Tejun Heo | 6c29209 | 2015-11-16 11:13:34 -0500 | [diff] [blame] | 1 | |
| 2 | Control Group v2 |
| 3 | |
| 4 | October, 2015 Tejun Heo <tj@kernel.org> |
| 5 | |
| 6 | This is the authoritative documentation on the design, interface and |
| 7 | conventions of cgroup v2. It describes all userland-visible aspects |
| 8 | of cgroup including core and specific controller behaviors. All |
| 9 | future changes must be reflected in this document. Documentation for |
W. Trevor King | 9a2ddda | 2016-01-27 13:01:52 -0800 | [diff] [blame] | 10 | v1 is available under Documentation/cgroup-v1/. |
Tejun Heo | 6c29209 | 2015-11-16 11:13:34 -0500 | [diff] [blame] | 11 | |
| 12 | CONTENTS |
| 13 | |
| 14 | 1. Introduction |
| 15 | 1-1. Terminology |
| 16 | 1-2. What is cgroup? |
| 17 | 2. Basic Operations |
| 18 | 2-1. Mounting |
| 19 | 2-2. Organizing Processes |
| 20 | 2-3. [Un]populated Notification |
| 21 | 2-4. Controlling Controllers |
| 22 | 2-4-1. Enabling and Disabling |
| 23 | 2-4-2. Top-down Constraint |
| 24 | 2-4-3. No Internal Process Constraint |
| 25 | 2-5. Delegation |
| 26 | 2-5-1. Model of Delegation |
| 27 | 2-5-2. Delegation Containment |
| 28 | 2-6. Guidelines |
| 29 | 2-6-1. Organize Once and Control |
| 30 | 2-6-2. Avoid Name Collisions |
| 31 | 3. Resource Distribution Models |
| 32 | 3-1. Weights |
| 33 | 3-2. Limits |
| 34 | 3-3. Protections |
| 35 | 3-4. Allocations |
| 36 | 4. Interface Files |
| 37 | 4-1. Format |
| 38 | 4-2. Conventions |
| 39 | 4-3. Core Interface Files |
| 40 | 5. Controllers |
| 41 | 5-1. CPU |
| 42 | 5-1-1. CPU Interface Files |
| 43 | 5-2. Memory |
| 44 | 5-2-1. Memory Interface Files |
| 45 | 5-2-2. Usage Guidelines |
| 46 | 5-2-3. Memory Ownership |
| 47 | 5-3. IO |
| 48 | 5-3-1. IO Interface Files |
| 49 | 5-3-2. Writeback |
Hans Ragas | 20c56e5 | 2017-01-10 17:42:34 +0000 | [diff] [blame] | 50 | 5-4. PID |
| 51 | 5-4-1. PID Interface Files |
Tejun Heo | 63f1ca5 | 2017-02-02 13:50:35 -0500 | [diff] [blame] | 52 | 5-5. RDMA |
| 53 | 5-5-1. RDMA Interface Files |
| 54 | 5-6. Misc |
| 55 | 5-6-1. perf_event |
Serge Hallyn | d4021f6 | 2016-01-29 02:54:10 -0600 | [diff] [blame] | 56 | 6. Namespace |
| 57 | 6-1. Basics |
| 58 | 6-2. The Root and Views |
| 59 | 6-3. Migration and setns(2) |
| 60 | 6-4. Interaction with Other Namespaces |
Tejun Heo | 6c29209 | 2015-11-16 11:13:34 -0500 | [diff] [blame] | 61 | P. Information on Kernel Programming |
| 62 | P-1. Filesystem Support for Writeback |
| 63 | D. Deprecated v1 Core Features |
| 64 | R. Issues with v1 and Rationales for v2 |
| 65 | R-1. Multiple Hierarchies |
| 66 | R-2. Thread Granularity |
| 67 | R-3. Competition Between Inner Nodes and Threads |
| 68 | R-4. Other Interface Issues |
| 69 | R-5. Controller Issues and Remedies |
| 70 | R-5-1. Memory |
| 71 | |
| 72 | |
| 73 | 1. Introduction |
| 74 | |
| 75 | 1-1. Terminology |
| 76 | |
| 77 | "cgroup" stands for "control group" and is never capitalized. The |
| 78 | singular form is used to designate the whole feature and also as a |
| 79 | qualifier as in "cgroup controllers". When explicitly referring to |
| 80 | multiple individual control groups, the plural form "cgroups" is used. |
| 81 | |
| 82 | |
| 83 | 1-2. What is cgroup? |
| 84 | |
| 85 | cgroup is a mechanism to organize processes hierarchically and |
| 86 | distribute system resources along the hierarchy in a controlled and |
| 87 | configurable manner. |
| 88 | |
| 89 | cgroup is largely composed of two parts - the core and controllers. |
| 90 | cgroup core is primarily responsible for hierarchically organizing |
| 91 | processes. A cgroup controller is usually responsible for |
| 92 | distributing a specific type of system resource along the hierarchy |
| 93 | although there are utility controllers which serve purposes other than |
| 94 | resource distribution. |
| 95 | |
| 96 | cgroups form a tree structure and every process in the system belongs |
| 97 | to one and only one cgroup. All threads of a process belong to the |
| 98 | same cgroup. On creation, all processes are put in the cgroup that |
| 99 | the parent process belongs to at the time. A process can be migrated |
| 100 | to another cgroup. Migration of a process doesn't affect already |
| 101 | existing descendant processes. |
| 102 | |
| 103 | Following certain structural constraints, controllers may be enabled or |
| 104 | disabled selectively on a cgroup. All controller behaviors are |
| 105 | hierarchical - if a controller is enabled on a cgroup, it affects all |
| 106 | processes which belong to the cgroups consisting the inclusive |
| 107 | sub-hierarchy of the cgroup. When a controller is enabled on a nested |
| 108 | cgroup, it always restricts the resource distribution further. The |
| 109 | restrictions set closer to the root in the hierarchy can not be |
| 110 | overridden from further away. |
| 111 | |
| 112 | |
| 113 | 2. Basic Operations |
| 114 | |
| 115 | 2-1. Mounting |
| 116 | |
| 117 | Unlike v1, cgroup v2 has only single hierarchy. The cgroup v2 |
| 118 | hierarchy can be mounted with the following mount command. |
| 119 | |
| 120 | # mount -t cgroup2 none $MOUNT_POINT |
| 121 | |
| 122 | cgroup2 filesystem has the magic number 0x63677270 ("cgrp"). All |
| 123 | controllers which support v2 and are not bound to a v1 hierarchy are |
| 124 | automatically bound to the v2 hierarchy and show up at the root. |
| 125 | Controllers which are not in active use in the v2 hierarchy can be |
| 126 | bound to other hierarchies. This allows mixing v2 hierarchy with the |
| 127 | legacy v1 multiple hierarchies in a fully backward compatible way. |
| 128 | |
| 129 | A controller can be moved across hierarchies only after the controller |
| 130 | is no longer referenced in its current hierarchy. Because per-cgroup |
| 131 | controller states are destroyed asynchronously and controllers may |
| 132 | have lingering references, a controller may not show up immediately on |
| 133 | the v2 hierarchy after the final umount of the previous hierarchy. |
| 134 | Similarly, a controller should be fully disabled to be moved out of |
| 135 | the unified hierarchy and it may take some time for the disabled |
| 136 | controller to become available for other hierarchies; furthermore, due |
| 137 | to inter-controller dependencies, other controllers may need to be |
| 138 | disabled too. |
| 139 | |
| 140 | While useful for development and manual configurations, moving |
| 141 | controllers dynamically between the v2 and other hierarchies is |
| 142 | strongly discouraged for production use. It is recommended to decide |
| 143 | the hierarchies and controller associations before starting using the |
| 144 | controllers after system boot. |
| 145 | |
Johannes Weiner | 1619b6d | 2016-02-16 13:21:14 -0500 | [diff] [blame] | 146 | During transition to v2, system management software might still |
| 147 | automount the v1 cgroup filesystem and so hijack all controllers |
| 148 | during boot, before manual intervention is possible. To make testing |
| 149 | and experimenting easier, the kernel parameter cgroup_no_v1= allows |
| 150 | disabling controllers in v1 and make them always available in v2. |
| 151 | |
Tejun Heo | 6c29209 | 2015-11-16 11:13:34 -0500 | [diff] [blame] | 152 | |
| 153 | 2-2. Organizing Processes |
| 154 | |
| 155 | Initially, only the root cgroup exists to which all processes belong. |
| 156 | A child cgroup can be created by creating a sub-directory. |
| 157 | |
| 158 | # mkdir $CGROUP_NAME |
| 159 | |
| 160 | A given cgroup may have multiple child cgroups forming a tree |
| 161 | structure. Each cgroup has a read-writable interface file |
| 162 | "cgroup.procs". When read, it lists the PIDs of all processes which |
| 163 | belong to the cgroup one-per-line. The PIDs are not ordered and the |
| 164 | same PID may show up more than once if the process got moved to |
| 165 | another cgroup and then back or the PID got recycled while reading. |
| 166 | |
| 167 | A process can be migrated into a cgroup by writing its PID to the |
| 168 | target cgroup's "cgroup.procs" file. Only one process can be migrated |
| 169 | on a single write(2) call. If a process is composed of multiple |
| 170 | threads, writing the PID of any thread migrates all threads of the |
| 171 | process. |
| 172 | |
| 173 | When a process forks a child process, the new process is born into the |
| 174 | cgroup that the forking process belongs to at the time of the |
| 175 | operation. After exit, a process stays associated with the cgroup |
| 176 | that it belonged to at the time of exit until it's reaped; however, a |
