

Article Id: WHEBN0028942492

Title: Cgroups  
Author: World Heritage Encyclopedia
Language: English
Subject: LXC, CoreOS, Linux kernel, L4Linux, Systemd
Collection: Interfaces of the Linux Kernel, Linux Kernel Features, Operating System Security, Virtualization-Related Software for Linux
Publisher: World Heritage Encyclopedia


Original author(s): Paul Menage, Rohit Seth
Initial release: 2007
Written in: C
Operating system: Linux
Type: resource management for process groups
License: GPL and LGPL
Website: //cgroups/Documentation/ and //ControlGroupInterface/systemd/Software/

cgroups (a backronym for control groups) is a Linux kernel feature to limit, account, and isolate resource usage (CPU, memory, disk I/O, etc.) of process groups.

This work was started by engineers at Google (primarily Paul Menage and Rohit Seth) in 2006 under the name "process containers".[1] In late 2007, it was renamed to "Control Groups" due to the confusion caused by multiple meanings of the term "container" in the Linux kernel, and merged into kernel version 2.6.24.[2] Since then, many new features and controllers have been added, such as support for kernfs,[3] firewalling,[4] and the introduction of a unified hierarchy.[5]


  • 1 Features
  • 2 Usage
  • 3 Redesign
    • 3.1 Namespace isolation
    • 3.2 Unified hierarchy
    • 3.3 Kernel memory control groups (kmemcg)
  • 4 Adoption
  • 5 See also
  • 6 References
  • 7 External links


Features

One of the design goals of cgroups is to provide a unified interface to many different use cases, from controlling single processes (by using nice, for example) to whole operating system-level virtualization (as provided by OpenVZ, Linux-VServer or LXC, for example). Cgroups provides:

  • Resource limitation: groups can be set to not exceed a set memory limit — this also includes file system cache.[6] The original paper, "Containers: Challenges with the memory resource controller and its performance", was presented at the Linux Symposium.[7]
  • Prioritization: some groups may get a larger share of CPU[8] or disk I/O throughput.[9]
  • Accounting: measuring how many resources certain systems use, for example for billing purposes.[10]
  • Control: freezing groups or checkpointing and restarting.[10]


Usage

A control group is a collection of processes that are bound by the same criteria. These groups can be hierarchical, where each group inherits limits from its parent group. The kernel provides access to multiple controllers (subsystems) through the cgroup interface.[2] For instance, the "memory" controller limits memory use, "cpuacct" accounts CPU usage, etc.

Control groups can be used in multiple ways:

  • By accessing the cgroup virtual file system manually.
  • By creating and managing groups on the fly using tools like cgcreate, cgexec, and cgclassify (from libcgroup).
  • Through the "rules engine daemon" that can automatically move processes of certain users, groups, or commands to cgroups as specified in its configuration.
  • Indirectly through other software that uses cgroups, such as Docker, Linux Containers (LXC) virtualization,[11] libvirt, systemd, Open Grid Scheduler/Grid Engine,[12] and Google's lmctfy.

The Linux kernel documentation contains full technical details of the setup and use of control groups.[13]
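As an added illustration (not part of the original article), the Python sketch below reads the per-controller group membership that the kernel exposes in /proc/<pid>/cgroup and lists the controllers for which a process was never moved out of the root group. The sample contents, group paths and function names are constructed for this example.

```python
from pathlib import Path

# Constructed sample: separate hierarchies, one per controller set.
SAMPLE_SPLIT = """\
11:memory:/docker/abc123
7:cpu,cpuacct:/docker/abc123
4:blkio:/
1:name=systemd:/system.slice/docker.service
"""
# Constructed sample: unified hierarchy (hierarchy ID 0, empty controller list).
SAMPLE_UNIFIED = "0::/user.slice/user-1000.slice/session-2.scope\n"


def parse_proc_cgroup(text):
    """Return {controller: cgroup_path}; a unified entry is keyed 'unified'."""
    membership = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # Line format: hierarchy-ID:controller-list:cgroup-path
        # maxsplit=2 keeps any ':' inside the path intact.
        hier_id, controllers, path = line.split(":", 2)
        if hier_id == "0" and controllers == "":
            membership["unified"] = path
        else:
            for name in controllers.split(","):
                membership[name] = path
    return membership


def in_root_group(membership, wanted=("memory", "cpu", "blkio")):
    """List the wanted controllers for which the process is still in the root
    group ('/') or has no entry, i.e. was never placed in a child group.
    With only a unified entry, just that single path is checked, because this
    file does not say which controllers are enabled there."""
    if "unified" in membership and len(membership) == 1:
        return ["unified"] if membership["unified"] == "/" else []
    return [c for c in wanted if membership.get(c, "/") == "/"]


if __name__ == "__main__":
    proc_file = Path("/proc/self/cgroup")
    text = proc_file.read_text() if proc_file.exists() else SAMPLE_SPLIT
    groups = parse_proc_cgroup(text)
    for controller, path in sorted(groups.items()):
        print(f"{controller:15} {path}")
    print("still in root group:", in_root_group(groups))
```
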


Redesign

Redesign of cgroups started in 2013,[14] with additional changes brought by versions 3.15 and 3.16 of the Linux kernel.[15][16][17]

Namespace isolation

While not technically part of the cgroups work, a related feature of the Linux kernel is namespace isolation, where groups of processes are separated such that they cannot "see" resources in other groups. For example, a PID namespace provides a separate enumeration of process identifiers within each namespace. Also available are mount, UTS, network and SysV IPC namespaces.

  • The PID namespace provides isolation for the allocation of process identifiers (PIDs), lists of processes and their details. While the new namespace is isolated from other siblings, processes in its "parent" namespace still see all processes in child namespaces—albeit with different PID numbers.[18]
  • Network namespace isolates the network interface controllers (physical or virtual), iptables firewall rules, routing tables etc. Network namespaces can be connected with each other using the "veth" virtual Ethernet device.[19]
  • "UTS" namespace allows changing the hostname.
  • Mount namespace allows creating a different file system layout, or making certain mount points read-only.[20]
  • IPC namespace isolates the System V inter-process communication between namespaces.
  • User namespace isolates the user IDs between namespaces.[21]

Namespaces are created with the "unshare" command or syscall, or as new flags in a "clone" syscall.[22]
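To check which of the namespaces listed above two processes actually share, the following Python sketch (an added example, not from the original article) compares the namespace identifiers the kernel publishes as symbolic links under /proc/<pid>/ns/. The identifier values in HOST and CONTAINER are constructed sample data, and the function names are chosen for this example.

```python
import os
import re

NS_TYPES = ("pid", "net", "uts", "mnt", "ipc", "user")
LINK_RE = re.compile(r"^(\w+):\[(\d+)\]$")  # link target, e.g. "pid:[4026531836]"

# Constructed sample link targets for a host process and a containerised one.
HOST = {
    "pid": "pid:[4026531836]", "net": "net:[4026531992]",
    "uts": "uts:[4026531838]", "mnt": "mnt:[4026531840]",
    "ipc": "ipc:[4026531839]", "user": "user:[4026531837]",
}
CONTAINER = {
    "pid": "pid:[4026532201]", "net": "net:[4026532204]",
    "uts": "uts:[4026532199]", "mnt": "mnt:[4026532198]",
    "ipc": "ipc:[4026532200]", "user": "user:[4026531837]",
}


def read_ns_links(pid):
    """Read the namespace links of a live process; unreadable ones are skipped."""
    links = {}
    for ns in NS_TYPES:
        try:
            links[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            continue  # no permission, process exited, or type not supported
    return links


def ns_id(target):
    """Extract the numeric namespace identifier from a link target."""
    match = LINK_RE.match(target)
    if match is None:
        raise ValueError(f"unexpected namespace link: {target!r}")
    return int(match.group(2))


def compare_namespaces(a, b):
    """Return (shared, isolated) namespace types for two link dictionaries."""
    shared, isolated = [], []
    for ns in NS_TYPES:
        if ns in a and ns in b:
            (shared if ns_id(a[ns]) == ns_id(b[ns]) else isolated).append(ns)
    return shared, isolated


if __name__ == "__main__":
    shared, isolated = compare_namespaces(HOST, CONTAINER)
    print("shared:  ", ", ".join(shared) or "-")
    print("isolated:", ", ".join(isolated) or "-")
```

In the constructed sample only the user namespace is shared, which means user IDs inside the container map directly to the same user IDs on the host.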

The "ns" subsystem was added early in cgroups development to integrate namespaces and control groups. If the "ns" cgroup was mounted, each namespace would also create a new group in the cgroup hierarchy. This was an experiment that was later judged to be a poor fit for the cgroups API, and removed from the kernel.

Linux namespaces were inspired by the more general namespace functionality used heavily throughout Plan 9 from Bell Labs.

Unified hierarchy

When designing software, an engineer seeks the solution that overall best addresses requirements for stability, security and performance, as well as maintainability, programmability (API) and usability (ABI). By their nature, these requirements must be balanced against each other: for example, an API to user space that does not offer much functionality but carelessly exposes some key inner workings can seriously compromise stability and security. That is especially true if the software is part of the Linux kernel. Tejun Heo decided to alter cgroups to prevent these scenarios. He designed and implemented a unified hierarchy with only one user space entity that has exclusive access to the facilities offered by cgroups.

Kernfs was introduced into the Linux kernel with version 3.14, the main author being Tejun Heo.[23] One of the main motivators for a separate kernfs is the cgroups file-system. Kernfs is basically the splitting off of some of the sysfs logic into an independent entity so that other kernel subsystems can more easily implement their own virtual file-system with handling for device connect and disconnect, dynamic creation and removal as needed or unneeded, and other attributes. Redesign continued into version 3.15 of the Linux kernel.[24]

Kernel memory control groups (kmemcg)

Kernel memory control groups (kmemcg) were merged into version 3.8 of the Linux kernel mainline.[25][26][27] The kmemcg controller can limit the amount of memory that the kernel can utilize to manage its own internal processes.


Adoption

Various projects are using cgroups as their basis, including the following:

See also


References

  1. Jonathan Corbet (29 May 2007). "Process containers".
  2. Jonathan Corbet (29 October 2007). "Notes from a container".
  3. "cgroup: convert to kernfs". 2014-01-28.
  4. "netfilter: x_tables: lightweight process control group matching". 2014-04-23.
  5. "cgroup: prepare for the default unified hierarchy". 2014-03-13.
  6. Jonathan Corbet (31 July 2007). "Controlling memory use in containers". LWN.
  7. Balbir Singh, Vaidynathan Srinivasan (July 2007). "Containers: Challenges with the memory resource controller and its performance". Ottawa Linux Symposium.
  8. Jonathan Corbet (23 October 2007). "Kernel space: Fair user scheduling for Linux". Network World. Retrieved 2012-08-22.
  9. Kamkamezawa Hiroyu (19 November 2008). "Cgroup and Memory Resource Controller" (PDF presentation slides). Japan Linux Symposium.
  10. Dave Hansen. "Resource Management" (PDF presentation slides). Linux Foundation.
  11. Matt Helsley (3 February 2009). "LXC: Linux container tools". IBM developerWorks.
  12. "Grid Engine cgroups Integration". Scalable Logic. 2012-05-22.
  13. "cgroups".
  14. "All About the Linux Kernel: Cgroup’s Redesign".
  15. "The unified control group hierarchy in 3.16".
  16. "Pull cgroup updates for 3.15 from Tejun Heo".
  17. "Pull cgroup updates for 3.16 from Tejun Heo".
  18. Pavel Emelyanov, Kir Kolyshkin (19 November 2007). "PID namespaces in the 2.6.24 kernel".
  19. Jonathan Corbet (30 January 2007). "Network namespaces".
  20. Serge E. Hallyn, Ram Pai (17 September 2007). "Applying mount namespaces". IBM developerWorks.
  21. Michael Kerrisk (27 February 2013). "Namespaces in operation, part 5: User namespaces". Linux Info from the Source.
  22. Janak Desai (11 January 2006). "Linux kernel documentation on unshare".
  23. "kernfs, sysfs, driver-core: implement synchronous self-removal".
  24. "kernel/git/torvalds/linux.git: cgroups: convert to kernfs". Linux kernel source tree.
  25. "memcg: kmem controller infrastructure".
  26. "memcg: kmem accounting basic infrastructure".
  27. "memcg: add documentation about the kmem controller".
  28. "Mesosphere to Bring Google’s Kubernetes to Mesos". 2014-07-10. Retrieved 2014-07-13.

External links

  • Linux kernel documentation on cgroups
  • Linux kernel Namespaces and cgroups by Rami Rosen
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply.