blob: dc5e2dcdbef40b344f373614220460ebe079f768 [file] [log] [blame]
Tejun Heo6c292092015-11-16 11:13:34 -05001
2Control Group v2
3
4October, 2015 Tejun Heo <tj@kernel.org>
5
6This is the authoritative documentation on the design, interface and
7conventions of cgroup v2. It describes all userland-visible aspects
8of cgroup including core and specific controller behaviors. All
9future changes must be reflected in this document. Documentation for
W. Trevor King9a2ddda2016-01-27 13:01:52 -080010v1 is available under Documentation/cgroup-v1/.
Tejun Heo6c292092015-11-16 11:13:34 -050011
12CONTENTS
13
141. Introduction
15 1-1. Terminology
16 1-2. What is cgroup?
172. Basic Operations
18 2-1. Mounting
19 2-2. Organizing Processes
20 2-3. [Un]populated Notification
21 2-4. Controlling Controllers
22 2-4-1. Enabling and Disabling
23 2-4-2. Top-down Constraint
24 2-4-3. No Internal Process Constraint
25 2-5. Delegation
26 2-5-1. Model of Delegation
27 2-5-2. Delegation Containment
28 2-6. Guidelines
29 2-6-1. Organize Once and Control
30 2-6-2. Avoid Name Collisions
313. Resource Distribution Models
32 3-1. Weights
33 3-2. Limits
34 3-3. Protections
35 3-4. Allocations
364. Interface Files
37 4-1. Format
38 4-2. Conventions
39 4-3. Core Interface Files
405. Controllers
41 5-1. CPU
42 5-1-1. CPU Interface Files
43 5-2. Memory
44 5-2-1. Memory Interface Files
45 5-2-2. Usage Guidelines
46 5-2-3. Memory Ownership
47 5-3. IO
48 5-3-1. IO Interface Files
49 5-3-2. Writeback
Hans Ragas20c56e52017-01-10 17:42:34 +000050 5-4. PID
51 5-4-1. PID Interface Files
Tejun Heo63f1ca52017-02-02 13:50:35 -050052 5-5. RDMA
53 5-5-1. RDMA Interface Files
54 5-6. Misc
55 5-6-1. perf_event
Serge Hallynd4021f62016-01-29 02:54:10 -0600566. Namespace
57 6-1. Basics
58 6-2. The Root and Views
59 6-3. Migration and setns(2)
60 6-4. Interaction with Other Namespaces
Tejun Heo6c292092015-11-16 11:13:34 -050061P. Information on Kernel Programming
62 P-1. Filesystem Support for Writeback
63D. Deprecated v1 Core Features
64R. Issues with v1 and Rationales for v2
65 R-1. Multiple Hierarchies
66 R-2. Thread Granularity
67 R-3. Competition Between Inner Nodes and Threads
68 R-4. Other Interface Issues
69 R-5. Controller Issues and Remedies
70 R-5-1. Memory
71
72
731. Introduction
74
751-1. Terminology
76
77"cgroup" stands for "control group" and is never capitalized. The
78singular form is used to designate the whole feature and also as a
79qualifier as in "cgroup controllers". When explicitly referring to
80multiple individual control groups, the plural form "cgroups" is used.
81
82
831-2. What is cgroup?
84
85cgroup is a mechanism to organize processes hierarchically and
86distribute system resources along the hierarchy in a controlled and
87configurable manner.
88
89cgroup is largely composed of two parts - the core and controllers.
90cgroup core is primarily responsible for hierarchically organizing
91processes. A cgroup controller is usually responsible for
92distributing a specific type of system resource along the hierarchy
93although there are utility controllers which serve purposes other than
94resource distribution.
95
96cgroups form a tree structure and every process in the system belongs
97to one and only one cgroup. All threads of a process belong to the
98same cgroup. On creation, all processes are put in the cgroup that
99the parent process belongs to at the time. A process can be migrated
100to another cgroup. Migration of a process doesn't affect already
101existing descendant processes.
102
103Following certain structural constraints, controllers may be enabled or
104disabled selectively on a cgroup. All controller behaviors are
105hierarchical - if a controller is enabled on a cgroup, it affects all
106processes which belong to the cgroups consisting the inclusive
107sub-hierarchy of the cgroup. When a controller is enabled on a nested
108cgroup, it always restricts the resource distribution further. The
109restrictions set closer to the root in the hierarchy can not be
110overridden from further away.
111
112
1132. Basic Operations
114
1152-1. Mounting
116
117Unlike v1, cgroup v2 has only single hierarchy. The cgroup v2
118hierarchy can be mounted with the following mount command.
119
120 # mount -t cgroup2 none $MOUNT_POINT
121
122cgroup2 filesystem has the magic number 0x63677270 ("cgrp"). All
123controllers which support v2 and are not bound to a v1 hierarchy are
124automatically bound to the v2 hierarchy and show up at the root.
125Controllers which are not in active use in the v2 hierarchy can be
126bound to other hierarchies. This allows mixing v2 hierarchy with the
127legacy v1 multiple hierarchies in a fully backward compatible way.
128
129A controller can be moved across hierarchies only after the controller
130is no longer referenced in its current hierarchy. Because per-cgroup
131controller states are destroyed asynchronously and controllers may
132have lingering references, a controller may not show up immediately on
133the v2 hierarchy after the final umount of the previous hierarchy.
134Similarly, a controller should be fully disabled to be moved out of
135the unified hierarchy and it may take some time for the disabled
136controller to become available for other hierarchies; furthermore, due
137to inter-controller dependencies, other controllers may need to be
138disabled too.
139
140While useful for development and manual configurations, moving
141controllers dynamically between the v2 and other hierarchies is
142strongly discouraged for production use. It is recommended to decide
143the hierarchies and controller associations before starting using the
144controllers after system boot.
145
Johannes Weiner1619b6d2016-02-16 13:21:14 -0500146During transition to v2, system management software might still
147automount the v1 cgroup filesystem and so hijack all controllers
148during boot, before manual intervention is possible. To make testing
149and experimenting easier, the kernel parameter cgroup_no_v1= allows
150disabling controllers in v1 and make them always available in v2.
151
Tejun Heo6c292092015-11-16 11:13:34 -0500152
1532-2. Organizing Processes
154
155Initially, only the root cgroup exists to which all processes belong.
156A child cgroup can be created by creating a sub-directory.
157
158 # mkdir $CGROUP_NAME
159
160A given cgroup may have multiple child cgroups forming a tree
161structure. Each cgroup has a read-writable interface file
162"cgroup.procs". When read, it lists the PIDs of all processes which
163belong to the cgroup one-per-line. The PIDs are not ordered and the
164same PID may show up more than once if the process got moved to
165another cgroup and then back or the PID got recycled while reading.
166
167A process can be migrated into a cgroup by writing its PID to the
168target cgroup's "cgroup.procs" file. Only one process can be migrated
169on a single write(2) call. If a process is composed of multiple
170threads, writing the PID of any thread migrates all threads of the
171process.
172
173When a process forks a child process, the new process is born into the
174cgroup that the forking process belongs to at the time of the
175operation. After exit, a process stays associated with the cgroup
176that it belonged to at the time of exit until it's reaped; however, a
177zombie process does not appear in "cgroup.procs" and thus can't be
178moved to another cgroup.
179
180A cgroup which doesn't have any children or live processes can be
181destroyed by removing the directory. Note that a cgroup which doesn't
182have any children and is associated only with zombie processes is
183considered empty and can be removed.
184
185 # rmdir $CGROUP_NAME
186
187"/proc/$PID/cgroup" lists a process's cgroup membership. If legacy
188cgroup is in use in the system, this file may contain multiple lines,
189one for each hierarchy. The entry for cgroup v2 is always in the
190format "0::$PATH".
191
192 # cat /proc/842/cgroup
193 ...