| 177 | zombie process does not appear in "cgroup.procs" and thus can't be |
| 178 | moved to another cgroup. |
| 179 | |
| 180 | A cgroup which doesn't have any children or live processes can be |
| 181 | destroyed by removing the directory. Note that a cgroup which doesn't |
| 182 | have any children and is associated only with zombie processes is |
| 183 | considered empty and can be removed. |
| 184 | |
| 185 | # rmdir $CGROUP_NAME |
| 186 | |
| 187 | "/proc/$PID/cgroup" lists a process's cgroup membership. If legacy |
| 188 | cgroup is in use in the system, this file may contain multiple lines, |
| 189 | one for each hierarchy. The entry for cgroup v2 is always in the |
| 190 | format "0::$PATH". |
| 191 | |
| 192 | # cat /proc/842/cgroup |
| 193 | ... |
| 194 | 0::/test-cgroup/test-cgroup-nested |
| 195 | |
| 196 | If the process becomes a zombie and the cgroup it was associated with |
| 197 | is removed subsequently, " (deleted)" is appended to the path. |
| 198 | |
| 199 | # cat /proc/842/cgroup |
| 200 | ... |
| 201 | 0::/test-cgroup/test-cgroup-nested (deleted) |
| 202 | |
| 203 | |
| 204 | 2-3. [Un]populated Notification |
| 205 | |
| 206 | Each non-root cgroup has a "cgroup.events" file which contains |
| 207 | "populated" field indicating whether the cgroup's sub-hierarchy has |
| 208 | live processes in it. Its value is 0 if there is no live process in |
| 209 | the cgroup and its descendants; otherwise, 1. poll and [id]notify |
| 210 | events are triggered when the value changes. This can be used, for |
| 211 | example, to start a clean-up operation after all processes of a given |
| 212 | sub-hierarchy have exited. The populated state updates and |
| 213 | notifications are recursive. Consider the following sub-hierarchy |
| 214 | where the numbers in the parentheses represent the numbers of processes |
| 215 | in each cgroup. |
| 216 | |
| 217 | A(4) - B(0) - C(1) |
| 218 | \ D(0) |
| 219 | |
| 220 | A, B and C's "populated" fields would be 1 while D's 0. After the one |
| 221 | process in C exits, B and C's "populated" fields would flip to "0" and |
| 222 | file modified events will be generated on the "cgroup.events" files of |
| 223 | both cgroups. |
| 224 | |
| 225 | |
| 226 | 2-4. Controlling Controllers |
| 227 | |
| 228 | 2-4-1. Enabling and Disabling |
| 229 | |
| 230 | Each cgroup has a "cgroup.controllers" file which lists all |
| 231 | controllers available for the cgroup to enable. |
| 232 | |
| 233 | # cat cgroup.controllers |
| 234 | cpu io memory |
| 235 | |
| 236 | No controller is enabled by default. Controllers can be enabled and |
| 237 | disabled by writing to the "cgroup.subtree_control" file. |
| 238 | |
| 239 | # echo "+cpu +memory -io" > cgroup.subtree_control |
| 240 | |
| 241 | Only controllers which are listed in "cgroup.controllers" can be |
| 242 | enabled. When multiple operations are specified as above, either they |
| 243 | all succeed or fail. If multiple operations on the same controller |
| 244 | are specified, the last one is effective. |
| 245 | |
| 246 | Enabling a controller in a cgroup indicates that the distribution of |
| 247 | the target resource across its immediate children will be controlled. |
| 248 | Consider the following sub-hierarchy. The enabled controllers are |
| 249 | listed in parentheses. |
| 250 | |
| 251 | A(cpu,memory) - B(memory) - C() |
| 252 | \ D() |
| 253 | |
| 254 | As A has "cpu" and "memory" enabled, A will control the distribution |
| 255 | of CPU cycles and memory to its children, in this case, B. As B has |
| 256 | "memory" enabled but not "CPU", C and D will compete freely on CPU |
| 257 | cycles but their division of memory available to B will be controlled. |
| 258 | |
| 259 | As a controller regulates the distribution of the target resource to |
| 260 | the cgroup's children, enabling it creates the controller's interface |
| 261 | files in the child cgroups. In the above example, enabling "cpu" on B |
| 262 | would create the "cpu." prefixed controller interface files in C and |
| 263 | D. Likewise, disabling "memory" from B would remove the "memory." |
| 264 | prefixed controller interface files from C and D. This means that the |
| 265 | controller interface files - anything which doesn't start with |
| 266 | "cgroup." are owned by the parent rather than the cgroup itself. |
| 267 | |
| 268 | |
| 269 | 2-4-2. Top-down Constraint |
| 270 | |
| 271 | Resources are distributed top-down and a cgroup can further distribute |
| 272 | a resource only if the resource has been distributed to it from the |
| 273 | parent. This means that all non-root "cgroup.subtree_control" files |
| 274 | can only contain controllers which are enabled in the parent's |
| 275 | "cgroup.subtree_control" file. A controller can be enabled only if |
| 276 | the parent has the controller enabled and a controller can't be |
| 277 | disabled if one or more children have it enabled. |
| 278 | |
| 279 | |
| 280 | 2-4-3. No Internal Process Constraint |
| 281 | |
| 282 | Non-root cgroups can only distribute resources to their children when |
| 283 | they don't have any processes of their own. In other words, only |
| 284 | cgroups which don't contain any processes can have controllers enabled |
| 285 | in their "cgroup.subtree_control" files. |
| 286 | |
| 287 | This guarantees that, when a controller is looking at the part of the |
| 288 | hierarchy which has it enabled, processes are always only on the |
| 289 | leaves. This rules out situations where child cgroups compete against |
| 290 | internal processes of the parent. |
| 291 | |
| 292 | The root cgroup is exempt from this restriction. Root contains |
| 293 | processes and anonymous resource consumption which can't be associated |
| 294 | with any other cgroups and requires special treatment from most |
| 295 | controllers. How resource consumption in the root cgroup is governed |
| 296 | is up to each controller. |
| 297 | |
| 298 | Note that the restriction doesn't get in the way if there is no |
| 299 | enabled controller in the cgroup's "cgroup.subtree_control". This is |
| 300 | important as otherwise it wouldn't be possible to create children of a |
| 301 | populated cgroup. To control resource distribution of a cgroup, the |
| 302 | cgroup must create children and transfer all its processes to the |
| 303 | children before enabling controllers in its "cgroup.subtree_control" |
| 304 | file. |
| 305 | |
| 306 | |
| 307 | 2-5. Delegation |
| 308 | |
| 309 | 2-5-1. Model of Delegation |
| 310 | |
| 311 | A cgroup can be delegated to a less privileged user by granting write |
| 312 | access of the directory and its "cgroup.procs" file to the user. Note |
| 313 | that resource control interface files in a given directory control the |
| 314 | distribution of the parent's resources and thus must not be delegated |
| 315 | along with the directory. |
| 316 | |
| 317 | Once delegated, the user can build sub-hierarchy under the directory, |
| 318 | organize processes as it sees fit and further distribute the resources |
| 319 | it received from the parent. The limits and other settings of all |
| 320 | resource controllers are hierarchical and regardless of what happens |
| 321 | in the delegated sub-hierarchy, nothing can escape the resource |
| 322 | restrictions imposed by the parent. |
| 323 | |
| 324 | Currently, cgroup doesn't impose any restrictions on the number of |
| 325 | cgroups in or nesting depth of a delegated sub-hierarchy; however, |
| 326 | this may be limited explicitly in the future. |
| 327 | |
| 328 | |
| 329 | 2-5-2. Delegation Containment |
| 330 | |
| 331 | A delegated sub-hierarchy is contained in the sense that processes |
| 332 | can't be moved into or out of the sub-hierarchy by the delegatee. For |
| 333 | a process with a non-root euid to migrate a target process into a |
| 334 | cgroup by writing its PID to the "cgroup.procs" file, the following |
| 335 | conditions must be met. |
| 336 | |
Tejun Heo | 6c29209 | 2015-11-16 11:13:34 -0500 | [diff] [blame] | 337 | - The writer must have write access to the "cgroup.procs" file. |
| 338 | |
| 339 | - The writer must have write access to the "cgroup.procs" file of the |
| 340 | common ancestor of the source and destination cgroups. |
| 341 | |
Tejun Heo | 576dd46 | 2017-01-20 11:29:54 -0500 | [diff] [blame] | 342 | The above two constraints ensure that while a delegatee may migrate |
Tejun Heo | 6c29209 | 2015-11-16 11:13:34 -0500 | [diff] [blame] | 343 | processes around freely in the delegated sub-hierarchy it can't pull |
| 344 | in from or push out to outside the sub-hierarchy. |
| 345 | |
| 346 | For an example, let's assume cgroups C0 and C1 have been delegated to |
