Provided by: manpages_4.15-1_all 
NAME
cgroups - Linux control groups
DESCRIPTION
Control cgroups, usually referred to as cgroups, are a Linux kernel feature which allow
processes to be organized into hierarchical groups whose usage of various types of
resources can then be limited and monitored. The kernel's cgroup interface is provided
through a pseudo-filesystem called cgroupfs. Grouping is implemented in the core cgroup
kernel code, while resource tracking and limits are implemented in a set of per-resource-
type subsystems (memory, CPU, and so on).
Terminology
A cgroup is a collection of processes that are bound to a set of limits or parameters
defined via the cgroup filesystem.
A subsystem is a kernel component that modifies the behavior of the processes in a cgroup.
Various subsystems have been implemented, making it possible to do things such as limiting
the amount of CPU time and memory available to a cgroup, accounting for the CPU time used
by a cgroup, and freezing and resuming execution of the processes in a cgroup. Subsystems
are sometimes also known as resource controllers (or simply, controllers).
The cgroups for a controller are arranged in a hierarchy. This hierarchy is defined by
creating, removing, and renaming subdirectories within the cgroup filesystem. At each
level of the hierarchy, attributes (e.g., limits) can be defined. The limits, control,
and accounting provided by cgroups generally have effect throughout the subhierarchy
underneath the cgroup where the attributes are defined. Thus, for example, the limits
placed on a cgroup at a higher level in the hierarchy cannot be exceeded by descendant
cgroups.
Cgroups version 1 and version 2
The initial release of the cgroups implementation was in Linux 2.6.24. Over time, various
cgroup controllers have been added to allow the management of various types of resources.
However, the development of these controllers was largely uncoordinated, with the result
that many inconsistencies arose between controllers and management of the cgroup
hierarchies became rather complex. (A longer description of these problems can be found
in the kernel source file Documentation/cgroup-v2.txt.)
Because of the problems with the initial cgroups implementation (cgroups version 1),
starting in Linux 3.10, work began on a new, orthogonal implementation to remedy these
problems. Initially marked experimental, and hidden behind the -o __DEVEL__sane_behavior
mount option, the new version (cgroups version 2) was eventually made official with the
release of Linux 4.5. Differences between the two versions are described in the text
below.
Although cgroups v2 is intended as a replacement for cgroups v1, the older system
continues to exist (and for compatibility reasons is unlikely to be removed). Currently,
cgroups v2 implements only a subset of the controllers available in cgroups v1. The two
systems are implemented so that both v1 controllers and v2 controllers can be mounted on
the same system. Thus, for example, it is possible to use those controllers that are
supported under version 2, while also using version 1 controllers where version 2 does not
yet support those controllers. The only restriction here is that a controller can't be
simultaneously employed in both a cgroups v1 hierarchy and in the cgroups v2 hierarchy.
CGROUPS VERSION 1
Under cgroups v1, each controller may be mounted against a separate cgroup filesystem that
provides its own hierarchical organization of the processes on the system. It is also
possible to comount multiple (or even all) cgroups v1 controllers against the same cgroup
filesystem, meaning that the comounted controllers manage the same hierarchical
organization of processes.
For each mounted hierarchy, the directory tree mirrors the control group hierarchy. Each
control group is represented by a directory, with each of its child control cgroups
represented as a child directory. For instance, /user/joe/1.session represents control
group 1.session, which is a child of cgroup joe, which is a child of /user. Under each
cgroup directory is a set of files which can be read or written to, reflecting resource
limits and a few general cgroup properties.
Tasks (threads) versus processes
In cgroups v1, a distinction is drawn between processes and tasks. In this view, a
process can consist of multiple tasks (more commonly called threads, from a user-space
perspective, and called such in the remainder of this man page). In cgroups v1, it is
possible to independently manipulate the cgroup memberships of the threads in a process.
The cgroups v1 ability to split threads across different cgroups caused problems in some
cases. For example, it made no sense for the memory controller, since all of the threads
of a process share a single address space. Because of these problems, the ability to
independently manipulate the cgroup memberships of the threads in a process was removed in
the initial cgroups v2 implementation, and subsequently restored in a more limited form
(see the discussion of "thread mode" below).
Mounting v1 controllers
The use of cgroups requires a kernel built with the CONFIG_CGROUP option. In addition,
each of the v1 controllers has an associated configuration option that must be set in
order to employ that controller.
In order to use a v1 controller, it must be mounted against a cgroup filesystem. The
usual place for such mounts is under a tmpfs(5) filesystem mounted at /sys/fs/cgroup.
Thus, one might mount the cpu controller as follows:
mount -t cgroup -o cpu none /sys/fs/cgroup/cpu
It is possible to comount multiple controllers against the same hierarchy. For example,
here the cpu and cpuacct controllers are comounted against a single hierarchy:
mount -t cgroup -o cpu,cpuacct none /sys/fs/cgroup/cpu,cpuacct
Comounting controllers has the effect that a process is in the same cgroup for all of the
comounted controllers. Separately mounting controllers allows a process to be in cgroup
/foo1 for one controller while being in /foo2/foo3 for another.
It is possible to comount all v1 controllers against the same hierarchy:
mount -t cgroup -o all cgroup /sys/fs/cgroup
(One can achieve the same result by omitting -o all, since it is the default if no
controllers are explicitly specified.)