194 0::/test-cgroup/test-cgroup-nested
195
196If the process becomes a zombie and the cgroup it was associated with
197is removed subsequently, " (deleted)" is appended to the path.
198
199 # cat /proc/842/cgroup
200 ...
201 0::/test-cgroup/test-cgroup-nested (deleted)
202
203
2042-3. [Un]populated Notification
205
206Each non-root cgroup has a "cgroup.events" file which contains
207"populated" field indicating whether the cgroup's sub-hierarchy has
208live processes in it. Its value is 0 if there is no live process in
209the cgroup and its descendants; otherwise, 1. poll and [id]notify
210events are triggered when the value changes. This can be used, for
211example, to start a clean-up operation after all processes of a given
212sub-hierarchy have exited. The populated state updates and
213notifications are recursive. Consider the following sub-hierarchy
214where the numbers in the parentheses represent the numbers of processes
215in each cgroup.
216
217 A(4) - B(0) - C(1)
218 \ D(0)
219
220A, B and C's "populated" fields would be 1 while D's 0. After the one
221process in C exits, B and C's "populated" fields would flip to "0" and
222file modified events will be generated on the "cgroup.events" files of
223both cgroups.
224
225
2262-4. Controlling Controllers
227
2282-4-1. Enabling and Disabling
229
230Each cgroup has a "cgroup.controllers" file which lists all
231controllers available for the cgroup to enable.
232
233 # cat cgroup.controllers
234 cpu io memory
235
236No controller is enabled by default. Controllers can be enabled and
237disabled by writing to the "cgroup.subtree_control" file.
238
239 # echo "+cpu +memory -io" > cgroup.subtree_control
240
241Only controllers which are listed in "cgroup.controllers" can be
242enabled. When multiple operations are specified as above, either they
243all succeed or fail. If multiple operations on the same controller
244are specified, the last one is effective.
245
246Enabling a controller in a cgroup indicates that the distribution of
247the target resource across its immediate children will be controlled.
248Consider the following sub-hierarchy. The enabled controllers are
249listed in parentheses.
250
251 A(cpu,memory) - B(memory) - C()
252 \ D()
253
254As A has "cpu" and "memory" enabled, A will control the distribution
255of CPU cycles and memory to its children, in this case, B. As B has
256"memory" enabled but not "CPU", C and D will compete freely on CPU
257cycles but their division of memory available to B will be controlled.
258
259As a controller regulates the distribution of the target resource to
260the cgroup's children, enabling it creates the controller's interface
261files in the child cgroups. In the above example, enabling "cpu" on B
262would create the "cpu." prefixed controller interface files in C and
263D. Likewise, disabling "memory" from B would remove the "memory."
264prefixed controller interface files from C and D. This means that the
265controller interface files - anything which doesn't start with
266"cgroup." are owned by the parent rather than the cgroup itself.
267
268
2692-4-2. Top-down Constraint
270
271Resources are distributed top-down and a cgroup can further distribute
272a resource only if the resource has been distributed to it from the
273parent. This means that all non-root "cgroup.subtree_control" files
274can only contain controllers which are enabled in the parent's
275"cgroup.subtree_control" file. A controller can be enabled only if
276the parent has the controller enabled and a controller can't be
277disabled if one or more children have it enabled.
278
279
2802-4-3. No Internal Process Constraint
281
282Non-root cgroups can only distribute resources to their children when
283they don't have any processes of their own. In other words, only
284cgroups which don't contain any processes can have controllers enabled
285in their "cgroup.subtree_control" files.
286
287This guarantees that, when a controller is looking at the part of the
288hierarchy which has it enabled, processes are always only on the
289leaves. This rules out situations where child cgroups compete against
290internal processes of the parent.
291
292The root cgroup is exempt from this restriction. Root contains
293processes and anonymous resource consumption which can't be associated
294with any other cgroups and requires special treatment from most
295controllers. How resource consumption in the root cgroup is governed
296is up to each controller.
297
298Note that the restriction doesn't get in the way if there is no
299enabled controller in the cgroup's "cgroup.subtree_control". This is
300important as otherwise it wouldn't be possible to create children of a
301populated cgroup. To control resource distribution of a cgroup, the
302cgroup must create children and transfer all its processes to the
303children before enabling controllers in its "cgroup.subtree_control"
304file.
305
306
3072-5. Delegation
308
3092-5-1. Model of Delegation
310
311A cgroup can be delegated to a less privileged user by granting write
312access of the directory and its "cgroup.procs" file to the user. Note
313that resource control interface files in a given directory control the
314distribution of the parent's resources and thus must not be delegated
315along with the directory.
316
317Once delegated, the user can build sub-hierarchy under the directory,
318organize processes as it sees fit and further distribute the resources
319it received from the parent. The limits and other settings of all
320resource controllers are hierarchical and regardless of what happens
321in the delegated sub-hierarchy, nothing can escape the resource
322restrictions imposed by the parent.
323
324Currently, cgroup doesn't impose any restrictions on the number of
325cgroups in or nesting depth of a delegated sub-hierarchy; however,
326this may be limited explicitly in the future.
327
328
3292-5-2. Delegation Containment
330
331A delegated sub-hierarchy is contained in the sense that processes
332can't be moved into or out of the sub-hierarchy by the delegatee. For
333a process with a non-root euid to migrate a target process into a
334cgroup by writing its PID to the "cgroup.procs" file, the following
335conditions must be met.
336
Tejun Heo6c292092015-11-16 11:13:34 -0500337- The writer must have write access to the "cgroup.procs" file.
338
339- The writer must have write access to the "cgroup.procs" file of the
340 common ancestor of the source and destination cgroups.
341
Tejun Heo576dd462017-01-20 11:29:54 -0500342The above two constraints ensure that while a delegatee may migrate
Tejun Heo6c292092015-11-16 11:13:34 -0500343processes around freely in the delegated sub-hierarchy it can't pull
344in from or push out to outside the sub-hierarchy.
345
346For an example, let's assume cgroups C0 and C1 have been delegated to
347user U0 who created C00, C01 under C0 and C10 under C1 as follows and
348all processes under C0 and C1 belong to U0.
349
350 ~~~~~~~~~~~~~ - C0 - C00
351 ~ cgroup ~ \ C01
352 ~ hierarchy ~
353 ~~~~~~~~~~~~~ - C1 - C10
354
355Let's also say U0 wants to write the PID of a process which is
356currently in C10 into "C00/cgroup.procs". U0 has write access to the
Tejun Heo576dd462017-01-20 11:29:54 -0500357file; however, the common ancestor of the source cgroup C10 and the
358destination cgroup C00 is above the points of delegation and U0 would
359not have write access to its "cgroup.procs" files and thus the write
360will be denied with -EACCES.
Tejun Heo6c292092015-11-16 11:13:34 -0500361
362
3632-6. Guidelines
364
3652-6-1. Organize Once and Control
366
367Migrating a process across cgroups is a relatively expensive operation
368and stateful resources such as memory are not moved together with the
369process. This is an explicit design decision as there often exist
370inherent trade-offs between migration and various hot paths in terms
371of synchronization cost.
372
373As such, migrating processes across cgroups frequently as a means to
374apply different resource restrictions is discouraged. A workload
375should be assigned to a cgroup according to the system's logical and
376resource structure once on start-up. Dynamic adjustments to resource
377distribution can be made by changing controller configuration through
378the interface files.
379
380
3812-6-2. Avoid Name Collisions
382
383Interface files for a cgroup and its children cgroups occupy the same
384directory and it is possible to create children cgroups which collide
385with interface files.
386
387All cgroup core interface files are prefixed with "cgroup." and each
388controller's interface files are prefixed with the controller name and
389a dot. A controller's name is composed of lower case alphabets and
390'_'s but never begins with an '_' so it can be used as the prefix
391character for collision avoidance. Also, interface file names won't
392start or end with terms which are often used in categorizing workloads
393such as job, service, slice, unit or workload.