| 347 | user U0 who created C00, C01 under C0 and C10 under C1 as follows and |
| 348 | all processes under C0 and C1 belong to U0. |
| 349 | |
| 350 | ~~~~~~~~~~~~~ - C0 - C00 |
| 351 | ~ cgroup ~ \ C01 |
| 352 | ~ hierarchy ~ |
| 353 | ~~~~~~~~~~~~~ - C1 - C10 |
| 354 | |
| 355 | Let's also say U0 wants to write the PID of a process which is |
| 356 | currently in C10 into "C00/cgroup.procs". U0 has write access to the |
Tejun Heo | 576dd46 | 2017-01-20 11:29:54 -0500 | [diff] [blame] | 357 | file; however, the common ancestor of the source cgroup C10 and the |
| 358 | destination cgroup C00 is above the points of delegation and U0 would |
| 359 | not have write access to its "cgroup.procs" files and thus the write |
| 360 | will be denied with -EACCES. |
Tejun Heo | 6c29209 | 2015-11-16 11:13:34 -0500 | [diff] [blame] | 361 | |
| 362 | |
| 363 | 2-6. Guidelines |
| 364 | |
| 365 | 2-6-1. Organize Once and Control |
| 366 | |
| 367 | Migrating a process across cgroups is a relatively expensive operation |
| 368 | and stateful resources such as memory are not moved together with the |
| 369 | process. This is an explicit design decision as there often exist |
| 370 | inherent trade-offs between migration and various hot paths in terms |
| 371 | of synchronization cost. |
| 372 | |
| 373 | As such, migrating processes across cgroups frequently as a means to |
| 374 | apply different resource restrictions is discouraged. A workload |
| 375 | should be assigned to a cgroup according to the system's logical and |
| 376 | resource structure once on start-up. Dynamic adjustments to resource |
| 377 | distribution can be made by changing controller configuration through |
| 378 | the interface files. |
| 379 | |
| 380 | |
| 381 | 2-6-2. Avoid Name Collisions |
| 382 | |
| 383 | Interface files for a cgroup and its children cgroups occupy the same |
| 384 | directory and it is possible to create children cgroups which collide |
| 385 | with interface files. |
| 386 | |
| 387 | All cgroup core interface files are prefixed with "cgroup." and each |
| 388 | controller's interface files are prefixed with the controller name and |
| 389 | a dot. A controller's name is composed of lower case alphabets and |
| 390 | '_'s but never begins with an '_' so it can be used as the prefix |
| 391 | character for collision avoidance. Also, interface file names won't |
| 392 | start or end with terms which are often used in categorizing workloads |
| 393 | such as job, service, slice, unit or workload. |
| 394 | |
| 395 | cgroup doesn't do anything to prevent name collisions and it's the |
| 396 | user's responsibility to avoid them. |
| 397 | |
| 398 | |
| 399 | 3. Resource Distribution Models |
| 400 | |
| 401 | cgroup controllers implement several resource distribution schemes |
| 402 | depending on the resource type and expected use cases. This section |
| 403 | describes major schemes in use along with their expected behaviors. |
| 404 | |
| 405 | |
| 406 | 3-1. Weights |
| 407 | |
| 408 | A parent's resource is distributed by adding up the weights of all |
| 409 | active children and giving each the fraction matching the ratio of its |
| 410 | weight against the sum. As only children which can make use of the |
| 411 | resource at the moment participate in the distribution, this is |
| 412 | work-conserving. Due to the dynamic nature, this model is usually |
| 413 | used for stateless resources. |
| 414 | |
| 415 | All weights are in the range [1, 10000] with the default at 100. This |
| 416 | allows symmetric multiplicative biases in both directions at fine |
| 417 | enough granularity while staying in the intuitive range. |
| 418 | |
| 419 | As long as the weight is in range, all configuration combinations are |
| 420 | valid and there is no reason to reject configuration changes or |
| 421 | process migrations. |
| 422 | |
| 423 | "cpu.weight" proportionally distributes CPU cycles to active children |
| 424 | and is an example of this type. |
| 425 | |
| 426 | |
| 427 | 3-2. Limits |
| 428 | |
| 429 | A child can only consume upto the configured amount of the resource. |
| 430 | Limits can be over-committed - the sum of the limits of children can |
| 431 | exceed the amount of resource available to the parent. |
| 432 | |
| 433 | Limits are in the range [0, max] and defaults to "max", which is noop. |
| 434 | |
| 435 | As limits can be over-committed, all configuration combinations are |
| 436 | valid and there is no reason to reject configuration changes or |
| 437 | process migrations. |
| 438 | |
| 439 | "io.max" limits the maximum BPS and/or IOPS that a cgroup can consume |
| 440 | on an IO device and is an example of this type. |
| 441 | |
| 442 | |
| 443 | 3-3. Protections |
| 444 | |
| 445 | A cgroup is protected to be allocated upto the configured amount of |
| 446 | the resource if the usages of all its ancestors are under their |
| 447 | protected levels. Protections can be hard guarantees or best effort |
| 448 | soft boundaries. Protections can also be over-committed in which case |
| 449 | only upto the amount available to the parent is protected among |
| 450 | children. |
| 451 | |
| 452 | Protections are in the range [0, max] and defaults to 0, which is |
| 453 | noop. |
| 454 | |
| 455 | As protections can be over-committed, all configuration combinations |
| 456 | are valid and there is no reason to reject configuration changes or |
| 457 | process migrations. |
| 458 | |
| 459 | "memory.low" implements best-effort memory protection and is an |
| 460 | example of this type. |
| 461 | |
| 462 | |
| 463 | 3-4. Allocations |
| 464 | |
| 465 | A cgroup is exclusively allocated a certain amount of a finite |
| 466 | resource. Allocations can't be over-committed - the sum of the |
| 467 | allocations of children can not exceed the amount of resource |
| 468 | available to the parent. |
| 469 | |
| 470 | Allocations are in the range [0, max] and defaults to 0, which is no |
| 471 | resource. |
| 472 | |
| 473 | As allocations can't be over-committed, some configuration |
| 474 | combinations are invalid and should be rejected. Also, if the |
| 475 | resource is mandatory for execution of processes, process migrations |
| 476 | may be rejected. |
| 477 | |
| 478 | "cpu.rt.max" hard-allocates realtime slices and is an example of this |
| 479 | type. |
| 480 | |
| 481 | |
| 482 | 4. Interface Files |
| 483 | |
| 484 | 4-1. Format |
| 485 | |
| 486 | All interface files should be in one of the following formats whenever |
| 487 | possible. |
| 488 | |
| 489 | New-line separated values |
| 490 | (when only one value can be written at once) |
| 491 | |
| 492 | VAL0\n |
| 493 | VAL1\n |
| 494 | ... |
| 495 | |
| 496 | Space separated values |
| 497 | (when read-only or multiple values can be written at once) |
| 498 | |
| 499 | VAL0 VAL1 ...\n |
| 500 | |
| 501 | Flat keyed |
| 502 | |
| 503 | KEY0 VAL0\n |
| 504 | KEY1 VAL1\n |
| 505 | ... |
| 506 | |
| 507 | Nested keyed |
| 508 | |
| 509 | KEY0 SUB_KEY0=VAL00 SUB_KEY1=VAL01... |
| 510 | KEY1 SUB_KEY0=VAL10 SUB_KEY1=VAL11... |
| 511 | ... |
| 512 | |
| 513 | For a writable file, the format for writing should generally match |
| 514 | reading; however, controllers may allow omitting later fields or |
| 515 | implement restricted shortcuts for most common use cases. |
| 516 | |
| 517 | For both flat and nested keyed files, only the values for a single key |
| 518 | can be written at a time. For nested keyed files, the sub key pairs |
| 519 | may be specified in any order and not all pairs have to be specified. |
| 520 | |
| 521 | |
| 522 | 4-2. Conventions |
| 523 | |
| 524 | - Settings for a single feature should be contained in a single file. |
| 525 | |
| 526 | - The root cgroup should be exempt from resource control and thus |
| 527 | shouldn't have resource control interface files. Also, |
| 528 | informational files on the root cgroup which end up showing global |
| 529 | information available elsewhere shouldn't exist. |
| 530 | |
| 531 | - If a controller implements weight based resource distribution, its |
| 532 | interface file should be named "weight" and have the range [1, |
| 533 | 10000] with 100 as the default. The values are chosen to allow |
| 534 | enough and symmetric bias in both directions while keeping it |
| 535 | intuitive (the default is 100%). |
| 536 | |
| 537 | - If a controller implements an absolute resource guarantee and/or |
| 538 | limit, the interface files should be named "min" and "max" |
| 539 | respectively. If a controller implements best effort resource |