It is not possible to mount the same controller against multiple cgroup hierarchies. For
example, it is not possible to mount both the cpu and cpuacct controllers against one
hierarchy, and to mount the cpu controller alone against another hierarchy. It is
possible to create multiple mount points with exactly the same set of comounted
controllers. However, in this case all that results is multiple mount points providing a
view of the same hierarchy.
Note that on many systems, the v1 controllers are automatically mounted under
/sys/fs/cgroup; in particular, systemd(1) automatically creates such mount points.
Unmounting v1 controllers
A mounted cgroup filesystem can be unmounted using the umount(8) command, as in the
following example:
umount /sys/fs/cgroup/pids
But note well: a cgroup filesystem is unmounted only if it is not busy, that is, it has no
child cgroups. If this is not the case, then the only effect of the umount(8) is to make
the mount invisible. Thus, to ensure that the mount point is really removed, one must
first remove all child cgroups, which in turn can be done only after all member processes
have been moved from those cgroups to the root cgroup.
Cgroups version 1 controllers
Each of the cgroups version 1 controllers is governed by a kernel configuration option
(listed below). Additionally, the availability of the cgroups feature is governed by the
CONFIG_CGROUPS kernel configuration option.
cpu (since Linux 2.6.24; CONFIG_CGROUP_SCHED)
Cgroups can be guaranteed a minimum number of "CPU shares" when a system is busy.
This does not limit a cgroup's CPU usage if the CPUs are not busy. For further
information, see Documentation/scheduler/sched-design-CFS.txt.
In Linux 3.2, this controller was extended to provide CPU "bandwidth" control. If
the kernel is configured with CONFIG_CFS_BANDWIDTH, then within each scheduling
period (defined via a file in the cgroup directory), it is possible to define an
upper limit on the CPU time allocated to the processes in a cgroup. This upper
limit applies even if there is no other competition for the CPU. Further
information can be found in the kernel source file
Documentation/scheduler/sched-bwc.txt.
cpuacct (since Linux 2.6.24; CONFIG_CGROUP_CPUACCT)
This provides accounting for CPU usage by groups of processes.
Further information can be found in the kernel source file
Documentation/cgroup-v1/cpuacct.txt.
cpuset (since Linux 2.6.24; CONFIG_CPUSETS)
This cgroup can be used to bind the processes in a cgroup to a specified set of
CPUs and NUMA nodes.
Further information can be found in the kernel source file
Documentation/cgroup-v1/cpusets.txt.
memory (since Linux 2.6.25; CONFIG_MEMCG)
The memory controller supports reporting and limiting of process memory, kernel
memory, and swap used by cgroups.
Further information can be found in the kernel source file
Documentation/cgroup-v1/memory.txt.
devices (since Linux 2.6.26; CONFIG_CGROUP_DEVICE)
This supports controlling which processes may create (mknod) devices as well as
open them for reading or writing. The policies may be specified as whitelists and
blacklists. Hierarchy is enforced, so new rules must not violate existing rules
for the target or ancestor cgroups.
Further information can be found in the kernel source file Documentation/cgroup-
v1/devices.txt.
freezer (since Linux 2.6.28; CONFIG_CGROUP_FREEZER)
The freezer cgroup can suspend and restore (resume) all processes in a cgroup.
Freezing a cgroup /A also causes its children, for example, processes in /A/B, to
be frozen.
Further information can be found in the kernel source file Documentation/cgroup-
v1/freezer-subsystem.txt.
net_cls (since Linux 2.6.29; CONFIG_CGROUP_NET_CLASSID)
This places a classid, specified for the cgroup, on network packets created by a
cgroup. These classids can then be used in firewall rules, as well as used to
shape traffic using tc(8). This applies only to packets leaving the cgroup, not to
traffic arriving at the cgroup.
Further information can be found in the kernel source file Documentation/cgroup-
v1/net_cls.txt.
blkio (since Linux 2.6.33; CONFIG_BLK_CGROUP)
The blkio cgroup controls and limits access to specified block devices by applying
IO control in the form of throttling and upper limits against leaf nodes and
intermediate nodes in the storage hierarchy.
Two policies are available. The first is a proportional-weight time-based division
of disk implemented with CFQ. This is in effect for leaf nodes using CFQ. The
second is a throttling policy which specifies upper I/O rate limits on a device.
Further information can be found in the kernel source file Documentation/cgroup-
v1/blkio-controller.txt.
perf_event (since Linux 2.6.39; CONFIG_CGROUP_PERF)
This controller allows perf monitoring of the set of processes grouped in a cgroup.
Further information can be found in the kernel source file
tools/perf/Documentation/perf-record.txt.
net_prio (since Linux 3.3; CONFIG_CGROUP_NET_PRIO)
This allows priorities to be specified, per network interface, for cgroups.
Further information can be found in the kernel source file Documentation/cgroup-
v1/net_prio.txt.
hugetlb (since Linux 3.5; CONFIG_CGROUP_HUGETLB)
This supports limiting the use of huge pages by cgroups.
Further information can be found in the kernel source file Documentation/cgroup-
v1/hugetlb.txt.
pids (since Linux 4.3; CONFIG_CGROUP_PIDS)
This controller permits limiting the number of process that may be created in a
cgroup (and its descendants).
Further information can be found in the kernel source file Documentation/cgroup-
v1/pids.txt.
rdma (since Linux 4.11; CONFIG_CGROUP_RDMA)
The RDMA controller permits limiting the use of RDMA/IB-specific resources per
cgroup.