394
395cgroup doesn't do anything to prevent name collisions and it's the
396user's responsibility to avoid them.
397
398
3993. Resource Distribution Models
400
401cgroup controllers implement several resource distribution schemes
402depending on the resource type and expected use cases. This section
403describes major schemes in use along with their expected behaviors.
404
405
4063-1. Weights
407
408A parent's resource is distributed by adding up the weights of all
409active children and giving each the fraction matching the ratio of its
410weight against the sum. As only children which can make use of the
411resource at the moment participate in the distribution, this is
412work-conserving. Due to the dynamic nature, this model is usually
413used for stateless resources.
414
415All weights are in the range [1, 10000] with the default at 100. This
416allows symmetric multiplicative biases in both directions at fine
417enough granularity while staying in the intuitive range.
418
419As long as the weight is in range, all configuration combinations are
420valid and there is no reason to reject configuration changes or
421process migrations.
422
423"cpu.weight" proportionally distributes CPU cycles to active children
424and is an example of this type.
425
426
4273-2. Limits
428
429A child can only consume upto the configured amount of the resource.
430Limits can be over-committed - the sum of the limits of children can
431exceed the amount of resource available to the parent.
432
433Limits are in the range [0, max] and defaults to "max", which is noop.
434
435As limits can be over-committed, all configuration combinations are
436valid and there is no reason to reject configuration changes or
437process migrations.
438
439"io.max" limits the maximum BPS and/or IOPS that a cgroup can consume
440on an IO device and is an example of this type.
441
442
4433-3. Protections
444
445A cgroup is protected to be allocated upto the configured amount of
446the resource if the usages of all its ancestors are under their
447protected levels. Protections can be hard guarantees or best effort
448soft boundaries. Protections can also be over-committed in which case
449only upto the amount available to the parent is protected among
450children.
451
452Protections are in the range [0, max] and defaults to 0, which is
453noop.
454
455As protections can be over-committed, all configuration combinations
456are valid and there is no reason to reject configuration changes or
457process migrations.
458
459"memory.low" implements best-effort memory protection and is an
460example of this type.
461
462
4633-4. Allocations
464
465A cgroup is exclusively allocated a certain amount of a finite
466resource. Allocations can't be over-committed - the sum of the
467allocations of children can not exceed the amount of resource
468available to the parent.
469
470Allocations are in the range [0, max] and defaults to 0, which is no
471resource.
472
473As allocations can't be over-committed, some configuration
474combinations are invalid and should be rejected. Also, if the
475resource is mandatory for execution of processes, process migrations
476may be rejected.
477
478"cpu.rt.max" hard-allocates realtime slices and is an example of this
479type.
480
481
4824. Interface Files
483
4844-1. Format
485
486All interface files should be in one of the following formats whenever
487possible.
488
489 New-line separated values
490 (when only one value can be written at once)
491
492 VAL0\n
493 VAL1\n
494 ...
495
496 Space separated values
497 (when read-only or multiple values can be written at once)
498
499 VAL0 VAL1 ...\n
500
501 Flat keyed
502
503 KEY0 VAL0\n
504 KEY1 VAL1\n
505 ...
506
507 Nested keyed
508
509 KEY0 SUB_KEY0=VAL00 SUB_KEY1=VAL01...
510 KEY1 SUB_KEY0=VAL10 SUB_KEY1=VAL11...
511 ...
512
513For a writable file, the format for writing should generally match
514reading; however, controllers may allow omitting later fields or
515implement restricted shortcuts for most common use cases.
516
517For both flat and nested keyed files, only the values for a single key
518can be written at a time. For nested keyed files, the sub key pairs
519may be specified in any order and not all pairs have to be specified.
520
521
5224-2. Conventions
523
524- Settings for a single feature should be contained in a single file.
525
526- The root cgroup should be exempt from resource control and thus
527 shouldn't have resource control interface files. Also,
528 informational files on the root cgroup which end up showing global
529 information available elsewhere shouldn't exist.
530
531- If a controller implements weight based resource distribution, its
532 interface file should be named "weight" and have the range [1,
533 10000] with 100 as the default. The values are chosen to allow
534 enough and symmetric bias in both directions while keeping it
535 intuitive (the default is 100%).
536
537- If a controller implements an absolute resource guarantee and/or
538 limit, the interface files should be named "min" and "max"
539 respectively. If a controller implements best effort resource
540 guarantee and/or limit, the interface files should be named "low"
541 and "high" respectively.
542
543 In the above four control files, the special token "max" should be
544 used to represent upward infinity for both reading and writing.
545
546- If a setting has a configurable default value and keyed specific
547 overrides, the default entry should be keyed with "default" and
548 appear as the first entry in the file.
549
550 The default value can be updated by writing either "default $VAL" or
551 "$VAL".
552
553 When writing to update a specific override, "default" can be used as
554 the value to indicate removal of the override. Override entries
555 with "default" as the value must not appear when read.
556
557 For example, a setting which is keyed by major:minor device numbers
558 with integer values may look like the following.
559
560 # cat cgroup-example-interface-file
561 default 150
562 8:0 300
563
564 The default value can be updated by
565
566 # echo 125 > cgroup-example-interface-file
567
568 or
569
570 # echo "default 125" > cgroup-example-interface-file
571
572 An override can be set by
573
574 # echo "8:16 170" > cgroup-example-interface-file
575
576 and cleared by
577
578 # echo "8:0 default" > cgroup-example-interface-file
579 # cat cgroup-example-interface-file
580 default 125
581 8:16 170
582
583- For events which are not very high frequency, an interface file
584 "events" should be created which lists event key value pairs.
585 Whenever a notifiable event happens, file modified event should be
586 generated on the file.
587
588
5894-3. Core Interface Files
590
591All cgroup core files are prefixed with "cgroup."
592
593 cgroup.procs
594
595 A read-write new-line separated values file which exists on
596 all cgroups.
597
598 When read, it lists the PIDs of all processes which belong to
599 the cgroup one-per-line. The PIDs are not ordered and the
600 same PID may show up more than once if the process got moved
601 to another cgroup and then back or the PID got recycled while
602 reading.
603
604 A PID can be written to migrate the process associated with
605 the PID to the cgroup. The writer should match all of the
606 following conditions.
607
608 - Its euid is either root or must match either uid or suid of
609 the target process.
610
611 - It must have write access to the "cgroup.procs" file.
612
613 - It must have write access to the "cgroup.procs" file of the
614 common ancestor of the source and destination cgroups.
615
616 When delegating a sub-hierarchy, write access to this file
617 should be granted along with the containing directory.
618
619 cgroup.controllers
620
621 A read-only space separated values file which exists on all
622 cgroups.
623
624 It shows space separated list of all controllers available to
625 the cgroup. The controllers are not ordered.
626
627 cgroup.subtree_control
628
629 A read-write space separated values file which exists on all
630 cgroups. Starts out empty.
631
632 When read, it shows space separated list of the controllers
633 which are enabled to control resource distribution from the
634 cgroup to its children.
635
636 Space separated list of controllers prefixed with '+' or '-'
637 can be written to enable or disable controllers. A controller
638 name prefixed with '+' enables the controller and '-'
639 disables. If a controller appears more than once on the list,
640 the last one is effective. When multiple enable and disable
641 operations are specified, either all succeed or all fail.
642
643 cgroup.events
644
645 A read-only flat-keyed file which exists on non-root cgroups.
646 The following entries are defined. Unless specified
647 otherwise, a value change in this file generates a file
648 modified event.
649
650 populated
651
652 1 if the cgroup or its descendants contains any live
653 processes; otherwise, 0.
654
655
6565. Controllers
657
6585-1. CPU
659
660[NOTE: The interface for the cpu controller hasn't been merged yet]
661
662The "cpu" controllers regulates distribution of CPU cycles. This
663controller implements weight and absolute bandwidth limit models for
664normal scheduling policy and absolute bandwidth allocation model for
665realtime scheduling policy.
666
667
6685-1-1. CPU Interface Files
669
670All time durations are in microseconds.
671
672 cpu.stat
673
674 A read-only flat-keyed file which exists on non-root cgroups.
675
676 It reports the following six stats.
677
678 usage_usec
679 user_usec
680 system_usec
681 nr_periods
682 nr_throttled
683 throttled_usec
684
685 cpu.weight
686
687 A read-write single value file which exists on non-root
688 cgroups. The default is "100".
689
690 The weight in the range [1, 10000].
691
692 cpu.max
693
694 A read-write two value file which exists on non-root cgroups.
695 The default is "max 100000".
696
697 The maximum bandwidth limit. It's in the following format.
698
699 $MAX $PERIOD
700
701 which indicates that the group may consume upto $MAX in each
702 $PERIOD duration. "max" for $MAX indicates no limit. If only
703 one number is written, $MAX is updated.
704
705 cpu.rt.max
706
707 [NOTE: The semantics of this file is still under discussion and the
708 interface hasn't been merged yet]
709
710 A read-write two value file which exists on all cgroups.
711 The default is "0 100000".
712
713 The maximum realtime runtime allocation. Over-committing
714 configurations are disallowed and process migrations are
715 rejected if not enough bandwidth is available. It's in the
716 following format.
717
718 $MAX $PERIOD
719
720 which indicates that the group may consume upto $MAX in each
721 $PERIOD duration. If only one number is written, $MAX is
722 updated.
723
724
7255-2. Memory
726
727The "memory" controller regulates distribution of memory. Memory is
728stateful and implements both limit and protection models. Due to the
729intertwining between memory usage and reclaim pressure and the
730stateful nature of memory, the distribution model is relatively
731complex.
732
733While not completely water-tight, all major memory usages by a given
734cgroup are tracked so that the total memory consumption can be
735accounted and controlled to a reasonable extent. Currently, the
736following types of memory usages are tracked.
737
738- Userland memory - page cache and anonymous memory.
739
740- Kernel data structures such as dentries and inodes.
741
742- TCP socket buffers.
743
744The above list may expand in the future for better coverage.
745
746
7475-2-1. Memory Interface Files
748
749All memory amounts are in bytes. If a value which is not aligned to
750PAGE_SIZE is written, the value may be rounded up to the closest
751PAGE_SIZE multiple when read back.
752
753 memory.current
754
755 A read-only single value file which exists on non-root
756 cgroups.
757
758 The total amount of memory currently being used by the cgroup
759 and its descendants.
760
761 memory.low
762
763 A read-write single value file which exists on non-root
764 cgroups. The default is "0".
765
766 Best-effort memory protection. If the memory usages of a
767 cgroup and all its ancestors are below their low boundaries,
768 the cgroup's memory won't be reclaimed unless memory can be
769 reclaimed from unprotected cgroups.
770
771 Putting more memory than generally available under this
772 protection is discouraged.
773
774 memory.high
775
776 A read-write single value file which exists on non-root
777 cgroups. The default is "max".
778
779 Memory usage throttle limit. This is the main mechanism to
780 control memory usage of a cgroup. If a cgroup's usage goes
781 over the high boundary, the processes of the cgroup are
782 throttled and put under heavy reclaim pressure.
783
784 Going over the high limit never invokes the OOM killer and
785 under extreme conditions the limit may be breached.
786
787 memory.max
788
789 A read-write single value file which exists on non-root
790 cgroups. The default is "max".
791
792 Memory usage hard limit. This is the final protection
793 mechanism. If a cgroup's memory usage reaches this limit and
794 can't be reduced, the OOM killer is invoked in the cgroup.
795 Under certain circumstances, the usage may go over the limit
796 temporarily.
797
798 This is the ultimate protection mechanism. As long as the
799 high limit is used and monitored properly, this limit's
800 utility is limited to providing the final safety net.
801
802 memory.events
803
804 A read-only flat-keyed file which exists on non-root cgroups.
805 The following entries are defined. Unless specified
806 otherwise, a value change in this file generates a file
807 modified event.
808
809 low
810
811 The number of times the cgroup is reclaimed due to
812 high memory pressure even though its usage is under
813 the low boundary. This usually indicates that the low
814 boundary is over-committed.
815
816 high
817
818 The number of times processes of the cgroup are
819 throttled and routed to perform direct memory reclaim
820 because the high memory boundary was exceeded. For a
821 cgroup whose memory usage is capped by the high limit
822 rather than global memory pressure, this event's
823 occurrences are expected.
824
825 max
826
827 The number of times the cgroup's memory usage was
828 about to go over the max boundary. If direct reclaim
829 fails to bring it down, the OOM killer is invoked.
830
831 oom
832
833 The number of times the OOM killer has been invoked in
834 the cgroup. This may not exactly match the number of
835 processes killed but should generally be close.
836
Johannes Weiner587d9f72016-01-20 15:03:19 -0800837 memory.stat
838
839 A read-only flat-keyed file which exists on non-root cgroups.
840
841 This breaks down the cgroup's memory footprint into different
842 types of memory, type-specific details, and other information
843 on the state and past events of the memory management system.
844
845 All memory amounts are in bytes.
846
847 The entries are ordered to be human readable, and new entries
848 can show up in the middle. Don't rely on items remaining in a
849 fixed position; use the keys to look up specific values!
850
851 anon
852
853 Amount of memory used in anonymous mappings such as
854 brk(), sbrk(), and mmap(MAP_ANONYMOUS)
855
856 file
857
858 Amount of memory used to cache filesystem data,
859 including tmpfs and shared memory.
860
Vladimir Davydov12580e42016-03-17 14:17:38 -0700861 kernel_stack
862
863 Amount of memory allocated to kernel stacks.
864
Vladimir Davydov27ee57c2016-03-17 14:17:35 -0700865 slab
866
867 Amount of memory used for storing in-kernel data
868 structures.
869
Johannes Weiner4758e192016-02-02 16:57:41 -0800870 sock
871
872 Amount of memory used in network transmission buffers
873
Johannes Weiner9a4caf12017-05-03 14:52:45 -0700874 shmem
875
876 Amount of cached filesystem data that is swap-backed,
877 such as tmpfs, shm segments, shared anonymous mmap()s
878
Johannes Weiner587d9f72016-01-20 15:03:19 -0800879 file_mapped
880
881 Amount of cached filesystem data mapped with mmap()
882
883 file_dirty
884
885 Amount of cached filesystem data that was modified but
886 not yet written back to disk
887
888 file_writeback
889
890 Amount of cached filesystem data that was modified and
891 is currently being written back to disk
892
893 inactive_anon
894 active_anon
895 inactive_file
896 active_file
897 unevictable
898
899 Amount of memory, swap-backed and filesystem-backed,
900 on the internal memory management lists used by the
901 page reclaim algorithm
902
Vladimir Davydov27ee57c2016-03-17 14:17:35 -0700903 slab_reclaimable
904
905 Part of "slab" that might be reclaimed, such as
906 dentries and inodes.
907
908 slab_unreclaimable
909
910 Part of "slab" that cannot be reclaimed on memory
911 pressure.
912
Johannes Weiner587d9f72016-01-20 15:03:19 -0800913 pgfault
914
915 Total number of page faults incurred
916
917 pgmajfault
918
919 Number of major page faults incurred
920
Roman Gushchinb3409592017-05-12 15:47:09 -0700921 workingset_refault
922
923 Number of refaults of previously evicted pages
924
925 workingset_activate
926
927 Number of refaulted pages that were immediately activated
928
929 workingset_nodereclaim
930
931 Number of times a shadow node has been reclaimed
932
Vladimir Davydov3e24b192016-01-20 15:03:13 -0800933 memory.swap.current
934
935 A read-only single value file which exists on non-root
936 cgroups.
937
938 The total amount of swap currently being used by the cgroup
939 and its descendants.
940
941 memory.swap.max
942
943 A read-write single value file which exists on non-root
944 cgroups. The default is "max".
945
946 Swap usage hard limit. If a cgroup's swap usage reaches this
947 limit, anonymous meomry of the cgroup will not be swapped out.
948
Tejun Heo6c292092015-11-16 11:13:34 -0500949
Parav Pandit6c83e6cb2016-03-05 11:20:58 +05309505-2-2. Usage Guidelines
Tejun Heo6c292092015-11-16 11:13:34 -0500951
952"memory.high" is the main mechanism to control memory usage.
953Over-committing on high limit (sum of high limits > available memory)
954and letting global memory pressure to distribute memory according to
955usage is a viable strategy.
956
957Because breach of the high limit doesn't trigger the OOM killer but
958throttles the offending cgroup, a management agent has ample
959opportunities to monitor and take appropriate actions such as granting
960more memory or terminating the workload.
961
962Determining whether a cgroup has enough memory is not trivial as
963memory usage doesn't indicate whether the workload can benefit from
964more memory. For example, a workload which writes data received from
965network to a file can use all available memory but can also operate as
966performant with a small amount of memory. A measure of memory
967pressure - how much the workload is being impacted due to lack of
968memory - is necessary to determine whether a workload needs more
969memory; unfortunately, memory pressure monitoring mechanism isn't
970implemented yet.
971
972
9735-2-3. Memory Ownership
974
975A memory area is charged to the cgroup which instantiated it and stays
976charged to the cgroup until the area is released. Migrating a process
977to a different cgroup doesn't move the memory usages that it
978instantiated while in the previous cgroup to the new cgroup.
979
980A memory area may be used by processes belonging to different cgroups.
981To which cgroup the area will be charged is in-deterministic; however,
982over time, the memory area is likely to end up in a cgroup which has
983enough memory allowance to avoid high reclaim pressure.
984
985If a cgroup sweeps a considerable amount of memory which is expected
986to be accessed repeatedly by other cgroups, it may make sense to use
987POSIX_FADV_DONTNEED to relinquish the ownership of memory areas
988belonging to the affected files to ensure correct memory ownership.
989
990
9915-3. IO
992
993The "io" controller regulates the distribution of IO resources. This
994controller implements both weight based and absolute bandwidth or IOPS
995limit distribution; however, weight based distribution is available
996only if cfq-iosched is in use and neither scheme is available for
997blk-mq devices.
998
999
10005-3-1. IO Interface Files
1001
1002 io.stat
1003
1004 A read-only nested-keyed file which exists on non-root
1005 cgroups.
1006
1007 Lines are keyed by $MAJ:$MIN device numbers and not ordered.
1008 The following nested keys are defined.
1009
1010 rbytes Bytes read
1011 wbytes Bytes written
1012 rios Number of read IOs
1013 wios Number of write IOs
1014
1015 An example read output follows.
1016
1017 8:16 rbytes=1459200 wbytes=314773504 rios=192 wios=353
1018 8:0 rbytes=90430464 wbytes=299008000 rios=8950 wios=1252
1019
1020 io.weight
1021
1022 A read-write flat-keyed file which exists on non-root cgroups.
1023 The default is "default 100".
1024
1025 The first line is the default weight applied to devices
1026 without specific override. The rest are overrides keyed by
1027 $MAJ:$MIN device numbers and not ordered. The weights are in
1028 the range [1, 10000] and specifies the relative amount IO time
1029 the cgroup can use in relation to its siblings.
1030
1031 The default weight can be updated by writing either "default
1032 $WEIGHT" or simply "$WEIGHT". Overrides can be set by writing
1033 "$MAJ:$MIN $WEIGHT" and unset by writing "$MAJ:$MIN default".
1034
1035 An example read output follows.
1036
1037 default 100
1038 8:16 200
1039 8:0 50
1040
1041 io.max
1042
1043 A read-write nested-keyed file which exists on non-root
1044 cgroups.
1045
1046 BPS and IOPS based IO limit. Lines are keyed by $MAJ:$MIN
1047 device numbers and not ordered. The following nested keys are
1048 defined.
1049
1050 rbps Max read bytes per second
1051 wbps Max write bytes per second
1052 riops Max read IO operations per second
1053 wiops Max write IO operations per second
1054
1055 When writing, any number of nested key-value pairs can be
1056 specified in any order. "max" can be specified as the value
1057 to remove a specific limit. If the same key is specified
1058 multiple times, the outcome is undefined.
1059
1060 BPS and IOPS are measured in each IO direction and IOs are
1061 delayed if limit is reached. Temporary bursts are allowed.
1062
1063 Setting read limit at 2M BPS and write at 120 IOPS for 8:16.
1064
1065 echo "8:16 rbps=2097152 wiops=120" > io.max
1066
1067 Reading returns the following.
1068
1069 8:16 rbps=2097152 wbps=max riops=max wiops=120
1070
1071 Write IOPS limit can be removed by writing the following.
1072
1073 echo "8:16 wiops=max" > io.max
1074
1075 Reading now returns the following.
1076
1077 8:16 rbps=2097152 wbps=max riops=max wiops=max
1078
1079
10805-3-2. Writeback
1081
1082Page cache is dirtied through buffered writes and shared mmaps and
1083written asynchronously to the backing filesystem by the writeback
1084mechanism. Writeback sits between the memory and IO domains and
1085regulates the proportion of dirty memory by balancing dirtying and
1086write IOs.
1087
1088The io controller, in conjunction with the memory controller,
1089implements control of page cache writeback IOs. The memory controller
1090defines the memory domain that dirty memory ratio is calculated and
1091maintained for and the io controller defines the io domain which
1092writes out dirty pages for the memory domain. Both system-wide and
1093per-cgroup dirty memory states are examined and the more restrictive
1094of the two is enforced.
1095
1096cgroup writeback requires explicit support from the underlying
1097filesystem. Currently, cgroup writeback is implemented on ext2, ext4
1098and btrfs. On other filesystems, all writeback IOs are attributed to
1099the root cgroup.
1100
1101There are inherent differences in memory and writeback management
1102which affects how cgroup ownership is tracked. Memory is tracked per
1103page while writeback per inode. For the purpose of writeback, an
1104inode is assigned to a cgroup and all IO requests to write dirty pages
1105from the inode are attributed to that cgroup.
1106
1107As cgroup ownership for memory is tracked per page, there can be pages
1108which are associated with different cgroups than the one the inode is
1109associated with. These are called foreign pages. The writeback
1110constantly keeps track of foreign pages and, if a particular foreign
1111cgroup becomes the majority over a certain period of time, switches
1112the ownership of the inode to that cgroup.
1113
1114While this model is enough for most use cases where a given inode is
1115mostly dirtied by a single cgroup even when the main writing cgroup
1116changes over time, use cases where multiple cgroups write to a single
1117inode simultaneously are not supported well. In such circumstances, a
1118significant portion of IOs are likely to be attributed incorrectly.
1119As memory controller assigns page ownership on the first use and
1120doesn't update it until the page is released, even if writeback
1121strictly follows page ownership, multiple cgroups dirtying overlapping
1122areas wouldn't work as expected. It's recommended to avoid such usage
1123patterns.
1124
1125The sysctl knobs which affect writeback behavior are applied to cgroup
1126writeback as follows.
1127
1128 vm.dirty_background_ratio
1129 vm.dirty_ratio
1130
1131 These ratios apply the same to cgroup writeback with the
1132 amount of available memory capped by limits imposed by the
1133 memory controller and system-wide clean memory.
1134
1135 vm.dirty_background_bytes
1136 vm.dirty_bytes
1137
1138 For cgroup writeback, this is calculated into ratio against
1139 total available memory and applied the same way as
1140 vm.dirty[_background]_ratio.
1141
1142
Hans Ragas20c56e52017-01-10 17:42:34 +000011435-4. PID
1144
1145The process number controller is used to allow a cgroup to stop any
1146new tasks from being fork()'d or clone()'d after a specified limit is
1147reached.
1148
1149The number of tasks in a cgroup can be exhausted in ways which other
1150controllers cannot prevent, thus warranting its own controller. For
1151example, a fork bomb is likely to exhaust the number of tasks before
1152hitting memory restrictions.
1153
1154Note that PIDs used in this controller refer to TIDs, process IDs as
1155used by the kernel.
1156
1157
11585-4-1. PID Interface Files
1159
1160 pids.max
1161
Tobias Klauser312eb712017-02-17 18:44:11 +01001162 A read-write single value file which exists on non-root
1163 cgroups. The default is "max".
Hans Ragas20c56e52017-01-10 17:42:34 +00001164
Tobias Klauser312eb712017-02-17 18:44:11 +01001165 Hard limit of number of processes.
Hans Ragas20c56e52017-01-10 17:42:34 +00001166
1167 pids.current
1168
Tobias Klauser312eb712017-02-17 18:44:11 +01001169 A read-only single value file which exists on all cgroups.
Hans Ragas20c56e52017-01-10 17:42:34 +00001170
Tobias Klauser312eb712017-02-17 18:44:11 +01001171 The number of processes currently in the cgroup and its
1172 descendants.
Hans Ragas20c56e52017-01-10 17:42:34 +00001173
1174Organisational operations are not blocked by cgroup policies, so it is
1175possible to have pids.current > pids.max. This can be done by either
1176setting the limit to be smaller than pids.current, or attaching enough
1177processes to the cgroup such that pids.current is larger than
1178pids.max. However, it is not possible to violate a cgroup PID policy
1179through fork() or clone(). These will return -EAGAIN if the creation
1180of a new process would cause a cgroup policy to be violated.
1181
1182
Tejun Heo63f1ca52017-02-02 13:50:35 -050011835-5. RDMA
Tejun Heo968ebff2017-01-29 14:35:20 -05001184
Parav Pandit9c1e67f2017-01-10 00:02:15 +00001185The "rdma" controller regulates the distribution and accounting of
1186of RDMA resources.
1187
Tejun Heo63f1ca52017-02-02 13:50:35 -050011885-5-1. RDMA Interface Files
Parav Pandit9c1e67f2017-01-10 00:02:15 +00001189
1190 rdma.max
1191 A readwrite nested-keyed file that exists for all the cgroups
1192 except root that describes current configured resource limit
1193 for a RDMA/IB device.
1194
1195 Lines are keyed by device name and are not ordered.
1196 Each line contains space separated resource name and its configured
1197 limit that can be distributed.
1198
1199 The following nested keys are defined.
1200
1201 hca_handle Maximum number of HCA Handles
1202 hca_object Maximum number of HCA Objects
1203
1204 An example for mlx4 and ocrdma device follows.
1205
1206 mlx4_0 hca_handle=2 hca_object=2000
1207 ocrdma1 hca_handle=3 hca_object=max
1208
1209 rdma.current
1210 A read-only file that describes current resource usage.
1211 It exists for all the cgroup except root.
1212
1213 An example for mlx4 and ocrdma device follows.
1214
1215 mlx4_0 hca_handle=1 hca_object=20
1216 ocrdma1 hca_handle=1 hca_object=23
1217
1218
Tejun Heo63f1ca52017-02-02 13:50:35 -050012195-6. Misc
1220
12215-6-1. perf_event
Tejun Heo968ebff2017-01-29 14:35:20 -05001222
1223perf_event controller, if not mounted on a legacy hierarchy, is
1224automatically enabled on the v2 hierarchy so that perf events can
1225always be filtered by cgroup v2 path. The controller can still be
1226moved to a legacy hierarchy after v2 hierarchy is populated.
1227
1228
Serge Hallynd4021f62016-01-29 02:54:10 -060012296. Namespace
1230
12316-1. Basics
1232
1233cgroup namespace provides a mechanism to virtualize the view of the
1234"/proc/$PID/cgroup" file and cgroup mounts. The CLONE_NEWCGROUP clone
1235flag can be used with clone(2) and unshare(2) to create a new cgroup
1236namespace. The process running inside the cgroup namespace will have
1237its "/proc/$PID/cgroup" output restricted to cgroupns root. The
1238cgroupns root is the cgroup of the process at the time of creation of
1239the cgroup namespace.
1240
1241Without cgroup namespace, the "/proc/$PID/cgroup" file shows the
1242complete path of the cgroup of a process. In a container setup where
1243a set of cgroups and namespaces are intended to isolate processes the
1244"/proc/$PID/cgroup" file may leak potential system level information
1245to the isolated processes. For Example:
1246
1247 # cat /proc/self/cgroup
1248 0::/batchjobs/container_id1
1249
1250The path '/batchjobs/container_id1' can be considered as system-data
1251and undesirable to expose to the isolated processes. cgroup namespace
1252can be used to restrict visibility of this path. For example, before
1253creating a cgroup namespace, one would see:
1254
1255 # ls -l /proc/self/ns/cgroup
1256 lrwxrwxrwx 1 root root 0 2014-07-15 10:37 /proc/self/ns/cgroup -> cgroup:[4026531835]
1257 # cat /proc/self/cgroup
1258 0::/batchjobs/container_id1
1259
1260After unsharing a new namespace, the view changes.
1261
1262 # ls -l /proc/self/ns/cgroup
1263 lrwxrwxrwx 1 root root 0 2014-07-15 10:35 /proc/self/ns/cgroup -> cgroup:[4026532183]
1264 # cat /proc/self/cgroup
1265 0::/
1266
1267When some thread from a multi-threaded process unshares its cgroup
1268namespace, the new cgroupns gets applied to the entire process (all
1269the threads). This is natural for the v2 hierarchy; however, for the
1270legacy hierarchies, this may be unexpected.
1271
1272A cgroup namespace is alive as long as there are processes inside or
1273mounts pinning it. When the last usage goes away, the cgroup
1274namespace is destroyed. The cgroupns root and the actual cgroups
1275remain.
1276
1277
12786-2. The Root and Views
1279
1280The 'cgroupns root' for a cgroup namespace is the cgroup in which the
1281process calling unshare(2) is running. For example, if a process in
1282/batchjobs/container_id1 cgroup calls unshare, cgroup
1283/batchjobs/container_id1 becomes the cgroupns root. For the
1284init_cgroup_ns, this is the real root ('/') cgroup.
1285
1286The cgroupns root cgroup does not change even if the namespace creator
1287process later moves to a different cgroup.
1288
1289 # ~/unshare -c # unshare cgroupns in some cgroup
1290 # cat /proc/self/cgroup
1291 0::/
1292 # mkdir sub_cgrp_1
1293 # echo 0 > sub_cgrp_1/cgroup.procs
1294 # cat /proc/self/cgroup
1295 0::/sub_cgrp_1
1296
1297Each process gets its namespace-specific view of "/proc/$PID/cgroup"
1298
1299Processes running inside the cgroup namespace will be able to see
1300cgroup paths (in /proc/self/cgroup) only inside their root cgroup.
1301From within an unshared cgroupns:
1302
1303 # sleep 100000 &
1304 [1] 7353
1305 # echo 7353 > sub_cgrp_1/cgroup.procs
1306 # cat /proc/7353/cgroup
1307 0::/sub_cgrp_1
1308
1309From the initial cgroup namespace, the real cgroup path will be
1310visible:
1311
1312 $ cat /proc/7353/cgroup
1313 0::/batchjobs/container_id1/sub_cgrp_1
1314
1315From a sibling cgroup namespace (that is, a namespace rooted at a
1316different cgroup), the cgroup path relative to its own cgroup
1317namespace root will be shown. For instance, if PID 7353's cgroup
1318namespace root is at '/batchjobs/container_id2', then it will see
1319
1320 # cat /proc/7353/cgroup
1321 0::/../container_id2/sub_cgrp_1
1322
1323Note that the relative path always starts with '/' to indicate that
1324its relative to the cgroup namespace root of the caller.
1325
1326
13276-3. Migration and setns(2)
1328
1329Processes inside a cgroup namespace can move into and out of the
1330namespace root if they have proper access to external cgroups. For
1331example, from inside a namespace with cgroupns root at
1332/batchjobs/container_id1, and assuming that the global hierarchy is
1333still accessible inside cgroupns:
1334
1335 # cat /proc/7353/cgroup
1336 0::/sub_cgrp_1
1337 # echo 7353 > batchjobs/container_id2/cgroup.procs
1338 # cat /proc/7353/cgroup
1339 0::/../container_id2
1340
1341Note that this kind of setup is not encouraged. A task inside cgroup
1342namespace should only be exposed to its own cgroupns hierarchy.
1343
1344setns(2) to another cgroup namespace is allowed when:
1345
1346(a) the process has CAP_SYS_ADMIN against its current user namespace
1347(b) the process has CAP_SYS_ADMIN against the target cgroup
1348 namespace's userns
1349
1350No implicit cgroup changes happen with attaching to another cgroup
1351namespace. It is expected that the someone moves the attaching
1352process under the target cgroup namespace root.
1353
1354
13556-4. Interaction with Other Namespaces
1356
1357Namespace specific cgroup hierarchy can be mounted by a process
1358running inside a non-init cgroup namespace.
1359
1360 # mount -t cgroup2 none $MOUNT_POINT
1361
1362This will mount the unified cgroup hierarchy with cgroupns root as the
1363filesystem root. The process needs CAP_SYS_ADMIN against its user and
1364mount namespaces.
1365
1366The virtualization of /proc/self/cgroup file combined with restricting
1367the view of cgroup hierarchy by namespace-private cgroupfs mount
1368provides a properly isolated cgroup view inside the container.
1369
1370
Tejun Heo6c292092015-11-16 11:13:34 -05001371P. Information on Kernel Programming
1372
1373This section contains kernel programming information in the areas
1374where interacting with cgroup is necessary. cgroup core and
1375controllers are not covered.
1376
1377
1378P-1. Filesystem Support for Writeback
1379
1380A filesystem can support cgroup writeback by updating
1381address_space_operations->writepage[s]() to annotate bio's using the
1382following two functions.
1383
1384 wbc_init_bio(@wbc, @bio)
1385
1386 Should be called for each bio carrying writeback data and
1387 associates the bio with the inode's owner cgroup. Can be
1388 called anytime between bio allocation and submission.
1389
1390 wbc_account_io(@wbc, @page, @bytes)
1391
1392 Should be called for each data segment being written out.
1393 While this function doesn't care exactly when it's called
1394 during the writeback session, it's the easiest and most
1395 natural to call it as data segments are added to a bio.
1396
1397With writeback bio's annotated, cgroup support can be enabled per
1398super_block by setting SB_I_CGROUPWB in ->s_iflags. This allows for
1399selective disabling of cgroup writeback support which is helpful when
1400certain filesystem features, e.g. journaled data mode, are
1401incompatible.
1402
1403wbc_init_bio() binds the specified bio to its cgroup. Depending on
1404the configuration, the bio may be executed at a lower priority and if
1405the writeback session is holding shared resources, e.g. a journal
1406entry, may lead to priority inversion. There is no one easy solution
1407for the problem. Filesystems can try to work around specific problem
1408cases by skipping wbc_init_bio() or using bio_associate_blkcg()
1409directly.
1410
1411
1412D. Deprecated v1 Core Features
1413
1414- Multiple hierarchies including named ones are not supported.
1415
1416- All mount options and remounting are not supported.
1417
1418- The "tasks" file is removed and "cgroup.procs" is not sorted.
1419
1420- "cgroup.clone_children" is removed.
1421
1422- /proc/cgroups is meaningless for v2. Use "cgroup.controllers" file
1423 at the root instead.
1424
1425
1426R. Issues with v1 and Rationales for v2
1427
1428R-1. Multiple Hierarchies
1429
1430cgroup v1 allowed an arbitrary number of hierarchies and each
1431hierarchy could host any number of controllers. While this seemed to
1432provide a high level of flexibility, it wasn't useful in practice.
1433
1434For example, as there is only one instance of each controller, utility
1435type controllers such as freezer which can be useful in all
1436hierarchies could only be used in one. The issue is exacerbated by
1437the fact that controllers couldn't be moved to another hierarchy once
1438hierarchies were populated. Another issue was that all controllers
1439bound to a hierarchy were forced to have exactly the same view of the
1440hierarchy. It wasn't possible to vary the granularity depending on
1441the specific controller.
1442
1443In practice, these issues heavily limited which controllers could be
1444put on the same hierarchy and most configurations resorted to putting
1445each controller on its own hierarchy. Only closely related ones, such
1446as the cpu and cpuacct controllers, made sense to be put on the same
1447hierarchy. This often meant that userland ended up managing multiple
1448similar hierarchies repeating the same steps on each hierarchy
1449whenever a hierarchy management operation was necessary.
1450
1451Furthermore, support for multiple hierarchies came at a steep cost.
1452It greatly complicated cgroup core implementation but more importantly
1453the support for multiple hierarchies restricted how cgroup could be
1454used in general and what controllers was able to do.
1455
1456There was no limit on how many hierarchies there might be, which meant
1457that a thread's cgroup membership couldn't be described in finite
1458length. The key might contain any number of entries and was unlimited
1459in length, which made it highly awkward to manipulate and led to
1460addition of controllers which existed only to identify membership,
1461which in turn exacerbated the original problem of proliferating number
1462of hierarchies.
1463
1464Also, as a controller couldn't have any expectation regarding the
1465topologies of hierarchies other controllers might be on, each
1466controller had to assume that all other controllers were attached to
1467completely orthogonal hierarchies. This made it impossible, or at
1468least very cumbersome, for controllers to cooperate with each other.
1469
1470In most use cases, putting controllers on hierarchies which are
1471completely orthogonal to each other isn't necessary. What usually is
1472called for is the ability to have differing levels of granularity
1473depending on the specific controller. In other words, hierarchy may
1474be collapsed from leaf towards root when viewed from specific
1475controllers. For example, a given configuration might not care about
1476how memory is distributed beyond a certain level while still wanting
1477to control how CPU cycles are distributed.
1478
1479
1480R-2. Thread Granularity
1481
1482cgroup v1 allowed threads of a process to belong to different cgroups.
1483This didn't make sense for some controllers and those controllers
1484ended up implementing different ways to ignore such situations but
1485much more importantly it blurred the line between API exposed to
1486individual applications and system management interface.
1487
1488Generally, in-process knowledge is available only to the process
1489itself; thus, unlike service-level organization of processes,
1490categorizing threads of a process requires active participation from
1491the application which owns the target process.
1492
1493cgroup v1 had an ambiguously defined delegation model which got abused
1494in combination with thread granularity. cgroups were delegated to
1495individual applications so that they can create and manage their own
1496sub-hierarchies and control resource distributions along them. This
1497effectively raised cgroup to the status of a syscall-like API exposed
1498to lay programs.
1499
1500First of all, cgroup has a fundamentally inadequate interface to be
1501exposed this way. For a process to access its own knobs, it has to
1502extract the path on the target hierarchy from /proc/self/cgroup,
1503construct the path by appending the name of the knob to the path, open
1504and then read and/or write to it. This is not only extremely clunky
1505and unusual but also inherently racy. There is no conventional way to
1506define transaction across the required steps and nothing can guarantee
1507that the process would actually be operating on its own sub-hierarchy.