| 540 | guarantee and/or limit, the interface files should be named "low" |
| 541 | and "high" respectively. |
| 542 | |
| 543 | In the above four control files, the special token "max" should be |
| 544 | used to represent upward infinity for both reading and writing. |
| 545 | |
| 546 | - If a setting has a configurable default value and keyed specific |
| 547 | overrides, the default entry should be keyed with "default" and |
| 548 | appear as the first entry in the file. |
| 549 | |
| 550 | The default value can be updated by writing either "default $VAL" or |
| 551 | "$VAL". |
| 552 | |
| 553 | When writing to update a specific override, "default" can be used as |
| 554 | the value to indicate removal of the override. Override entries |
| 555 | with "default" as the value must not appear when read. |
| 556 | |
| 557 | For example, a setting which is keyed by major:minor device numbers |
| 558 | with integer values may look like the following. |
| 559 | |
| 560 | # cat cgroup-example-interface-file |
| 561 | default 150 |
| 562 | 8:0 300 |
| 563 | |
| 564 | The default value can be updated by |
| 565 | |
| 566 | # echo 125 > cgroup-example-interface-file |
| 567 | |
| 568 | or |
| 569 | |
| 570 | # echo "default 125" > cgroup-example-interface-file |
| 571 | |
| 572 | An override can be set by |
| 573 | |
| 574 | # echo "8:16 170" > cgroup-example-interface-file |
| 575 | |
| 576 | and cleared by |
| 577 | |
| 578 | # echo "8:0 default" > cgroup-example-interface-file |
| 579 | # cat cgroup-example-interface-file |
| 580 | default 125 |
| 581 | 8:16 170 |
| 582 | |
| 583 | - For events which are not very high frequency, an interface file |
| 584 | "events" should be created which lists event key value pairs. |
| 585 | Whenever a notifiable event happens, file modified event should be |
| 586 | generated on the file. |
| 587 | |
| 588 | |
| 589 | 4-3. Core Interface Files |
| 590 | |
| 591 | All cgroup core files are prefixed with "cgroup." |
| 592 | |
| 593 | cgroup.procs |
| 594 | |
| 595 | A read-write new-line separated values file which exists on |
| 596 | all cgroups. |
| 597 | |
| 598 | When read, it lists the PIDs of all processes which belong to |
| 599 | the cgroup one-per-line. The PIDs are not ordered and the |
| 600 | same PID may show up more than once if the process got moved |
| 601 | to another cgroup and then back or the PID got recycled while |
| 602 | reading. |
| 603 | |
| 604 | A PID can be written to migrate the process associated with |
| 605 | the PID to the cgroup. The writer should match all of the |
| 606 | following conditions. |
| 607 | |
| 608 | - Its euid is either root or must match either uid or suid of |
| 609 | the target process. |
| 610 | |
| 611 | - It must have write access to the "cgroup.procs" file. |
| 612 | |
| 613 | - It must have write access to the "cgroup.procs" file of the |
| 614 | common ancestor of the source and destination cgroups. |
| 615 | |
| 616 | When delegating a sub-hierarchy, write access to this file |
| 617 | should be granted along with the containing directory. |
| 618 | |
| 619 | cgroup.controllers |
| 620 | |
| 621 | A read-only space separated values file which exists on all |
| 622 | cgroups. |
| 623 | |
| 624 | It shows space separated list of all controllers available to |
| 625 | the cgroup. The controllers are not ordered. |
| 626 | |
| 627 | cgroup.subtree_control |
| 628 | |
| 629 | A read-write space separated values file which exists on all |
| 630 | cgroups. Starts out empty. |
| 631 | |
| 632 | When read, it shows space separated list of the controllers |
| 633 | which are enabled to control resource distribution from the |
| 634 | cgroup to its children. |
| 635 | |
| 636 | Space separated list of controllers prefixed with '+' or '-' |
| 637 | can be written to enable or disable controllers. A controller |
| 638 | name prefixed with '+' enables the controller and '-' |
| 639 | disables. If a controller appears more than once on the list, |
| 640 | the last one is effective. When multiple enable and disable |
| 641 | operations are specified, either all succeed or all fail. |
| 642 | |
| 643 | cgroup.events |
| 644 | |
| 645 | A read-only flat-keyed file which exists on non-root cgroups. |
| 646 | The following entries are defined. Unless specified |
| 647 | otherwise, a value change in this file generates a file |
| 648 | modified event. |
| 649 | |
| 650 | populated |
| 651 | |
| 652 | 1 if the cgroup or its descendants contains any live |
| 653 | processes; otherwise, 0. |
| 654 | |
| 655 | |
| 656 | 5. Controllers |
| 657 | |
| 658 | 5-1. CPU |
| 659 | |
| 660 | [NOTE: The interface for the cpu controller hasn't been merged yet] |
| 661 | |
| 662 | The "cpu" controllers regulates distribution of CPU cycles. This |
| 663 | controller implements weight and absolute bandwidth limit models for |
| 664 | normal scheduling policy and absolute bandwidth allocation model for |
| 665 | realtime scheduling policy. |
| 666 | |
| 667 | |
| 668 | 5-1-1. CPU Interface Files |
| 669 | |
| 670 | All time durations are in microseconds. |
| 671 | |
| 672 | cpu.stat |
| 673 | |
| 674 | A read-only flat-keyed file which exists on non-root cgroups. |
| 675 | |
| 676 | It reports the following six stats. |
| 677 | |
| 678 | usage_usec |
| 679 | user_usec |
| 680 | system_usec |
| 681 | nr_periods |
| 682 | nr_throttled |
| 683 | throttled_usec |
| 684 | |
| 685 | cpu.weight |
| 686 | |
| 687 | A read-write single value file which exists on non-root |
| 688 | cgroups. The default is "100". |
| 689 | |
| 690 | The weight in the range [1, 10000]. |
| 691 | |
| 692 | cpu.max |
| 693 | |
| 694 | A read-write two value file which exists on non-root cgroups. |
| 695 | The default is "max 100000". |
| 696 | |
| 697 | The maximum bandwidth limit. It's in the following format. |
| 698 | |
| 699 | $MAX $PERIOD |
| 700 | |
| 701 | which indicates that the group may consume upto $MAX in each |
| 702 | $PERIOD duration. "max" for $MAX indicates no limit. If only |
| 703 | one number is written, $MAX is updated. |
| 704 | |
| 705 | cpu.rt.max |
| 706 | |
| 707 | [NOTE: The semantics of this file is still under discussion and the |
| 708 | interface hasn't been merged yet] |
| 709 | |
| 710 | A read-write two value file which exists on all cgroups. |
| 711 | The default is "0 100000". |
| 712 | |
| 713 | The maximum realtime runtime allocation. Over-committing |
| 714 | configurations are disallowed and process migrations are |
| 715 | rejected if not enough bandwidth is available. It's in the |
| 716 | following format. |
| 717 | |
| 718 | $MAX $PERIOD |
| 719 | |
| 720 | which indicates that the group may consume upto $MAX in each |
| 721 | $PERIOD duration. If only one number is written, $MAX is |
| 722 | updated. |
| 723 | |
| 724 | |
| 725 | 5-2. Memory |
| 726 | |
| 727 | The "memory" controller regulates distribution of memory. Memory is |
| 728 | stateful and implements both limit and protection models. Due to the |
| 729 | intertwining between memory usage and reclaim pressure and the |
| 730 | stateful nature of memory, the distribution model is relatively |
| 731 | complex. |
| 732 | |
| 733 | While not completely water-tight, all major memory usages by a given |
| 734 | cgroup are tracked so that the total memory consumption can be |
| 735 | accounted and controlled to a reasonable extent. Currently, the |
| 736 | following types of memory usages are tracked. |
| 737 | |
| 738 | - Userland memory - page cache and anonymous memory. |
| 739 | |
| 740 | - Kernel data structures such as dentries and inodes. |
| 741 | |
| 742 | - TCP socket buffers. |
| 743 | |
| 744 | The above list may expand in the future for better coverage. |
| 745 | |
| 746 | |
| 747 | 5-2-1. Memory Interface Files |
| 748 | |
| 749 | All memory amounts are in bytes. If a value which is not aligned to |
| 750 | PAGE_SIZE is written, the value may be rounded up to the closest |
| 751 | PAGE_SIZE multiple when read back. |
| 752 | |
| 753 | memory.current |
| 754 | |
| 755 | A read-only single value file which exists on non-root |
| 756 | cgroups. |
| 757 | |
| 758 | The total amount of memory currently being used by the cgroup |
| 759 | and its descendants. |
| 760 | |
| 761 | memory.low |
| 762 | |
| 763 | A read-write single value file which exists on non-root |
| 764 | cgroups. The default is "0". |
| 765 | |
| 766 | Best-effort memory protection. If the memory usages of a |
| 767 | cgroup and all its ancestors are below their low boundaries, |
| 768 | the cgroup's memory won't be reclaimed unless memory can be |
| 769 | reclaimed from unprotected cgroups. |
| 770 | |
| 771 | Putting more memory than generally available under this |
| 772 | protection is discouraged. |
| 773 | |
| 774 | memory.high |
| 775 | |
| 776 | A read-write single value file which exists on non-root |
| 777 | cgroups. The default is "max". |
| 778 | |
| 779 | Memory usage throttle limit. This is the main mechanism to |
| 780 | control memory usage of a cgroup. If a cgroup's usage goes |
| 781 | over the high boundary, the processes of the cgroup are |
| 782 | throttled and put under heavy reclaim pressure. |
| 783 | |
| 784 | Going over the high limit never invokes the OOM killer and |
| 785 | under extreme conditions the limit may be breached. |
| 786 | |
| 787 | memory.max |
| 788 | |
| 789 | A read-write single value file which exists on non-root |
| 790 | cgroups. The default is "max". |
| 791 | |
| 792 | Memory usage hard limit. This is the final protection |
| 793 | mechanism. If a cgroup's memory usage reaches this limit and |
| 794 | can't be reduced, the OOM killer is invoked in the cgroup. |
| 795 | Under certain circumstances, the usage may go over the limit |
| 796 | temporarily. |
| 797 | |
| 798 | This is the ultimate protection mechanism. As long as the |
| 799 | high limit is used and monitored properly, this limit's |
| 800 | utility is limited to providing the final safety net. |
| 801 | |
| 802 | memory.events |
| 803 | |
| 804 | A read-only flat-keyed file which exists on non-root cgroups. |
| 805 | The following entries are defined. Unless specified |
| 806 | otherwise, a value change in this file generates a file |
| 807 | modified event. |
| 808 | |
| 809 | low |
| 810 | |
| 811 | The number of times the cgroup is reclaimed due to |
| 812 | high memory pressure even though its usage is under |
| 813 | the low boundary. This usually indicates that the low |
| 814 | boundary is over-committed. |
| 815 | |
| 816 | high |
| 817 | |
| 818 | The number of times processes of the cgroup are |
| 819 | throttled and routed to perform direct memory reclaim |
| 820 | because the high memory boundary was exceeded. For a |
| 821 | cgroup whose memory usage is capped by the high limit |
| 822 | rather than global memory pressure, this event's |
| 823 | occurrences are expected. |
| 824 | |
| 825 | max |
| 826 | |
| 827 | The number of times the cgroup's memory usage was |
| 828 | about to go over the max boundary. If direct reclaim |
| 829 | fails to bring it down, the OOM killer is invoked. |
| 830 | |
| 831 | oom |
| 832 | |
| 833 | The number of times the OOM killer has been invoked in |
| 834 | the cgroup. This may not exactly match the number of |
| 835 | processes killed but should generally be close. |
| 836 | |
Johannes Weiner | 587d9f7 | 2016-01-20 15:03:19 -0800 | [diff] [blame] | 837 | memory.stat |
| 838 | |
| 839 | A read-only flat-keyed file which exists on non-root cgroups. |
| 840 | |
| 841 | This breaks down the cgroup's memory footprint into different |
| 842 | types of memory, type-specific details, and other information |
| 843 | on the state and past events of the memory management system. |
| 844 | |
| 845 | All memory amounts are in bytes. |
| 846 | |
| 847 | The entries are ordered to be human readable, and new entries |
| 848 | can show up in the middle. Don't rely on items remaining in a |
| 849 | fixed position; use the keys to look up specific values! |
| 850 | |
| 851 | anon |
| 852 | |
| 853 | Amount of memory used in anonymous mappings such as |
| 854 | brk(), sbrk(), and mmap(MAP_ANONYMOUS) |
| 855 | |
| 856 | file |
| 857 | |
| 858 | Amount of memory used to cache filesystem data, |
| 859 | including tmpfs and shared memory. |
| 860 | |
Vladimir Davydov | 12580e4 | 2016-03-17 14:17:38 -0700 | [diff] [blame] | 861 | kernel_stack |
| 862 | |
| 863 | Amount of memory allocated to kernel stacks. |
| 864 | |
Vladimir Davydov | 27ee57c | 2016-03-17 14:17:35 -0700 | [diff] [blame] | 865 | slab |
| 866 | |
| 867 | Amount of memory used for storing in-kernel data |
| 868 | structures. |
| 869 | |
Johannes Weiner | 4758e19 | 2016-02-02 16:57:41 -0800 | [diff] [blame] | 870 | sock |
| 871 | |
| 872 | Amount of memory used in network transmission buffers |
| 873 | |
Johannes Weiner | 587d9f7 | 2016-01-20 15:03:19 -0800 | [diff] [blame] | 874 | file_mapped |
| 875 | |
| 876 | Amount of cached filesystem data mapped with mmap() |
| 877 | |
| 878 | file_dirty |
| 879 | |
| 880 | Amount of cached filesystem data that was modified but |
| 881 | not yet written back to disk |
| 882 | |
| 883 | file_writeback |
| 884 | |
| 885 | Amount of cached filesystem data that was modified and |
| 886 | is currently being written back to disk |
| 887 | |
| 888 | inactive_anon |
| 889 | active_anon |
| 890 | inactive_file |
| 891 | active_file |
| 892 | unevictable |
| 893 | |
| 894 | Amount of memory, swap-backed and filesystem-backed, |
| 895 | on the internal memory management lists used by the |
| 896 | page reclaim algorithm |
| 897 | |
Vladimir Davydov | 27ee57c | 2016-03-17 14:17:35 -0700 | [diff] [blame] | 898 | slab_reclaimable |
| 899 | |
| 900 | Part of "slab" that might be reclaimed, such as |
| 901 | dentries and inodes. |
| 902 | |
| 903 | slab_unreclaimable |
| 904 | |
| 905 | Part of "slab" that cannot be reclaimed on memory |
| 906 | pressure. |
| 907 | |
Johannes Weiner | 587d9f7 | 2016-01-20 15:03:19 -0800 | [diff] [blame] | 908 | pgfault |
| 909 | |
| 910 | Total number of page faults incurred |
| 911 | |
| 912 | pgmajfault |
| 913 | |
| 914 | Number of major page faults incurred |
| 915 | |
Vladimir Davydov | 3e24b19 | 2016-01-20 15:03:13 -0800 | [diff] [blame] | 916 | memory.swap.current |
| 917 | |
| 918 | A read-only single value file which exists on non-root |
| 919 | cgroups. |
| 920 | |
| 921 | The total amount of swap currently being used by the cgroup |
| 922 | and its descendants. |
| 923 | |
| 924 | memory.swap.max |
| 925 | |
| 926 | A read-write single value file which exists on non-root |
| 927 | cgroups. The default is "max". |
| 928 | |
| 929 | Swap usage hard limit. If a cgroup's swap usage reaches this |
| 930 | limit, anonymous meomry of the cgroup will not be swapped out. |
| 931 | |
Tejun Heo | 6c29209 | 2015-11-16 11:13:34 -0500 | [diff] [blame] | 932 | |
Parav Pandit | 6c83e6cb | 2016-03-05 11:20:58 +0530 | [diff] [blame] | 933 | 5-2-2. Usage Guidelines |
Tejun Heo | 6c29209 | 2015-11-16 11:13:34 -0500 | [diff] [blame] | 934 | |
| 935 | "memory.high" is the main mechanism to control memory usage. |
| 936 | Over-committing on high limit (sum of high limits > available memory) |
| 937 | and letting global memory pressure to distribute memory according to |
| 938 | usage is a viable strategy. |
| 939 | |
| 940 | Because breach of the high limit doesn't trigger the OOM killer but |
| 941 | throttles the offending cgroup, a management agent has ample |
| 942 | opportunities to monitor and take appropriate actions such as granting |
| 943 | more memory or terminating the workload. |
| 944 | |
| 945 | Determining whether a cgroup has enough memory is not trivial as |
| 946 | memory usage doesn't indicate whether the workload can benefit from |
| 947 | more memory. For example, a workload which writes data received from |
| 948 | network to a file can use all available memory but can also operate as |
| 949 | performant with a small amount of memory. A measure of memory |
| 950 | pressure - how much the workload is being impacted due to lack of |
| 951 | memory - is necessary to determine whether a workload needs more |
| 952 | memory; unfortunately, memory pressure monitoring mechanism isn't |
| 953 | implemented yet. |
| 954 | |
| 955 | |
| 956 | 5-2-3. Memory Ownership |
| 957 | |
| 958 | A memory area is charged to the cgroup which instantiated it and stays |
| 959 | charged to the cgroup until the area is released. Migrating a process |
| 960 | to a different cgroup doesn't move the memory usages that it |
| 961 | instantiated while in the previous cgroup to the new cgroup. |
| 962 | |
| 963 | A memory area may be used by processes belonging to different cgroups. |
| 964 | To which cgroup the area will be charged is in-deterministic; however, |
| 965 | over time, the memory area is likely to end up in a cgroup which has |
| 966 | enough memory allowance to avoid high reclaim pressure. |
| 967 | |
| 968 | If a cgroup sweeps a considerable amount of memory which is expected |
| 969 | to be accessed repeatedly by other cgroups, it may make sense to use |
| 970 | POSIX_FADV_DONTNEED to relinquish the ownership of memory areas |
| 971 | belonging to the affected files to ensure correct memory ownership. |
| 972 | |
| 973 | |
| 974 | 5-3. IO |
| 975 | |
| 976 | The "io" controller regulates the distribution of IO resources. This |
| 977 | controller implements both weight based and absolute bandwidth or IOPS |
| 978 | limit distribution; however, weight based distribution is available |
| 979 | only if cfq-iosched is in use and neither scheme is available for |
| 980 | blk-mq devices. |
| 981 | |
| 982 | |
| 983 | 5-3-1. IO Interface Files |
| 984 | |
| 985 | io.stat |
| 986 | |
| 987 | A read-only nested-keyed file which exists on non-root |
| 988 | cgroups. |
| 989 | |
| 990 | Lines are keyed by $MAJ:$MIN device numbers and not ordered. |
| 991 | The following nested keys are defined. |
| 992 | |
| 993 | rbytes Bytes read |
| 994 | wbytes Bytes written |
| 995 | rios Number of read IOs |
| 996 | wios Number of write IOs |
| 997 | |
| 998 | An example read output follows. |
| 999 | |
| 1000 | 8:16 rbytes=1459200 wbytes=314773504 rios=192 wios=353 |
| 1001 | 8:0 rbytes=90430464 wbytes=299008000 rios=8950 wios=1252 |
| 1002 | |
| 1003 | io.weight |
| 1004 | |
| 1005 | A read-write flat-keyed file which exists on non-root cgroups. |
| 1006 | The default is "default 100". |
| 1007 | |
| 1008 | The first line is the default weight applied to devices |
| 1009 | without specific override. The rest are overrides keyed by |
| 1010 | $MAJ:$MIN device numbers and not ordered. The weights are in |
| 1011 | the range [1, 10000] and specifies the relative amount IO time |
| 1012 | the cgroup can use in relation to its siblings. |
| 1013 | |
| 1014 | The default weight can be updated by writing either "default |
| 1015 | $WEIGHT" or simply "$WEIGHT". Overrides can be set by writing |
| 1016 | "$MAJ:$MIN $WEIGHT" and unset by writing "$MAJ:$MIN default". |
| 1017 | |
| 1018 | An example read output follows. |
| 1019 | |
| 1020 | default 100 |
| 1021 | 8:16 200 |
| 1022 | 8:0 50 |
| 1023 | |
| 1024 | io.max |
| 1025 | |
| 1026 | A read-write nested-keyed file which exists on non-root |
| 1027 | cgroups. |
| 1028 | |
| 1029 | BPS and IOPS based IO limit. Lines are keyed by $MAJ:$MIN |
| 1030 | device numbers and not ordered. The following nested keys are |
| 1031 | defined. |
| 1032 | |
| 1033 | rbps Max read bytes per second |
| 1034 | wbps Max write bytes per second |
| 1035 | riops Max read IO operations per second |
| 1036 | wiops Max write IO operations per second |
| 1037 | |
| 1038 | When writing, any number of nested key-value pairs can be |
| 1039 | specified in any order. "max" can be specified as the value |
| 1040 | to remove a specific limit. If the same key is specified |
| 1041 | multiple times, the outcome is undefined. |
| 1042 | |
| 1043 | BPS and IOPS are measured in each IO direction and IOs are |
| 1044 | delayed if limit is reached. Temporary bursts are allowed. |
| 1045 | |
| 1046 | Setting read limit at 2M BPS and write at 120 IOPS for 8:16. |
| 1047 | |
| 1048 | echo "8:16 rbps=2097152 wiops=120" > io.max |
| 1049 | |
| 1050 | Reading returns the following. |
| 1051 | |
| 1052 | 8:16 rbps=2097152 wbps=max riops=max wiops=120 |
| 1053 | |
| 1054 | Write IOPS limit can be removed by writing the following. |
| 1055 | |
| 1056 | echo "8:16 wiops=max" > io.max |
| 1057 | |
| 1058 | Reading now returns the following. |
| 1059 | |
| 1060 | 8:16 rbps=2097152 wbps=max riops=max wiops=max |
| 1061 | |
| 1062 | |
| 1063 | 5-3-2. Writeback |
| 1064 | |
| 1065 | Page cache is dirtied through buffered writes and shared mmaps and |
| 1066 | written asynchronously to the backing filesystem by the writeback |
| 1067 | mechanism. Writeback sits between the memory and IO domains and |
| 1068 | regulates the proportion of dirty memory by balancing dirtying and |
| 1069 | write IOs. |
| 1070 | |
| 1071 | The io controller, in conjunction with the memory controller, |
| 1072 | implements control of page cache writeback IOs. The memory controller |
| 1073 | defines the memory domain that dirty memory ratio is calculated and |
| 1074 | maintained for and the io controller defines the io domain which |
| 1075 | writes out dirty pages for the memory domain. Both system-wide and |
| 1076 | per-cgroup dirty memory states are examined and the more restrictive |
| 1077 | of the two is enforced. |
| 1078 | |
| 1079 | cgroup writeback requires explicit support from the underlying |
| 1080 | filesystem. Currently, cgroup writeback is implemented on ext2, ext4 |
| 1081 | and btrfs. On other filesystems, all writeback IOs are attributed to |
| 1082 | the root cgroup. |
| 1083 | |
| 1084 | There are inherent differences in memory and writeback management |
| 1085 | which affects how cgroup ownership is tracked. Memory is tracked per |
| 1086 | page while writeback per inode. For the purpose of writeback, an |
| 1087 | inode is assigned to a cgroup and all IO requests to write dirty pages |
| 1088 | from the inode are attributed to that cgroup. |
| 1089 | |
| 1090 | As cgroup ownership for memory is tracked per page, there can be pages |
| 1091 | which are associated with different cgroups than the one the inode is |
| 1092 | associated with. These are called foreign pages. The writeback |
| 1093 | constantly keeps track of foreign pages and, if a particular foreign |
| 1094 | cgroup becomes the majority over a certain period of time, switches |
| 1095 | the ownership of the inode to that cgroup. |
| 1096 | |
| 1097 | While this model is enough for most use cases where a given inode is |
| 1098 | mostly dirtied by a single cgroup even when the main writing cgroup |
| 1099 | changes over time, use cases where multiple cgroups write to a single |
| 1100 | inode simultaneously are not supported well. In such circumstances, a |
| 1101 | significant portion of IOs are likely to be attributed incorrectly. |
| 1102 | As memory controller assigns page ownership on the first use and |
| 1103 | doesn't update it until the page is released, even if writeback |
| 1104 | strictly follows page ownership, multiple cgroups dirtying overlapping |
| 1105 | areas wouldn't work as expected. It's recommended to avoid such usage |
| 1106 | patterns. |
| 1107 | |
| 1108 | The sysctl knobs which affect writeback behavior are applied to cgroup |
| 1109 | writeback as follows. |
| 1110 | |
| 1111 | vm.dirty_background_ratio |
| 1112 | vm.dirty_ratio |
| 1113 | |
| 1114 | These ratios apply the same to cgroup writeback with the |
| 1115 | amount of available memory capped by limits imposed by the |
| 1116 | memory controller and system-wide clean memory. |
| 1117 | |
| 1118 | vm.dirty_background_bytes |
| 1119 | vm.dirty_bytes |
| 1120 | |
| 1121 | For cgroup writeback, this is calculated into ratio against |
| 1122 | total available memory and applied the same way as |
| 1123 | vm.dirty[_background]_ratio. |
| 1124 | |
| 1125 | |
Hans Ragas | 20c56e5 | 2017-01-10 17:42:34 +0000 | [diff] [blame] | 1126 | 5-4. PID |
| 1127 | |
| 1128 | The process number controller is used to allow a cgroup to stop any |
| 1129 | new tasks from being fork()'d or clone()'d after a specified limit is |
| 1130 | reached. |
| 1131 | |
| 1132 | The number of tasks in a cgroup can be exhausted in ways which other |
| 1133 | controllers cannot prevent, thus warranting its own controller. For |
| 1134 | example, a fork bomb is likely to exhaust the number of tasks before |
| 1135 | hitting memory restrictions. |
| 1136 | |
| 1137 | Note that PIDs used in this controller refer to TIDs, process IDs as |
| 1138 | used by the kernel. |
| 1139 | |
| 1140 | |
| 1141 | 5-4-1. PID Interface Files |
| 1142 | |
| 1143 | pids.max |
| 1144 | |
Tobias Klauser | 312eb71 | 2017-02-17 18:44:11 +0100 | [diff] [blame] | 1145 | A read-write single value file which exists on non-root |
| 1146 | cgroups. The default is "max". |
Hans Ragas | 20c56e5 | 2017-01-10 17:42:34 +0000 | [diff] [blame] | 1147 | |
Tobias Klauser | 312eb71 | 2017-02-17 18:44:11 +0100 | [diff] [blame] | 1148 | Hard limit of number of processes. |
Hans Ragas | 20c56e5 | 2017-01-10 17:42:34 +0000 | [diff] [blame] | 1149 | |
| 1150 | pids.current |
| 1151 | |
Tobias Klauser | 312eb71 | 2017-02-17 18:44:11 +0100 | [diff] [blame] | 1152 | A read-only single value file which exists on all cgroups. |
Hans Ragas | 20c56e5 | 2017-01-10 17:42:34 +0000 | [diff] [blame] | 1153 | |
Tobias Klauser | 312eb71 | 2017-02-17 18:44:11 +0100 | [diff] [blame] | 1154 | The number of processes currently in the cgroup and its |
| 1155 | descendants. |
Hans Ragas | 20c56e5 | 2017-01-10 17:42:34 +0000 | [diff] [blame] | 1156 | |
| 1157 | Organisational operations are not blocked by cgroup policies, so it is |
| 1158 | possible to have pids.current > pids.max. This can be done by either |