Further information can be found in the kernel source file Documentation/cgroup-
v1/rdma.txt.
Creating cgroups and moving processes
A cgroup filesystem initially contains a single root cgroup, '/', which all processes
belong to. A new cgroup is created by creating a directory in the cgroup filesystem:
mkdir /sys/fs/cgroup/cpu/cg1
This creates a new empty cgroup.
A process may be moved to this cgroup by writing its PID into the cgroup's cgroup.procs
file:
echo $$ > /sys/fs/cgroup/cpu/cg1/cgroup.procs
Only one PID at a time should be written to this file.
Writing the value 0 to a cgroup.procs file causes the writing process to be moved to the
corresponding cgroup.
When writing a PID into the cgroup.procs, all threads in the process are moved into the
new cgroup at once.
Within a hierarchy, a process can be a member of exactly one cgroup. Writing a process's
PID to a cgroup.procs file automatically removes it from the cgroup of which it was
previously a member.
The cgroup.procs file can be read to obtain a list of the processes that are members of a
cgroup. The returned list of PIDs is not guaranteed to be in order. Nor is it guaranteed
to be free of duplicates. (For example, a PID may be recycled while reading from the
list.)
In cgroups v1, an individual thread can be moved to another cgroup by writing its thread
ID (i.e., the kernel thread ID returned by clone(2) and gettid(2)) to the tasks file in a
cgroup directory. This file can be read to discover the set of threads that are members
of the cgroup.
Removing cgroups
To remove a cgroup, it must first have no child cgroups and contain no (nonzombie)
processes. So long as that is the case, one can simply remove the corresponding directory
pathname. Note that files in a cgroup directory cannot and need not be removed.
Cgroups v1 release notification
Two files can be used to determine whether the kernel provides notifications when a cgroup
becomes empty. A cgroup is considered to be empty when it contains no child cgroups and
no member processes.
A special file in the root directory of each cgroup hierarchy, release_agent, can be used
to register the pathname of a program that may be invoked when a cgroup in the hierarchy
becomes empty. The pathname of the newly empty cgroup (relative to the cgroup mount
point) is provided as the sole command-line argument when the release_agent program is
invoked. The release_agent program might remove the cgroup directory, or perhaps
repopulate it with a process.
The default value of the release_agent file is empty, meaning that no release agent is
invoked.
The content of the release_agent file can also be specified via a mount option when the
cgroup filesystem is mounted:
mount -o release_agent=pathname ...
Whether or not the release_agent program is invoked when a particular cgroup becomes empty
is determined by the value in the notify_on_release file in the corresponding cgroup
directory. If this file contains the value 0, then the release_agent program is not
invoked. If it contains the value 1, the release_agent program is invoked. The default
value for this file in the root cgroup is 0. At the time when a new cgroup is created,
the value in this file is inherited from the corresponding file in the parent cgroup.
Cgroup v1 named hierarchies
In cgroups v1, it is possible to mount a cgroup hierarchy that has no attached
controllers:
mount -t cgroup -o none,name=somename none /some/mount/point
Multiple instances of such hierarchies can be mounted; each hierarchy must have a unique
name. The only purpose of such hierarchies is to track processes. (See the discussion of
release notification below.) An example of this is the name=systemd cgroup hierarchy that
is used by systemd(1) to track services and user sessions.
CGROUPS VERSION 2
In cgroups v2, all mounted controllers reside in a single unified hierarchy. While
(different) controllers may be simultaneously mounted under the v1 and v2 hierarchies, it
is not possible to mount the same controller simultaneously under both the v1 and the v2
hierarchies.
The new behaviors in cgroups v2 are summarized here, and in some cases elaborated in the
following subsections.
1. Cgroups v2 provides a unified hierarchy against which all controllers are mounted.
2. "Internal" processes are not permitted. With the exception of the root cgroup,
processes may reside only in leaf nodes (cgroups that do not themselves contain child
cgroups). The details are somewhat more subtle than this, and are described below.
3. Active cgroups must be specified via the files cgroup.controllers and
cgroup.subtree_control.
4. The tasks file has been removed. In addition, the cgroup.clone_children file that is
employed by the cpuset controller has been removed.
5. An improved mechanism for notification of empty cgroups is provided by the
cgroup.events file.
For more changes, see the Documentation/cgroup-v2.txt file in the kernel source.
Some of the new behaviors listed above saw subsequent modification with the addition in
Linux 4.14 of "thread mode" (described below).
Cgroups v2 unified hierarchy
In cgroups v1, the ability to mount different controllers against different hierarchies
was intended to allow great flexibility for application design. In practice, though, the
flexibility turned out to less useful than expected, and in many cases added complexity.
Therefore, in cgroups v2, all available controllers are mounted against a single
hierarchy. The available controllers are automatically mounted, meaning that it is not
necessary (or possible) to specify the controllers when mounting the cgroup v2 filesystem
using a command such as the following:
mount -t cgroup2 none /mnt/cgroup2
A cgroup v2 controller is available only if it is not currently in use via a mount against
a cgroup v1 hierarchy. Or, to put things another way, it is not possible to employ the
same controller against both a v1 hierarchy and the unified v2 hierarchy. This means that
it may be necessary first to unmount a v1 controller (as described above) before that
controller is available in v2. Since systemd(1) makes heavy use of some v1 controllers by
default, it can in some cases be simpler to boot the system with selected v1 controllers
disabled. To do this, specify the cgroup_no_v1=list option on the kernel boot command
line; list is a comma-separated list of the names of the controllers to disable, or the
word all to disable all v1 controllers. (This situation is correctly handled by
systemd(1), which falls back to operating without the specified controllers.)
