Provided by: cgroup-tools_2.0-2_amd64 bug

NAME

       cgconfig.conf - libcgroup configuration file

DESCRIPTION

       cgconfig.conf  is  a  configuration file used by libcgroup to define control groups, their
       parameters and their mount points.  The  file  consists  of  mount  ,  group  and  default
       sections.  These sections can be in arbitrary order and all of them are optional. Any line
       starting with '#' is considered a comment line and is ignored.

       mount section has this form:

              mount {
                     <controller> = <path>;
                     ...
              }

       controller
              Name of the kernel subsystem. The list of subsystems supported by the kernel can be
              found  in  /proc/cgroups  file.  Named  hierarchy  can  be  specified as controller
              "name=<somename>". Do not forget to use double quotes around this  controller  name
              (see  examples  below). Apart from named hierarchy, additional mount options may be
              specified by putting the controller and the options in  quotes.  Options  supported
              are  nosuid, noexec and nodev.

              Libcgroup  merges  all subsystems mounted to the same directory (see Example 1) and
              the directory is mounted only once.

       path   The directory path where the group hierarchy associated to a given controller shall
              be  mounted.  The directory is created automatically on cgconfig service startup if
              it does not exist and is deleted on service shutdown.

       If no mount section is specified, no controllers are mounted.

       group section has this form:

              group <name> {
                     [permissions]
                     <controller> {
                            <param name> = <param value>;
                            ...
                     }
                     ...
              }

       name   Name of the control group. It can contain only characters, which  are  allowed  for
              directory  names.  The groups form a tree, i.e. a control group can contain zero or
              more subgroups. Subgroups can be specified using '/' delimiter.

              The root control group is always created automatically in all hierarchies and it is
              the base of the group hierarchy. It can be explicitly specified in cgconfig.conf by
              using '.' as group name. This can be used e.g. to set its permissions, as shown  in
              Example 6.

              When  the  parent  control  group  of  a  subgroup  is  not specified it is created
              automatically.

       permissions
              Permissions of the given control group on  mounted  filesystem.   root  has  always
              permission  to  do anything with the control group.  Permissions have the following
              syntax:
                        perm {
                               task {
                                      uid = <task user>;
                                      gid = <task group>;
                                      fperm = <file permissions>
                               }
                               admin {
                                      uid = <admin name>;
                                      gid = <admin group>;
                                      dperm = <directory permissions>
                                      fperm = <file permissions>
                               }
                        }

              task user/group  Name of the user and the group, which own the tasks  file  of  the
                               control  group.  Given  fperm  then  specify the file permissions.
                               Please note that the given value is not  used  as  was  specified.
                               Instead,  current file owner permissions are used as a "umask" for
                               group and others permissions. For example if fperm = 777 then both
                               group and others will get the same permissions as the file owner.

              admin user/group Name  of  the  user  and  the  group which own the rest of control
                               group's files. Given fperm and dperm control  file  and  directory
                               permissions.    Again,   the   given   value   is  masked  by  the
                               file/directory owner permissions.

              Permissions are only apply to the enclosing control group and are not inherited  by
              subgroups.  If  there is no perm section in the control group definition, root:root
              is the owner of all files and default file permissions are preserved if fperm resp.
              dperm are not specified.

       controller
              Name  of the kernel subsystem.  The section can be empty, default kernel parameters
              will be used in this case. By specifying controller the control group and  all  its
              parents  are  controlled  by  the  specific  subsystem.  One  control  group can be
              controlled by multiple subsystems, even if the subsystems are mounted on  different
              directories.  Each  control  group must be controlled by at least one subsystem, so
              that libcgroup knows in which hierarchies the control group should be created.

              The parameters of the given controller can be modified  in  the  following  section
              enclosed in brackets.

              param name
                     Name of the file to set. Each controller can have zero or more parameters.

              param value
                     Value which should be written to the file when the control group is created.
                     If it is enclosed in double quotes `"', it  can  contain  spaces  and  other
                     special characters.

       If no group section is specified, no groups are created.

       default section has this form:

              default {
                     perm {
                            task {
                                   uid = <task user>;
                                   gid = <task group>;
                                   fperm = <file permissions>
                            }
                            admin {
                                   uid = <admin name>;
                                   gid = <admin group>;
                                   dperm = <directory permissions>
                                   fperm = <file permissions>
                            }
                     }
              }

       Content of the perm section has the same form as in group section. The permissions defined
       here specify owner and permissions of groups and files of all groups, which  do  not  have
       explicitly specified their permissions in their group section.

       template  section  has  the  same  structure as group section. Template name uses the same
       templates string as  cgrules.conf  destination  tag  (see  (cgrules.conf  (5)).   Template
       definition  is  used  as a control group definition for rules in cgrules.conf (5) with the
       same destination name.  Templates does not use default section settings.

       /etc/cgconfig.d/ directory can be used for  additional  configuration  files.  cgrulesengd
       searches this directory for additional templates.

EXAMPLES

   Example 1
       The configuration file:

              mount {
                     cpu = /sys/fs/cgroup/cpu;
                     cpuacct = /sys/fs/cgroup/cpu;
              }

       creates  the  hierarchy controlled by two subsystems with no groups inside. It corresponds
       to the following operations:

              mkdir /sys/fs/cgroup/cpu
              mount -t cgroup -o cpu,cpuacct cpu /sys/fs/cgroup/cpu

   Example 2
       The configuration file:

              mount {
                     cpu = /sys/fs/cgroup/cpu;
                     "name=scheduler" = /sys/fs/cgroup/cpu;
                     "name=noctrl" = /sys/fs/cgroup/noctrl;
              }

              group daemons {
                     cpu {
                            cpu.shares = "1000";
                     }
              }
              group test {
                     "name=noctrl" {
                     }
              }
       creates two hierarchies. One hierarchy named scheduler controlled by cpu  subsystem,  with
       group  daemons inside. Second hierarchy is named noctrl without any controller, with group
       test. It corresponds to following operations:

              mkdir /sys/fs/cgroup/cpu
              mount -t cgroup -o cpu,name=scheduler cpu /sys/fs/cgroup/cpu
              mount -t cgroup -o none,name=noctrl none /sys/fs/cgroup/noctrl

              mkdir /sys/fs/cgroup/cpu/daemons
              echo 1000 > /sys/fs/cgroup/cpu/daemons/www/cpu.shares

              mkdir /sys/fs/cgroup/noctrl/tests

       The daemons group is created automatically when its first subgroup  is  created.  All  its
       parameters have the default value and only root can access group's files.

       Since  both  cpuacct  and cpu subsystems are mounted to the same directory, all groups are
       implicitly controlled also by cpuacct subsystem, even if there is no  cpuacct  section  in
       any of the groups.

   Example 3
       The configuration file:

              mount {
                     cpu = /sys/fs/cgroup/cpu;
                     cpuacct = /sys/fs/cgroup/cpu;
              }

              group daemons/www {
                     perm {
                            task {
                                   uid = root;
                                   gid = webmaster;
                                   fperm = 770;
                            }
                            admin {
                                   uid = root;
                                   gid = root;
                                   dperm = 775;
                                   fperm = 744;
                            }
                     }
                     cpu {
                            cpu.shares = "1000";
                     }
              }

              group daemons/ftp {
                     perm {
                            task {
                                   uid = root;
                                   gid = ftpmaster;
                                   fperm = 774;
                            }
                            admin {
                                   uid = root;
                                   gid = root;
                                   dperm = 755;
                                   fperm = 700;
                            }
                     }
                     cpu {
                            cpu.shares = "500";
                     }
              }
       creates  the  hierarchy  controlled  by  two  subsystems  with one group and two subgroups
       inside, setting one parameter.  It corresponds to the  following  operations  (except  for
       file permissions which are little bit trickier to emulate via chmod):

              mkdir /sys/fs/cgroup/cpu
              mount -t cgroup -o cpu,cpuacct cpu /sys/fs/cgroup/cpu

              mkdir /sys/fs/cgroup/cpu/daemons

              mkdir /sys/fs/cgroup/cpu/daemons/www
              chown root:root /sys/fs/cgroup/cpu/daemons/www/*
              chown root:webmaster /sys/fs/cgroup/cpu/daemons/www/tasks
              echo 1000 > /sys/fs/cgroup/cpu/daemons/www/cpu.shares

               # + chmod the files so the result looks like:
               # ls -la /sys/fs/cgroup/cpu/daemons/www/
               # admin.dperm = 755:
               # drwxr-xr-x. 2 root webmaster 0 Jun 16 11:51 .
               #
               # admin.fperm = 744:
               # --w-------. 1 root webmaster 0 Jun 16 11:51 cgroup.event_control
               # -r--r--r--. 1 root webmaster 0 Jun 16 11:51 cgroup.procs
               # -r--r--r--. 1 root webmaster 0 Jun 16 11:51 cpuacct.stat
               # -rw-r--r--. 1 root webmaster 0 Jun 16 11:51 cpuacct.usage
               # -r--r--r--. 1 root webmaster 0 Jun 16 11:51 cpuacct.usage_percpu
               # -rw-r--r--. 1 root webmaster 0 Jun 16 11:51 cpu.rt_period_us
               # -rw-r--r--. 1 root webmaster 0 Jun 16 11:51 cpu.rt_runtime_us
               # -rw-r--r--. 1 root webmaster 0 Jun 16 11:51 cpu.shares
               # -rw-r--r--. 1 root webmaster 0 Jun 16 11:51 notify_on_release
               #
               # tasks.fperm = 770
               # -rw-rw----. 1 root webmaster 0 Jun 16 11:51 tasks

              mkdir /sys/fs/cgroup/cpu/daemons/ftp
              chown root:root /sys/fs/cgroup/cpu/daemons/ftp/*
              chown root:ftpmaster /sys/fs/cgroup/cpu/daemons/ftp/tasks
              echo 500 > /sys/fs/cgroup/cpu/daemons/ftp/cpu.shares

               # + chmod the files so the result looks like:
               # ls -la /sys/fs/cgroup/cpu/daemons/ftp/
               # admin.dperm = 755:
               # drwxr-xr-x. 2 root ftpmaster 0 Jun 16 11:51 .
               #
               # admin.fperm = 700:
               # --w-------. 1 root ftpmaster 0 Jun 16 11:51 cgroup.event_control
               # -r--------. 1 root ftpmaster 0 Jun 16 11:51 cgroup.procs
               # -r--------. 1 root ftpmaster 0 Jun 16 11:51 cpuacct.stat
               # -rw-------. 1 root ftpmaster 0 Jun 16 11:51 cpuacct.usage
               # -r--------. 1 root ftpmaster 0 Jun 16 11:51 cpuacct.usage_percpu
               # -rw-------. 1 root ftpmaster 0 Jun 16 11:51 cpu.rt_period_us
               # -rw-------. 1 root ftpmaster 0 Jun 16 11:51 cpu.rt_runtime_us
               # -rw-------. 1 root ftpmaster 0 Jun 16 11:51 cpu.shares
               # -rw-------. 1 root ftpmaster 0 Jun 16 11:51 notify_on_release
               #
               # tasks.fperm = 774:
               # -rw-rw-r--. 1 root ftpmaster 0 Jun 16 11:51 tasks

       The  daemons  group  is  created automatically when its first subgroup is created. All its
       parameters have the default value and only root can access the group's files.

       Since both cpuacct and cpu subsystems are mounted to the same directory,  all  groups  are
       implicitly  also  controlled by the cpuacct subsystem, even if there is no cpuacct section
       in any of the groups.

   Example 4
       The configuration file:

              mount {
                     cpu = /sys/fs/cgroup/cpu;
                     cpuacct = /sys/fs/cgroup/cpuacct;
              }

              group daemons {
                     cpuacct{
                     }
                     cpu {
                     }
              }
       creates two hierarchies and one common group in both  of  them.   It  corresponds  to  the
       following operations:

              mkdir /sys/fs/cgroup/cpu
              mkdir /sys/fs/cgroup/cpuacct
              mount -t cgroup -o cpu cpu /sys/fs/cgroup/cpu
              mount -t cgroup -o cpuacct cpuacct /sys/fs/cgroup/cpuacct

              mkdir /sys/fs/cgroup/cpu/daemons
              mkdir /sys/fs/cgroup/cpuacct/daemons

       In  fact there are two groups created. One in the cpuacct hierarchy, the second in the cpu
       hierarchy. These two groups have nothing in common and can contain different subgroups and
       different tasks.

   Example 5
       The configuration file:

              mount {
                     cpu = /sys/fs/cgroup/cpu;
                     cpuacct = /sys/fs/cgroup/cpuacct;
              }

              group daemons {
                     cpuacct{
                     }
              }

              group daemons/www {
                     cpu {
                            cpu.shares = "1000";
                     }
              }

              group daemons/ftp {
                     cpu {
                            cpu.shares = "500";
                     }
              }
       creates  two  hierarchies  with  few  groups  inside. One of the groups is created in both
       hierarchies.

       It corresponds to the following operations:

              mkdir /sys/fs/cgroup/cpu
              mkdir /sys/fs/cgroup/cpuacct
              mount -t cgroup -o cpu cpu /sys/fs/cgroup/cpu
              mount -t cgroup -o cpuacct cpuacct /sys/fs/cgroup/cpuacct

              mkdir /sys/fs/cgroup/cpuacct/daemons
              mkdir /sys/fs/cgroup/cpu/daemons
              mkdir /sys/fs/cgroup/cpu/daemons/www
              echo 1000 > /sys/fs/cgroup/cpu/daemons/www/cpu.shares
              mkdir /sys/fs/cgroup/cpu/daemons/ftp
              echo 500 > /sys/fs/cgroup/cpu/daemons/ftp/cpu.shares
       Group daemons is created in both hierarchies.  In  the  cpuacct  hierarchy  the  group  is
       explicitly  mentioned in the configuration file. In the cpu hierarchy the group is created
       implicitly when www is created there. These two groups have nothing in common, for example
       they  do not share processes and subgroups. Groups www and ftp are created only in the cpu
       hierarchy and are not controlled by the cpuacct subsystem.

   Example 6
       The configuration file:

              mount {
                     cpu = /sys/fs/cgroup/cpu;
                     cpuacct = /sys/fs/cgroup/cpu;
              }

              group . {
                     perm {
                            task {
                                   uid = root;
                                   gid = operator;
                            }
                            admin {
                                   uid = root;
                                   gid = operator;
                            }
                     }
                     cpu {
                     }
              }

              group daemons {
                     perm {
                            task {
                                   uid = root;
                                   gid = daemonmaster;
                            }
                            admin {
                                   uid = root;
                                   gid = operator;
                            }
                     }
                     cpu {
                     }
              }
       creates the hierarchy controlled by two subsystems with  one  group  having  some  special
       permissions.  It corresponds to the following operations:

              mkdir /sys/fs/cgroup/cpu
              mount -t cgroup -o cpu,cpuacct cpu /sys/fs/cgroup/cpu

              chown root:operator /sys/fs/cgroup/cpu/*
              chown root:operator /sys/fs/cgroup/cpu/tasks

              mkdir /sys/fs/cgroup/cpu/daemons
              chown root:operator /sys/fs/cgroup/cpu/daemons/*
              chown root:daemonmaster /sys/fs/cgroup/cpu/daemons/tasks

       Users  which  are  members  of  the  operator  group are allowed to administer the control
       groups, i.e. create new control groups and move processes  between  these  groups  without
       having root privileges.

       Members  of  the  daemonmaster  group can move processes to the daemons control group, but
       they can not move the process out of the group. Only the operator or root can do that.

   Example 7
       The configuration file:

              mount {
                     cpu = /sys/fs/cgroup/cpu;
                     cpuacct = /sys/fs/cgroup/cpuacct;
              }

              group students {
                     cpuacct{
                     }
                     cpu {
                     }
              }

              template students/%u {
                     cpuacct{
                     }
                     cpu {
                     }
              }

              mkdir /sys/fs/cgroup/cpu/daemons
              mkdir /sys/fs/cgroup/cpuacct/daemons

       The situation is the similar as in Example 4. The only difference is  template,  which  is
       used if some rule uses "/students/%u" as a destination.

   Example 8
       The configuration file:

              mount {
                     "cpu,nodev,nosuid,noexec" = /mnt/cgroups/cpu;
              }

       This  is the same as mount -t cgroup cgroup -o nodev,nosuid,noexec,cpu /mnt/cgroups/cpu It
       mounts the cpu controller with MS_NODEV, MS_NOSUID and MS_NOEXEC options passed.

RECOMMENDATIONS

   Keep hierarchies separated
       Having multiple hierarchies is perfectly valid and can be useful in various scenarios.  To
       keeps things clean, do not create one group in multiple hierarchies. Examples 4 and 5 show
       how  unreadable  and  confusing  it  can  be,  especially  when  reading  somebody   elses
       configuration file.

   Explicit is better than implicit
       libcgroup  can  implicitly  create  groups which are needed for the creation of configured
       subgroups. This may be useful and save some typing in simple scenarios. When it  comes  to
       multiple  hierarchies,  it's  better  to explicitly specify all groups and all controllers
       related to them.

FILES

       /etc/cgconfig.conf
              default libcgroup configuration file

       /etc/cgconfig.d/
              default libcgroup configuration files directory

SEE ALSO

       cgconfigparser (8)

BUGS

       Parameter values must be single strings without spaces.  Parsing of quoted strings is  not
       implemented.

                                                                                 CGCONFIG.CONF(5)