Linux process resource limit -- the mechanism and usage of CGroup

User 3147702 2022-09-23 09:52:27 阅读数:604


1. 引言

此前的文章中,我们介绍了 docker Relying on the principle of resource isolation and limitation:

docker Relying on the principle of resource isolation and limitation

在文章中,我们提到了 Linux Used to manage and limit Linux Process group resources used CGroup 机制.本文我们就来详细介绍一下.

2. CGroup 的诞生

2006 年,Google Engineers started a project in the open source community to manage and limit the use of process resources,名为“process containers”,2007 年,Linux The kernel team renamed it cgroup 纳入到 Linux 内核 feature 项目中.在 2008 年 1 月发布的 Linux 2.6.24,This functionality was incorporated into the kernel.到 Linux 4.5 版本内核,CGroup v2 was merged into the kernel,This is a major update on how it is used.

CGroup 一般也被称为“cgroups”,是 control groups 的简称.

CGroup The function of the mechanism is right linux A set of processes to include CPU、内存、磁盘 IO、The use of resources, such as the network, is restricted、Manage and isolate.

3. CGroup 的主要功能

CGroup 的主要功能有:

  1. 限制资源的使用,For example, limit the usage of resources such as memory,Limit the cache of the file system, etc;
  2. 优先级控制,For example, let the process be killed with low priority CPU 调度等;
  3. Audit and Statistics,例如统计 CPU ratio used, etc;
  4. Suspend process and resume process execution.

4. cgroups 子系统

CGroup Restrictions on process group resources are implemented through subsystems,The advantage of this is that it can facilitate the addition of new functions.There are currently existing subsystems:

  1. cpu 子系统:主要限制进程的 cpu 使用率.
  2. cpuacct 子系统:可以统计 cgroups 中的进程的 cpu 使用报告.
  3. cpuset 子系统:可以为 cgroups 中的进程分配单独的 cpu 节点或者内存节点.
  4. memory 子系统:可以限制进程的 memory 使用量.
  5. blkio 子系统:可以限制进程的块设备 io.
  6. devices 子系统:可以控制进程能够访问某些设备.
  7. net_cls 子系统:可以标记 cgroups 中进程的网络数据包,然后可以使用 tc 模块(traffic control)对数据包进行控制.
  8. net_prio 子系统:这个子系统用来设计网络流量的优先级
  9. freezer 子系统:可以挂起或者恢复 cgroups 中的进程.
  10. ns 子系统:可以使不同 cgroups 下面的进程使用不同的 namespace
  11. hugetlb 子系统:这个子系统主要针对于HugeTLB系统进行限制,这是一个大页文件系统.

5. cgroups 的层级结构

CGroup It is organized in the form of a tree structure,每一棵 cgroup 结构体组成的树称之为一个 cgroups 层级结构(cgroups hierarchy).

如图所示,Group Hierarchy A 和 Group Hierarchy B 分别代表了 cgroups 的一个层级.在一个 cgroups 层级上,都可以 attach 一个或几个 cgroup 子系统,而被 attach 的 cgroups The subsystem can impose corresponding resource restrictions on a group of processes contained in the current hierarchy.

那么,cgroup How nodes are related to the processes they manage?This depends on the control task list for that node,Processes are added to a node's control task list,The control of the corresponding process by the node is realized.一个 cgroup A node's control list can contain multiple processes,And a process can be added to more than one cgroup in the control list of the node,这样便实现了 cgroup A many-to-many correspondence between nodes and managed processes.

6. 实战

6.1 查看 cgroup Subsystem mount point

通过命令 mount -t cgroup You can view all current ones linux cgroups Subsystems and mount points:

6.2 创建隔离组

For example, we want to deal with a certain group of processes cpu 资源进行限制,那么我们就执行:

 cd /sys/fs/cgroup/cpu
mkdir test_limit
cd test_limit

View the created directory,可以看到,A series of files have been generated in the directory.

6.3 限制 CPU 利用率

Next we can proceed to the process CPU Utilization is limited.

首先我们写一个 C 语言的程序,用来将 CPU 跑到 100%:

 int main() {
int i=0;
for (;;) i++;
return 0;

run this process,我们观察到 CPU Utilization has indeed been achieved 100%.


 # Limit this group of processes CPU total utilization to 20%
echo 20000 > /sys/fs/cgroup/cpu/test_limit/cpu.cfs_quota_us
# Add the ones that need to be restricted to the mission control list pid
echo 23732 >> /sys/fs/cgroup/cpu/test_limit/tasks

可以看到,After completing the execution of the above command,可以看到,cpu Utilization was soon successfully limited 20%.

The limit method for other resources is exactly the same.

copyright:author[User 3147702],Please bring the original link to reprint, thank you.