Note that on many modern systems, systemd(1) automatically mounts the cgroup2 filesystem
at /sys/fs/cgroup/unified during the boot process.
Cgroups v2 controllers
The following controllers, documented in the kernel source file Documentation/cgroup-
v2.txt, are supported in cgroups version 2:
io (since Linux 4.5)
This is the successor of the version 1 blkio controller.
memory (since Linux 4.5)
This is the successor of the version 1 memory controller.
pids (since Linux 4.5)
This is the same as the version 1 pids controller.
perf_event (since Linux 4.11)
This is the same as the version 1 perf_event controller.
rdma (since Linux 4.11)
This is the same as the version 1 rdma controller.
cpu (since Linux 4.15)
This is the successor to the version 1 cpu and cpuacct controllers.
Cgroups v2 subtree control
Each cgroup in the v2 hierarchy contains the following two files:
cgroup.controllers
This read-only file exposes a list of the controllers that are available in this
cgroup. The contents of this file match the contents of the cgroup.subtree_control
file in the parent cgroup.
cgroup.subtree_control
This is a list of controllers that are active (enabled) in the cgroup. The set of
controllers in this file is a subset of the set in the cgroup.controllers of this
cgroup. The set of active controllers is modified by writing strings to this file
containing space-delimited controller names, each preceded by '+' (to enable a
controller) or '-' (to disable a controller), as in the following example:
echo '+pids -memory' > x/y/cgroup.subtree_control
An attempt to enable a controller that is not present in cgroup.controllers leads
to an ENOENT error when writing to the cgroup.subtree_control file.
Because the list of controllers in cgroup.subtree_control is a subset of those
cgroup.controllers, a controller that has been disabled in one cgroup in the hierarchy can
never be re-enabled in the subtree below that cgroup.
A cgroup's cgroup.subtree_control file determines the set of controllers that are
exercised in the child cgroups. When a controller (e.g., pids) is present in the
cgroup.subtree_control file of a parent cgroup, then the corresponding controller-
interface files (e.g., pids.max) are automatically created in the children of that cgroup
and can be used to exert resource control in the child cgroups.
Cgroups v2 "no internal processes" rule
Cgroups v2 enforces a so-called "no internal processes" rule. Roughly speaking, this rule
means that, with the exception of the root cgroup, processes may reside only in leaf nodes
(cgroups that do not themselves contain child cgroups). This avoids the need to decide
how to partition resources between processes which are members of cgroup A and processes
in child cgroups of A.
For instance, if cgroup /cg1/cg2 exists, then a process may reside in /cg1/cg2, but not in
/cg1. This is to avoid an ambiguity in cgroups v1 with respect to the delegation of
resources between processes in /cg1 and its child cgroups. The recommended approach in
cgroups v2 is to create a subdirectory called leaf for any nonleaf cgroup which should
contain processes, but no child cgroups. Thus, processes which previously would have gone
into /cg1 would now go into /cg1/leaf. This has the advantage of making explicit the
relationship between processes in /cg1/leaf and /cg1's other children.
The "no internal processes" rule is in fact more subtle than stated above. More
precisely, the rule is that a (nonroot) cgroup can't both (1) have member processes, and
(2) distribute resources into child cgroups—that is, have a nonempty
cgroup.subtree_control file. Thus, it is possible for a cgroup to have both member
processes and child cgroups, but before controllers can be enabled for that cgroup, the
member processes must be moved out of the cgroup (e.g., perhaps into the child cgroups).
With the Linux 4.14 addition of "thread mode" (described below), the "no internal
processes" rule has been relaxed in some cases.
Cgroups v2 cgroup.events file
With cgroups v2, a new mechanism is provided to obtain notification about when a cgroup
becomes empty. The cgroups v1 release_agent and notify_on_release files are removed, and
replaced by a new, more general-purpose file, cgroup.events. This read-only file contains
key-value pairs (delimited by newline characters, with the key and value separated by
spaces) that identify events or state for a cgroup. Currently, only one key appears in
this file, populated, which has either the value 0, meaning that the cgroup (and its
descendants) contain no (nonzombie) processes, or 1, meaning that the cgroup contains
member processes.
The cgroup.events file can be monitored, in order to receive notification when a cgroup
transitions between the populated and unpopulated states (or vice versa). When monitoring
this file using inotify(7), transitions generate IN_MODIFY events, and when monitoring the
file using poll(2), transitions generate POLLPRI events.
The cgroups v2 release-notification mechanism provided by the populated field of the
cgroup.events file offers at least two advantages over the cgroups v1 release_agent
mechanism. First, it allows for cheaper notification, since a single process can monitor
multiple cgroup.events files. By contrast, the cgroups v1 mechanism requires the creation
of a process for each notification. Second, notification can be delegated to a process
that lives inside a container associated with the newly empty cgroup.