1508
1509cgroup controllers implemented a number of knobs which would never be
1510accepted as public APIs because they were just adding control knobs to
1511system-management pseudo filesystem. cgroup ended up with interface
1512knobs which were not properly abstracted or refined and directly
1513revealed kernel internal details. These knobs got exposed to
1514individual applications through the ill-defined delegation mechanism
1515effectively abusing cgroup as a shortcut to implementing public APIs
1516without going through the required scrutiny.
1517
1518This was painful for both userland and kernel. Userland ended up with
1519misbehaving and poorly abstracted interfaces and kernel exposing and
1520locked into constructs inadvertently.
1521
1522
1523R-3. Competition Between Inner Nodes and Threads
1524
1525cgroup v1 allowed threads to be in any cgroups which created an
1526interesting problem where threads belonging to a parent cgroup and its
1527children cgroups competed for resources. This was nasty as two
1528different types of entities competed and there was no obvious way to
1529settle it. Different controllers did different things.
1530
1531The cpu controller considered threads and cgroups as equivalents and
1532mapped nice levels to cgroup weights. This worked for some cases but
1533fell flat when children wanted to be allocated specific ratios of CPU
1534cycles and the number of internal threads fluctuated - the ratios
1535constantly changed as the number of competing entities fluctuated.
1536There also were other issues. The mapping from nice level to weight
1537wasn't obvious or universal, and there were various other knobs which
1538simply weren't available for threads.
1539
1540The io controller implicitly created a hidden leaf node for each
1541cgroup to host the threads. The hidden leaf had its own copies of all
1542the knobs with "leaf_" prefixed. While this allowed equivalent
1543control over internal threads, it was with serious drawbacks. It
1544always added an extra layer of nesting which wouldn't be necessary
1545otherwise, made the interface messy and significantly complicated the
1546implementation.
1547
1548The memory controller didn't have a way to control what happened
1549between internal tasks and child cgroups and the behavior was not
1550clearly defined. There were attempts to add ad-hoc behaviors and
1551knobs to tailor the behavior to specific workloads which would have
1552led to problems extremely difficult to resolve in the long term.
1553
1554Multiple controllers struggled with internal tasks and came up with
1555different ways to deal with it; unfortunately, all the approaches were
1556severely flawed and, furthermore, the widely different behaviors
1557made cgroup as a whole highly inconsistent.
1558
1559This clearly is a problem which needs to be addressed from cgroup core
1560in a uniform way.
1561
1562
1563R-4. Other Interface Issues
1564
1565cgroup v1 grew without oversight and developed a large number of
1566idiosyncrasies and inconsistencies. One issue on the cgroup core side
1567was how an empty cgroup was notified - a userland helper binary was
1568forked and executed for each event. The event delivery wasn't
1569recursive or delegatable. The limitations of the mechanism also led
1570to in-kernel event delivery filtering mechanism further complicating
1571the interface.
1572
1573Controller interfaces were problematic too. An extreme example is
1574controllers completely ignoring hierarchical organization and treating
1575all cgroups as if they were all located directly under the root
1576cgroup. Some controllers exposed a large amount of inconsistent
1577implementation details to userland.
1578
1579There also was no consistency across controllers. When a new cgroup
1580was created, some controllers defaulted to not imposing extra
1581restrictions while others disallowed any resource usage until
1582explicitly configured. Configuration knobs for the same type of
1583control used widely differing naming schemes and formats. Statistics
1584and information knobs were named arbitrarily and used different
1585formats and units even in the same controller.
1586
1587cgroup v2 establishes common conventions where appropriate and updates
1588controllers so that they expose minimal and consistent interfaces.
1589
1590
1591R-5. Controller Issues and Remedies
1592
1593R-5-1. Memory
1594
1595The original lower boundary, the soft limit, is defined as a limit
1596that is per default unset. As a result, the set of cgroups that
1597global reclaim prefers is opt-in, rather than opt-out. The costs for
1598optimizing these mostly negative lookups are so high that the
1599implementation, despite its enormous size, does not even provide the
1600basic desirable behavior. First off, the soft limit has no
1601hierarchical meaning. All configured groups are organized in a global
1602rbtree and treated like equal peers, regardless where they are located
1603in the hierarchy. This makes subtree delegation impossible. Second,
1604the soft limit reclaim pass is so aggressive that it not just
1605introduces high allocation latencies into the system, but also impacts
1606system performance due to overreclaim, to the point where the feature
1607becomes self-defeating.
1608
1609The memory.low boundary on the other hand is a top-down allocated
1610reserve. A cgroup enjoys reclaim protection when it and all its
1611ancestors are below their low boundaries, which makes delegation of
1612subtrees possible. Secondly, new cgroups have no reserve per default
1613and in the common case most cgroups are eligible for the preferred
1614reclaim pass. This allows the new low boundary to be efficiently
1615implemented with just a minor addition to the generic reclaim code,
1616without the need for out-of-band data structures and reclaim passes.
1617Because the generic reclaim code considers all cgroups except for the
1618ones running low in the preferred first reclaim pass, overreclaim of
1619individual groups is eliminated as well, resulting in much better
1620overall workload performance.
1621
1622The original high boundary, the hard limit, is defined as a strict
1623limit that can not budge, even if the OOM killer has to be called.
1624But this generally goes against the goal of making the most out of the
1625available memory. The memory consumption of workloads varies during
1626runtime, and that requires users to overcommit. But doing that with a
1627strict upper limit requires either a fairly accurate prediction of the
1628working set size or adding slack to the limit. Since working set size
1629estimation is hard and error prone, and getting it wrong results in
1630OOM kills, most users tend to err on the side of a looser limit and
1631end up wasting precious resources.
1632
1633The memory.high boundary on the other hand can be set much more
1634conservatively. When hit, it throttles allocations by forcing them
1635into direct reclaim to work off the excess, but it never invokes the
1636OOM killer. As a result, a high boundary that is chosen too
1637aggressively will not terminate the processes, but instead it will
1638lead to gradual performance degradation. The user can monitor this
1639and make corrections until the minimal memory footprint that still
1640gives acceptable performance is found.
1641
1642In extreme cases, with many concurrent allocations and a complete
1643breakdown of reclaim progress within the group, the high boundary can
1644be exceeded. But even then it's mostly better to satisfy the
1645allocation from the slack available in other groups or the rest of the
1646system than killing the group. Otherwise, memory.max is there to
1647limit this type of spillover and ultimately contain buggy or even
1648malicious applications.
Vladimir Davydov3e24b192016-01-20 15:03:13 -08001649
Johannes Weinerb6e6edc2016-03-17 14:20:28 -07001650Setting the original memory.limit_in_bytes below the current usage was
1651subject to a race condition, where concurrent charges could cause the
1652limit setting to fail. memory.max on the other hand will first set the
1653limit to prevent new charges, and then reclaim and OOM kill until the
1654new limit is met - or the task writing to memory.max is killed.
1655
Vladimir Davydov3e24b192016-01-20 15:03:13 -08001656The combined memory+swap accounting and limiting is replaced by real
1657control over swap space.
1658
1659The main argument for a combined memory+swap facility in the original
1660cgroup design was that global or parental pressure would always be
1661able to swap all anonymous memory of a child group, regardless of the
1662child's own (possibly untrusted) configuration. However, untrusted
1663groups can sabotage swapping by other means - such as referencing its
1664anonymous memory in a tight loop - and an admin can not assume full
1665swappability when overcommitting untrusted jobs.
1666
1667For trusted jobs, on the other hand, a combined counter is not an
1668intuitive userspace interface, and it flies in the face of the idea
1669that cgroup controllers should account and limit specific physical
1670resources. Swap space is a resource like all others in the system,
1671and that's why unified hierarchy allows distributing it separately.