| 1159 | setting the limit to be smaller than pids.current, or attaching enough |
| 1160 | processes to the cgroup such that pids.current is larger than |
| 1161 | pids.max. However, it is not possible to violate a cgroup PID policy |
| 1162 | through fork() or clone(). These will return -EAGAIN if the creation |
| 1163 | of a new process would cause a cgroup policy to be violated. |
| 1164 | |
| 1165 | |
Tejun Heo | 63f1ca5 | 2017-02-02 13:50:35 -0500 | [diff] [blame] | 1166 | 5-5. RDMA |
Tejun Heo | 968ebff | 2017-01-29 14:35:20 -0500 | [diff] [blame] | 1167 | |
Parav Pandit | 9c1e67f | 2017-01-10 00:02:15 +0000 | [diff] [blame] | 1168 | The "rdma" controller regulates the distribution and accounting of |
| 1169 | of RDMA resources. |
| 1170 | |
Tejun Heo | 63f1ca5 | 2017-02-02 13:50:35 -0500 | [diff] [blame] | 1171 | 5-5-1. RDMA Interface Files |
Parav Pandit | 9c1e67f | 2017-01-10 00:02:15 +0000 | [diff] [blame] | 1172 | |
| 1173 | rdma.max |
| 1174 | A readwrite nested-keyed file that exists for all the cgroups |
| 1175 | except root that describes current configured resource limit |
| 1176 | for a RDMA/IB device. |
| 1177 | |
| 1178 | Lines are keyed by device name and are not ordered. |
| 1179 | Each line contains space separated resource name and its configured |
| 1180 | limit that can be distributed. |
| 1181 | |
| 1182 | The following nested keys are defined. |
| 1183 | |
| 1184 | hca_handle Maximum number of HCA Handles |
| 1185 | hca_object Maximum number of HCA Objects |
| 1186 | |
| 1187 | An example for mlx4 and ocrdma device follows. |
| 1188 | |
| 1189 | mlx4_0 hca_handle=2 hca_object=2000 |
| 1190 | ocrdma1 hca_handle=3 hca_object=max |
| 1191 | |
| 1192 | rdma.current |
| 1193 | A read-only file that describes current resource usage. |
| 1194 | It exists for all the cgroup except root. |
| 1195 | |
| 1196 | An example for mlx4 and ocrdma device follows. |
| 1197 | |
| 1198 | mlx4_0 hca_handle=1 hca_object=20 |
| 1199 | ocrdma1 hca_handle=1 hca_object=23 |
| 1200 | |
| 1201 | |
Tejun Heo | 63f1ca5 | 2017-02-02 13:50:35 -0500 | [diff] [blame] | 1202 | 5-6. Misc |
| 1203 | |
| 1204 | 5-6-1. perf_event |
Tejun Heo | 968ebff | 2017-01-29 14:35:20 -0500 | [diff] [blame] | 1205 | |
| 1206 | perf_event controller, if not mounted on a legacy hierarchy, is |
| 1207 | automatically enabled on the v2 hierarchy so that perf events can |
| 1208 | always be filtered by cgroup v2 path. The controller can still be |
| 1209 | moved to a legacy hierarchy after v2 hierarchy is populated. |
| 1210 | |
| 1211 | |
Serge Hallyn | d4021f6 | 2016-01-29 02:54:10 -0600 | [diff] [blame] | 1212 | 6. Namespace |
| 1213 | |
| 1214 | 6-1. Basics |
| 1215 | |
| 1216 | cgroup namespace provides a mechanism to virtualize the view of the |
| 1217 | "/proc/$PID/cgroup" file and cgroup mounts. The CLONE_NEWCGROUP clone |
| 1218 | flag can be used with clone(2) and unshare(2) to create a new cgroup |
| 1219 | namespace. The process running inside the cgroup namespace will have |
| 1220 | its "/proc/$PID/cgroup" output restricted to cgroupns root. The |
| 1221 | cgroupns root is the cgroup of the process at the time of creation of |
| 1222 | the cgroup namespace. |
| 1223 | |
| 1224 | Without cgroup namespace, the "/proc/$PID/cgroup" file shows the |
| 1225 | complete path of the cgroup of a process. In a container setup where |
| 1226 | a set of cgroups and namespaces are intended to isolate processes the |
| 1227 | "/proc/$PID/cgroup" file may leak potential system level information |
| 1228 | to the isolated processes. For Example: |
| 1229 | |
| 1230 | # cat /proc/self/cgroup |
| 1231 | 0::/batchjobs/container_id1 |
| 1232 | |
| 1233 | The path '/batchjobs/container_id1' can be considered as system-data |
| 1234 | and undesirable to expose to the isolated processes. cgroup namespace |
| 1235 | can be used to restrict visibility of this path. For example, before |
| 1236 | creating a cgroup namespace, one would see: |
| 1237 | |
| 1238 | # ls -l /proc/self/ns/cgroup |
| 1239 | lrwxrwxrwx 1 root root 0 2014-07-15 10:37 /proc/self/ns/cgroup -> cgroup:[4026531835] |
| 1240 | # cat /proc/self/cgroup |
| 1241 | 0::/batchjobs/container_id1 |
| 1242 | |
| 1243 | After unsharing a new namespace, the view changes. |
| 1244 | |
| 1245 | # ls -l /proc/self/ns/cgroup |
| 1246 | lrwxrwxrwx 1 root root 0 2014-07-15 10:35 /proc/self/ns/cgroup -> cgroup:[4026532183] |
| 1247 | # cat /proc/self/cgroup |
| 1248 | 0::/ |
| 1249 | |
| 1250 | When some thread from a multi-threaded process unshares its cgroup |
| 1251 | namespace, the new cgroupns gets applied to the entire process (all |
| 1252 | the threads). This is natural for the v2 hierarchy; however, for the |
| 1253 | legacy hierarchies, this may be unexpected. |
| 1254 | |
| 1255 | A cgroup namespace is alive as long as there are processes inside or |
| 1256 | mounts pinning it. When the last usage goes away, the cgroup |
| 1257 | namespace is destroyed. The cgroupns root and the actual cgroups |
| 1258 | remain. |
| 1259 | |
| 1260 | |
| 1261 | 6-2. The Root and Views |
| 1262 | |
| 1263 | The 'cgroupns root' for a cgroup namespace is the cgroup in which the |
| 1264 | process calling unshare(2) is running. For example, if a process in |
| 1265 | /batchjobs/container_id1 cgroup calls unshare, cgroup |
| 1266 | /batchjobs/container_id1 becomes the cgroupns root. For the |
| 1267 | init_cgroup_ns, this is the real root ('/') cgroup. |
| 1268 | |
| 1269 | The cgroupns root cgroup does not change even if the namespace creator |
| 1270 | process later moves to a different cgroup. |
| 1271 | |
| 1272 | # ~/unshare -c # unshare cgroupns in some cgroup |
| 1273 | # cat /proc/self/cgroup |
| 1274 | 0::/ |
| 1275 | # mkdir sub_cgrp_1 |
| 1276 | # echo 0 > sub_cgrp_1/cgroup.procs |
| 1277 | # cat /proc/self/cgroup |
| 1278 | 0::/sub_cgrp_1 |
| 1279 | |
| 1280 | Each process gets its namespace-specific view of "/proc/$PID/cgroup" |
| 1281 | |
| 1282 | Processes running inside the cgroup namespace will be able to see |
| 1283 | cgroup paths (in /proc/self/cgroup) only inside their root cgroup. |
| 1284 | From within an unshared cgroupns: |
| 1285 | |
| 1286 | # sleep 100000 & |
| 1287 | [1] 7353 |
| 1288 | # echo 7353 > sub_cgrp_1/cgroup.procs |
| 1289 | # cat /proc/7353/cgroup |
| 1290 | 0::/sub_cgrp_1 |
| 1291 | |
| 1292 | From the initial cgroup namespace, the real cgroup path will be |
| 1293 | visible: |
| 1294 | |
| 1295 | $ cat /proc/7353/cgroup |
| 1296 | 0::/batchjobs/container_id1/sub_cgrp_1 |
| 1297 | |
| 1298 | From a sibling cgroup namespace (that is, a namespace rooted at a |
| 1299 | different cgroup), the cgroup path relative to its own cgroup |
| 1300 | namespace root will be shown. For instance, if PID 7353's cgroup |
| 1301 | namespace root is at '/batchjobs/container_id2', then it will see |
| 1302 | |
| 1303 | # cat /proc/7353/cgroup |
| 1304 | 0::/../container_id2/sub_cgrp_1 |
| 1305 | |
| 1306 | Note that the relative path always starts with '/' to indicate that |
| 1307 | its relative to the cgroup namespace root of the caller. |
| 1308 | |
| 1309 | |
| 1310 | 6-3. Migration and setns(2) |
| 1311 | |
| 1312 | Processes inside a cgroup namespace can move into and out of the |
| 1313 | namespace root if they have proper access to external cgroups. For |
| 1314 | example, from inside a namespace with cgroupns root at |
| 1315 | /batchjobs/container_id1, and assuming that the global hierarchy is |
| 1316 | still accessible inside cgroupns: |
| 1317 | |
| 1318 | # cat /proc/7353/cgroup |
| 1319 | 0::/sub_cgrp_1 |
| 1320 | # echo 7353 > batchjobs/container_id2/cgroup.procs |
| 1321 | # cat /proc/7353/cgroup |
| 1322 | 0::/../container_id2 |
| 1323 | |
| 1324 | Note that this kind of setup is not encouraged. A task inside cgroup |
| 1325 | namespace should only be exposed to its own cgroupns hierarchy. |
| 1326 | |
| 1327 | setns(2) to another cgroup namespace is allowed when: |
| 1328 | |
| 1329 | (a) the process has CAP_SYS_ADMIN against its current user namespace |
| 1330 | (b) the process has CAP_SYS_ADMIN against the target cgroup |
| 1331 | namespace's userns |
| 1332 | |
| 1333 | No implicit cgroup changes happen with attaching to another cgroup |
| 1334 | namespace. It is expected that the someone moves the attaching |
| 1335 | process under the target cgroup namespace root. |
| 1336 | |
| 1337 | |
| 1338 | 6-4. Interaction with Other Namespaces |
| 1339 | |
| 1340 | Namespace specific cgroup hierarchy can be mounted by a process |
| 1341 | running inside a non-init cgroup namespace. |
| 1342 | |
| 1343 | # mount -t cgroup2 none $MOUNT_POINT |
| 1344 | |