Cgroups v2 cgroup.stat file
Each cgroup in the v2 hierarchy contains a read-only cgroup.stat file (first introduced in
Linux 4.14) that consists of lines containing key-value pairs. The following keys
currently appear in this file:
nr_descendants
This is the total number of visible (i.e., living) descendant cgroups underneath
this cgroup.
nr_dying_descendants
This is the total number of dying descendant cgroups underneath this cgroup. A
cgroup enters the dying state after being deleted. It remains in that state for an
undefined period (which will depend on system load) while resources are freed
before the cgroup is destroyed. Note that the presence of some cgroups in the
dying state is normal, and is not indicative of any problem.
A process can't be made a member of a dying cgroup, and a dying cgroup can't be
brought back to life.
Limiting the number of descendant cgroups
Each cgroup in the v2 hierarchy contains the following files, which can be used to view
and set limits on the number of descendant cgroups under that cgroup:
cgroup.max.depth (since Linux 4.14)
This file defines a limit on the depth of nesting of descendant cgroups. A value
of 0 in this file means that no descendant cgroups can be created. An attempt to
create a descendant whose nesting level exceeds the limit fails (mkdir(2) fails
with the error EAGAIN).
Writing the string "max" to this file means that no limit is imposed. The default
value in this file is "max".
cgroup.max.descendants (since Linux 4.14)
This file defines a limit on the number of live descendant cgroups that this cgroup
may have. An attempt to create more descendants than allowed by the limit fails
(mkdir(2) fails with the error EAGAIN).
Writing the string "max" to this file means that no limit is imposed. The default
value in this file is "max".
Cgroups v2 delegation: delegation to a less privileged user
In the context of cgroups, delegation means passing management of some subtree of the
cgroup hierarchy to a nonprivileged process. Cgroups v1 provides support for delegation
that was accidental and not fully secure. Cgroups v2 supports delegation by explicit
design.
Some terminology is required in order to describe delegation. A delegater is a privileged
user (i.e., root) who owns a parent cgroup. A delegatee is a nonprivileged user who will
be granted the permissions needed to manage some subhierarchy under that parent cgroup,
known as the delegated subtree.
To perform delegation, the delegater makes certain directories and files writable by the
delegatee, typically by changing the ownership of the objects to be the user ID of the
delegatee. Assuming that we want to delegate the hierarchy rooted at (say) /dlgt_grp and
that there are not yet any child cgroups under that cgroup, the ownership of the following
is changed to the user ID of the delegatee:
/dlgt_grp
Changing the ownership of the root of the subtree means that any new cgroups
created under the subtree (and the files they contain) will also be owned by the
delegatee.
/dlgt_grp/cgroup.procs
Changing the ownership of this file means that the delegatee can move processes
into the root of the delegated subtree.
/dlgt_grp/cgroup.subtree_control
Changing the ownership of this file means that that the delegatee can enable
controllers (that are present in /dlgt_grp/cgroup.controllers) in order to further
redistribute resources at lower levels in the subtree. (As an alternative to
changing the ownership of this file, the delegater might instead add selected
controllers to this file.)
/dlgt_grp/cgroup.threads
Changing the ownership of this file is necessary if a threaded subtree is being
delegated (see the description of "thread mode", below). This permits the
delegatee to write thread IDs to the file. (The ownership of this file can also be
changed when delegating a domain subtree, but currently this serves no purpose,
since, as described below, it is not possible to move a thread between domain
cgroups by writing its thread ID to the cgroup.tasks file.)
The delegater should not change the ownership of any of the controller interfaces files
(e.g., pids.max, memory.high) in dlgt_grp. Those files are used from the next level above
the delegated subtree in order to distribute resources into the subtree, and the delegatee
should not have permission to change the resources that are distributed into the delegated
subtree.
See also the discussion of the /sys/kernel/cgroup/delegate file in NOTES.
After the aforementioned steps have been performed, the delegatee can create child cgroups
within the delegated subtree (the cgroup subdirectories and the files they contain will be
owned by the delegatee) and move processes between cgroups in the subtree. If some
controllers are present in dlgt_grp/cgroup.subtree_control, or the ownership of that file
was passed to the delegatee, the delegatee can also control the further redistribution of
the corresponding resources into the delegated subtree.
Cgroups v2 delegation: nsdelegate and cgroup namespaces
Starting with Linux 4.13, there is a second way to perform cgroup delegation. This is
done by mounting or remounting the cgroup v2 filesystem with the nsdelegate mount option.
For example, if the cgroup v2 filesystem has already been mounted, we can remount it with
the nsdelegate option as follows:
mount -t cgroup2 -o remount,nsdelegate \
none /sys/fs/cgroup/unified
The effect of this mount option is to cause cgroup namespaces to automatically become
delegation boundaries. More specifically, the following restrictions apply for processes
inside the cgroup namespace:
* Writes to controller interface files in the root directory of the namespace will fail
with the error EPERM. Processes inside the cgroup namespace can still write to
delegatable files in the root directory of the cgroup namespace such as cgroup.procs
and cgroup.subtree_control, and can create subhierarchy underneath the root directory.
* Attempts to migrate processes across the namespace boundary are denied (with the error
ENOENT). Processes inside the cgroup namespace can still (subject to the containment
rules described below) move processes between cgroups within the subhierarchy under the
namespace root.
