to satisfy the |
| allocation from the slack available in other groups or the rest of the |
| system than killing the group. Otherwise, memory.max is there to |
| limit this type of spillover and ultimately contain buggy or even |
| malicious applications. |
| |
| Setting the original memory.limit_in_bytes below the current usage was |
| subject to a race condition, where concurrent charges could cause the |
| limit setting to fail. memory.max on the other hand will first set the |
| limit to prevent new charges, and then reclaim and OOM kill until the |
| new limit is met - or the task writing to memory.max is killed. |
| |
| The combined memory+swap accounting and limiting is replaced by real |
| control over swap space. |
| |
| The main argument for a combined memory+swap facility in the original |
| cgroup design was that global or parental pressure would always be |
| able to swap all anonymous memory of a child group, regardless of the |
| child's own (possibly untrusted) configuration. However, untrusted |
| groups can sabotage swapping by other means - such as referencing its |
| anonymous memory in a tight loop - and an admin can not assume full |
| swappability when overcommitting untrusted jobs. |
| |
| For trusted jobs, on the other hand, a combined counter is not an |
| intuitive userspace interface, and it flies in the face of the idea |
| that cgroup controllers should account and limit specific physical |
| resources. Swap space is a resource like all others in the system, |
| and that's why unified hierarchy allows distributing it separately. |