The ability to define cgroup namespaces as delegation boundaries makes cgroup namespaces
more useful. To understand why, suppose that we already have one cgroup hierarchy that
has been delegated to a nonprivileged user, cecilia, using the older delegation technique
described above. Suppose further that cecilia wanted to further delegate a subhierarchy
under the existing delegated hierarchy. (For example, the delegated hierarchy might be
associated with an unprivileged container run by cecilia.) Even if a cgroup namespace was
employed, because both hierarchies are owned by the unprivileged user cecilia, the
following illegitimate actions could be performed:
* A process in the inferior hierarchy could change the resource controller settings in
the root directory of the that hierarchy. (These resource controller settings are
intended to allow control to be exercised from the parent cgroup; a process inside the
child cgroup should not be allowed to modify them.)
* A process inside the inferior hierarchy could move processes into and out of the
inferior hierarchy if the cgroups in the superior hierarchy were somehow visible.
Employing the nsdelegate mount option prevents both of these possibilities.
The nsdelegate mount option only has an effect when performed in the initial mount
namespace; in other mount namespaces, the option is silently ignored.
Note: On some systems, systemd(1) automatically mounts the cgroup v2 filesystem. In order
to experiment with the nsdelegate operation, it may be desirable to
Cgroup v2 delegation containment rules
Some delegation containment rules ensure that the delegatee can move processes between
cgroups within the delegated subtree, but can't move processes from outside the delegated
subtree into the subtree or vice versa. A nonprivileged process (i.e., the delegatee) can
write the PID of a "target" process into a cgroup.procs file only if all of the following
are true:
* The writer has write permission on the cgroup.procs file in the destination cgroup.
* The writer has write permission on the cgroup.procs file in the common ancestor of the
source and destination cgroups. (In some cases, the common ancestor may be the source
or destination cgroup itself.)
* If the cgroup v2 filesystem was mounted with the nsdelegate option, the writer must be
able to see the source and destination cgroups from its cgroup namespace.
* Before Linux 4.11: the effective UID of the writer (i.e., the delegatee) matches the
real user ID or the saved set-user-ID of the target process. (This was a historical
requirement inherited from cgroups v1 that was later deemed unnecessary, since the
other rules suffice for containment in cgroups v2.)
Note: one consequence of these delegation containment rules is that the unprivileged
delegatee can't place the first process into the delegated subtree; instead, the delegater
must place the first process (a process owned by the delegatee) into the delegated
subtree.
CGROUPS VERSION 2 THREAD MODE
Among the restrictions imposed by cgroups v2 that were not present in cgroups v1 are the
following:
* No thread-granularity control: all of the threads of a process must be in the same
cgroup.
* No internal processes: a cgroup can't both have member processes and exercise
controllers on child cgroups.
Both of these restrictions were added because the lack of these restrictions had caused
problems in cgroups v1. In particular, the cgroups v1 ability to allow thread-level
granularity for cgroup membership made no sense for some controllers. (A notable example
was the memory controller: since threads share an address space, it made no sense to split
threads across different memory cgroups.)
Notwithstanding the initial design decision in cgroups v2, there were use cases for
certain controllers, notably the cpu controller, for which thread-level granularity of
control was meaningful and useful. To accommodate such use cases, Linux 4.14 added thread
mode for cgroups v2.
Thread mode allows the following:
* The creation of threaded subtrees in which the threads of a process may be spread
across cgroups inside the tree. (A threaded subtree may contain multiple multithreaded
processes.)
* The concept of threaded controllers, which can distribute resources across the cgroups
in a threaded subtree.
* A relaxation of the "no internal processes rule", so that, within a threaded subtree, a
cgroup can both contain member threads and exercise resource control over child
cgroups.
With the addition of thread mode, each nonroot cgroup now contains a new file,
cgroup.type, that exposes, and in some circumstances can be used to change, the "type" of
a cgroup. This file contains one of the following type values:
domain This is a normal v2 cgroup that provides process-granularity control. If a process
is a member of this cgroup, then all threads of the process are (by definition) in
the same cgroup. This is the default cgroup type, and provides the same behavior
that was provided for cgroups in the initial cgroups v2 implementation.
threaded
This cgroup is a member of a threaded subtree. Threads can be added to this
cgroup, and controllers can be enabled for the cgroup.
domain threaded
This is a domain cgroup that serves as the root of a threaded subtree. This cgroup
type is also known as "threaded root".
domain invalid
This is a cgroup inside a threaded subtree that is in an "invalid" state.
Processes can't be added to the cgroup, and controllers can't be enabled for the
cgroup. The only thing that can be done with this cgroup (other than deleting it)
is to convert it to a threaded cgroup by writing the string "threaded" to the
cgroup.type file.
The rationale for the existence of this "interim" type during the creation of a
threaded subtree (rather than the kernel simply immediately converting all cgroups
under the threaded root to the type threaded) is to allow for possible future
extensions to the thread mode model
Threaded versus domain controllers
With the addition of threads mode, cgroups v2 now distinguishes two types of resource
controllers:
* Threaded controllers: these controllers support thread-granularity for resource control
and can be enabled inside threaded subtrees, with the result that the corresponding
controller-interface files appear inside the cgroups in the threaded subtree. As at
Linux 4.15, the following controllers are threaded: cpu, perf_event, and pids.
* Domain controllers: these controllers support only process granularity for resource
control. From the perspective of a domain controller, all threads of a process are
always in the same cgroup. Domain controllers can't be enabled inside a threaded
subtree.
Creating a threaded subtree
There are two pathways that lead to the creation of a threaded subtree. The first pathway
proceeds as follows:
1. We write the string "threaded" to the cgroup.type file of a cgroup y/z that currently
has the type domain. This has the following effects:
* The type of the cgroup y/z becomes threaded.
* The type of the parent cgroup, y, becomes domain threaded. The parent cgroup is the
root of a threaded subtree (also known as the "threaded root").
* All other cgroups under y that were not already of type threaded (because they were
inside already existing threaded subtrees under the new threaded root) are converted
to type domain invalid. Any subsequently created cgroups under y will also have the
type domain invalid.
2. We write the string "threaded" to each of the domain invalid cgroups under y, in order
to convert them to the type threaded. As a consequence of this step, all threads under
the threaded root now have the type threaded and the threaded subtree is now fully
usable. The requirement to write "threaded" to each of these cgroups is somewhat
cumbersome, but allows for possible future extensions to the thread-mode model.
The second way of creating a threaded subtree is as follows:
1. In an existing cgroup, z, that currently has the type domain, we (1) enable one or more
threaded controllers and (2) make a process a member of z. (These two steps can be
done in either order.) This has the following consequences:
* The type of z becomes domain threaded.
* All of the descendant cgroups of x that were not already of type threaded are
converted to type domain invalid.
2. As before, we make the threaded subtree usable by writing the string "threaded" to each
of the domain invalid cgroups under y, in order to convert them to the type threaded.
One of the consequences of the above pathways to creating a threaded subtree is that the
threaded root cgroup can be a parent only to threaded (and domain invalid) cgroups. The
threaded root cgroup can't be a parent of a domain cgroups, and a threaded cgroup can't
have a sibling that is a domain cgroup.
Using a threaded subtree
Within a threaded subtree, threaded controllers can be enabled in each subgroup whose type
has been changed to threaded; upon doing so, the corresponding controller interface files
appear in the children of that cgroup.
A process can be moved into a threaded subtree by writing its PID to the cgroup.procs file
in one of the cgroups inside the tree. This has the effect of making all of the threads
in the process members of the corresponding cgroup and makes the process a member of the
threaded subtree. The threads of the process can then be spread across the threaded
subtree by writing their thread IDs (see gettid(2)) to the cgroup.threads files in
different cgroups inside the subtree. The threads of a process must all reside in the
same threaded subtree.
As with writing to cgroup.procs, some containment rules apply when writing to the
cgroup.threads file:
* The writer must have write permission on the cgroup.threads file in the destination
cgroup.
* The writer must have write permission on the cgroup.procs file in the common ancestor
of the source and destination cgroups. (In some cases, the common ancestor may be the
source or destination cgroup itself.)
* The source and destination cgroups must be in the same threaded subtree. (Outside a
threaded subtree, an attempt to move a thread by writing its thread ID to the
cgroup.threads file in a different domain cgroup fails with the error EOPNOTSUPP.)
The cgroup.threads file is present in each cgroup (including domain cgroups) and can be
read in order to discover the set of threads that is present in the cgroup. The set of
thread IDs obtained when reading this file is not guaranteed to be ordered or free of
duplicates.
The cgroup.procs file in the threaded root shows the PIDs of all processes that are
members of the threaded subtree. The cgroup.procs files in the other cgroups in the
subtree are not readable.
Domain controllers can't be enabled in a threaded subtree; no controller-interface files
appear inside the cgroups underneath the threaded root. From the point of view of a
domain controller, threaded subtrees are invisible: a multithreaded process inside a
threaded subtree appears to a domain controller as a process that resides in the threaded
root cgroup.
Within a threaded subtree, the "no internal processes" rule does not apply: a cgroup can
both contain member processes (or thread) and exercise controllers on child cgroups.
Rules for writing to cgroup.type and creating threaded subtrees
A number of rules apply when writing to the cgroup.type file:
* Only the string "threaded" may be written. In other words, the only explicit
transition that is possible is to convert a domain cgroup to type threaded.
* The string "threaded" can be written only if the current value in cgroup.type is one of
the following
• domain, to start the creation of a threaded subtree via the first of the pathways
described above;
• domain invalid, to convert one of the cgroups in a threaded subtree into a usable
(i.e., threaded) state;
• threaded, which has no effect (a "no-op").
* We can't write to a cgroup.type file if the parent's type is domain invalid. In other
words, the cgroups of a threaded subtree must be converted to the threaded state in a
top-down manner.
There are also some constraints that must be satisfied in order to create a threaded
subtree rooted at the cgroup x:
* There can be no member processes in the descendant cgroups of x. (The cgroup x can
itself have member processes.)
* No domain controllers may be enabled in x's cgroup.subtree_control file.
If any of the above constraints is violated, then an attempt to write "threaded" to a
cgroup.type file fails with the error ENOTSUP.
The "domain threaded" cgroup type
According to the pathways described above, the type of a cgroup can change to domain
threaded in either of the following cases:
* The string "threaded" is written to a child cgroup.
* A threaded controller is enabled inside the cgroup and a process is made a member of
the cgroup.
A domain threaded cgroup, x, can revert to the type domain if the above conditions no
longer hold true—that is, if all threaded child cgroups of x are removed and either x no
longer has threaded controllers enabled or no longer has member processes.
When a domain threaded cgroup x reverts to the type domain:
* All domain invalid descendants of x that are not in lower-level threaded subtrees
revert to the type domain.
* The root cgroups in any lower-level threaded subtrees revert to the type domain
threaded.
Exceptions for the root cgroup
The root cgroup of the v2 hierarchy is treated exceptionally: it can be the parent of both
domain and threaded cgroups. If the string "threaded" is written to the cgroup.type file
of one of the children of the root cgroup, then
* The type of that cgroup becomes threaded.
* The type of any descendants of that cgroup that are not part of lower-level threaded
subtrees changes to domain invalid.
Note that in this case, there is no cgroup whose type becomes domain threaded.
(Notionally, the root cgroup can be considered as the threaded root for the cgroup whose
type was changed to threaded.)
The aim of this exceptional treatment for the root cgroup is to allow a threaded cgroup
that employs the cpu controller to be placed as high as possible in the hierarchy, so as
to minimize the (small) cost of traversing the cgroup hierarchy.
The cgroups v2 "cpu" controller and realtime processes
As at Linux 4.15, the cgroups v2 cpu controller does not support control of realtime
processes, and the controller can be enabled in the root cgroup only if all realtime
threads are in the root cgroup. (If there are realtime processes in nonroot cgroups, then
a write(2) of the string "+cpu" to the cgroup.subtree_control file fails with the error
EINVAL. However, on some systems, systemd(1) places certain realtime processes in nonroot
cgroups in the v2 hierarchy. On such systems, these processes must first be moved to the
root cgroup before the cpu controller can be enabled.
ERRORS
The following errors can occur for mount(2):
EBUSY An attempt to mount a cgroup version 1 filesystem specified neither the name=
option (to mount a named hierarchy) nor a controller name (or all).
NOTES
A child process created via fork(2) inherits its parent's cgroup memberships. A process's
cgroup memberships are preserved across execve(2).
/proc files
/proc/cgroups (since Linux 2.6.24)
This file contains information about the controllers that are compiled into the
kernel. An example of the contents of this file (reformatted for readability) is
the following:
#subsys_name hierarchy num_cgroups enabled
cpuset 4 1 1
cpu 8 1 1
cpuacct 8 1 1
blkio 6 1 1
memory 3 1 1
devices 10 84 1
freezer 7 1 1
net_cls 9 1 1
perf_event 5 1 1
net_prio 9 1 1
hugetlb 0 1 0
pids 2 1 1
The fields in this file are, from left to right:
1. The name of the controller.
2. The unique ID of the cgroup hierarchy on which this controller is mounted. If
multiple cgroups v1 controllers are bound to the same hierarchy, then each will
show the same hierarchy ID in this field. The value in this field will be 0 if:
a) the controller is not mounted on a cgroups v1 hierarchy;
b) the controller is bound to the cgroups v2 single unified hierarchy; or
c) the controller is disabled (see below).
3. The number of control groups in this hierarchy using this controller.
4. This field contains the value 1 if this controller is enabled, or 0 if it has
been disabled (via the cgroup_disable kernel command-line boot parameter).
/proc/[pid]/cgroup (since Linux 2.6.24)
This file describes control groups to which the process with the corresponding PID
belongs. The displayed information differs for cgroups version 1 and version 2
hierarchies.
For each cgroup hierarchy of which the process is a member, there is one entry
containing three colon-separated fields:
hierarchy-ID:controller-list:cgroup-path
For example:
5:cpuacct,cpu,cpuset:/daemons
The colon-separated fields are, from left to right:
1. For cgroups version 1 hierarchies, this field contains a unique hierarchy ID
number that can be matched to a hierarchy ID in /proc/cgroups. For the cgroups
version 2 hierarchy, this field contains the value 0.
2. For cgroups version 1 hierarchies, this field contains a comma-separated list of
the controllers bound to the hierarchy. For the cgroups version 2 hierarchy,
this field is empty.
3. This field contains the pathname of the control group in the hierarchy to which
the process belongs. This pathname is relative to the mount point of the
hierarchy.
/sys/kernel/cgroup files
/sys/kernel/cgroup/delegate (since Linux 4.15)
This file exports a list of the cgroups v2 files (one per line) that are
delegatable (i.e., whose ownership should be changed to the user ID of the
delegatee). In the future, the set of delegatable files may change or grow, and
this file provides a way for the kernel to inform user-space applications of which
files must be delegated. As at Linux 4.15, one sees the following when inspecting
this file:
$ cat /sys/kernel/cgroup/delegate
cgroup.procs
cgroup.subtree_control
cgroup.threads
/sys/kernel/cgroup/features (since Linux 4.15)
Over time, the set of cgroups v2 features that are provided by the kernel may
change or grow, or some features may not be enabled by default. This file provides
a way for user-space applications to discover what features the running kernel
supports and has enabled. Features are listed one per line:
$ cat /sys/kernel/cgroup/features
nsdelegate
The entries that can appear in this file are:
nsdelegate (since Linux 4.15)
The kernel supports the nsdelegate mount option.
SEE ALSO
prlimit(1), systemd(1), systemd-cgls(1), systemd-cgtop(1), clone(2), ioprio_set(2),
perf_event_open(2), setrlimit(2), cgroup_namespaces(7), cpuset(7), namespaces(7),
sched(7), user_namespaces(7)
COLOPHON
This page is part of release 4.15 of the Linux man-pages project. A description of the
project, information about reporting bugs, and the latest version of this page, can be
found at https://www.kernel.org/doc/man-pages/.