| 1345 | This will mount the unified cgroup hierarchy with cgroupns root as the |
| 1346 | filesystem root. The process needs CAP_SYS_ADMIN against its user and |
| 1347 | mount namespaces. |
| 1348 | |
| 1349 | The virtualization of /proc/self/cgroup file combined with restricting |
| 1350 | the view of cgroup hierarchy by namespace-private cgroupfs mount |
| 1351 | provides a properly isolated cgroup view inside the container. |
| 1352 | |
| 1353 | |
Tejun Heo | 6c29209 | 2015-11-16 11:13:34 -0500 | [diff] [blame] | 1354 | P. Information on Kernel Programming |
| 1355 | |
| 1356 | This section contains kernel programming information in the areas |
| 1357 | where interacting with cgroup is necessary. cgroup core and |
| 1358 | controllers are not covered. |
| 1359 | |
| 1360 | |
| 1361 | P-1. Filesystem Support for Writeback |
| 1362 | |
| 1363 | A filesystem can support cgroup writeback by updating |
| 1364 | address_space_operations->writepage[s]() to annotate bio's using the |
| 1365 | following two functions. |
| 1366 | |
| 1367 | wbc_init_bio(@wbc, @bio) |
| 1368 | |
| 1369 | Should be called for each bio carrying writeback data and |
| 1370 | associates the bio with the inode's owner cgroup. Can be |
| 1371 | called anytime between bio allocation and submission. |
| 1372 | |
| 1373 | wbc_account_io(@wbc, @page, @bytes) |
| 1374 | |
| 1375 | Should be called for each data segment being written out. |
| 1376 | While this function doesn't care exactly when it's called |
| 1377 | during the writeback session, it's the easiest and most |
| 1378 | natural to call it as data segments are added to a bio. |
| 1379 | |
| 1380 | With writeback bio's annotated, cgroup support can be enabled per |
| 1381 | super_block by setting SB_I_CGROUPWB in ->s_iflags. This allows for |
| 1382 | selective disabling of cgroup writeback support which is helpful when |
| 1383 | certain filesystem features, e.g. journaled data mode, are |
| 1384 | incompatible. |
| 1385 | |
| 1386 | wbc_init_bio() binds the specified bio to its cgroup. Depending on |
| 1387 | the configuration, the bio may be executed at a lower priority and if |
| 1388 | the writeback session is holding shared resources, e.g. a journal |
| 1389 | entry, may lead to priority inversion. There is no one easy solution |
| 1390 | for the problem. Filesystems can try to work around specific problem |
| 1391 | cases by skipping wbc_init_bio() or using bio_associate_blkcg() |
| 1392 | directly. |
| 1393 | |
| 1394 | |
| 1395 | D. Deprecated v1 Core Features |
| 1396 | |
| 1397 | - Multiple hierarchies including named ones are not supported. |
| 1398 | |
| 1399 | - All mount options and remounting are not supported. |
| 1400 | |
| 1401 | - The "tasks" file is removed and "cgroup.procs" is not sorted. |
| 1402 | |
| 1403 | - "cgroup.clone_children" is removed. |
| 1404 | |
| 1405 | - /proc/cgroups is meaningless for v2. Use "cgroup.controllers" file |
| 1406 | at the root instead. |
| 1407 | |
| 1408 | |
| 1409 | R. Issues with v1 and Rationales for v2 |
| 1410 | |
| 1411 | R-1. Multiple Hierarchies |
| 1412 | |
| 1413 | cgroup v1 allowed an arbitrary number of hierarchies and each |
| 1414 | hierarchy could host any number of controllers. While this seemed to |
| 1415 | provide a high level of flexibility, it wasn't useful in practice. |
| 1416 | |
| 1417 | For example, as there is only one instance of each controller, utility |
| 1418 | type controllers such as freezer which can be useful in all |
| 1419 | hierarchies could only be used in one. The issue is exacerbated by |
| 1420 | the fact that controllers couldn't be moved to another hierarchy once |
| 1421 | hierarchies were populated. Another issue was that all controllers |
| 1422 | bound to a hierarchy were forced to have exactly the same view of the |
| 1423 | hierarchy. It wasn't possible to vary the granularity depending on |
| 1424 | the specific controller. |
| 1425 | |
| 1426 | In practice, these issues heavily limited which controllers could be |
| 1427 | put on the same hierarchy and most configurations resorted to putting |
| 1428 | each controller on its own hierarchy. Only closely related ones, such |
| 1429 | as the cpu and cpuacct controllers, made sense to be put on the same |
| 1430 | hierarchy. This often meant that userland ended up managing multiple |
| 1431 | similar hierarchies repeating the same steps on each hierarchy |
| 1432 | whenever a hierarchy management operation was necessary. |
| 1433 | |
| 1434 | Furthermore, support for multiple hierarchies came at a steep cost. |
| 1435 | It greatly complicated cgroup core implementation but more importantly |
| 1436 | the support for multiple hierarchies restricted how cgroup could be |
| 1437 | used in general and what controllers was able to do. |
| 1438 | |
| 1439 | There was no limit on how many hierarchies there might be, which meant |
| 1440 | that a thread's cgroup membership couldn't be described in finite |
| 1441 | length. The key might contain any number of entries and was unlimited |
| 1442 | in length, which made it highly awkward to manipulate and led to |
| 1443 | addition of controllers which existed only to identify membership, |
| 1444 | which in turn exacerbated the original problem of proliferating number |
| 1445 | of hierarchies. |
| 1446 | |
| 1447 | Also, as a controller couldn't have any expectation regarding the |
| 1448 | topologies of hierarchies other controllers might be on, each |
| 1449 | controller had to assume that all other controllers were attached to |
| 1450 | completely orthogonal hierarchies. This made it impossible, or at |
| 1451 | least very cumbersome, for controllers to cooperate with each other. |
| 1452 | |
| 1453 | In most use cases, putting controllers on hierarchies which are |
| 1454 | completely orthogonal to each other isn't necessary. What usually is |
| 1455 | called for is the ability to have differing levels of granularity |
| 1456 | depending on the specific controller. In other words, hierarchy may |
| 1457 | be collapsed from leaf towards root when viewed from specific |
| 1458 | controllers. For example, a given configuration might not care about |
| 1459 | how memory is distributed beyond a certain level while still wanting |
| 1460 | to control how CPU cycles are distributed. |
| 1461 | |
| 1462 | |
| 1463 | R-2. Thread Granularity |
| 1464 | |
| 1465 | cgroup v1 allowed threads of a process to belong to different cgroups. |
| 1466 | This didn't make sense for some controllers and those controllers |
| 1467 | ended up implementing different ways to ignore such situations but |
| 1468 | much more importantly it blurred the line between API exposed to |
| 1469 | individual applications and system management interface. |
| 1470 | |
| 1471 | Generally, in-process knowledge is available only to the process |
| 1472 | itself; thus, unlike service-level organization of processes, |
| 1473 | categorizing threads of a process requires active participation from |
| 1474 | the application which owns the target process. |
| 1475 | |
| 1476 | cgroup v1 had an ambiguously defined delegation model which got abused |
| 1477 | in combination with thread granularity. cgroups were delegated to |
| 1478 | individual applications so that they can create and manage their own |
| 1479 | sub-hierarchies and control resource distributions along them. This |
| 1480 | effectively raised cgroup to the status of a syscall-like API exposed |
| 1481 | to lay programs. |
| 1482 | |
| 1483 | First of all, cgroup has a fundamentally inadequate interface to be |
| 1484 | exposed this way. For a process to access its own knobs, it has to |
| 1485 | extract the path on the target hierarchy from /proc/self/cgroup, |
| 1486 | construct the path by appending the name of the knob to the path, open |
| 1487 | and then read and/or write to it. This is not only extremely clunky |
| 1488 | and unusual but also inherently racy. There is no conventional way to |
| 1489 | define transaction across the required steps and nothing can guarantee |
| 1490 | that the process would actually be operating on its own sub-hierarchy. |
| 1491 | |
| 1492 | cgroup controllers implemented a number of knobs which would never be |
| 1493 | accepted as public APIs because they were just adding control knobs to |
| 1494 | system-management pseudo filesystem. cgroup ended up with interface |
| 1495 | knobs which were not properly abstracted or refined and directly |
| 1496 | revealed kernel internal details. These knobs got exposed to |
| 1497 | individual applications through the ill-defined delegation mechanism |
| 1498 | effectively abusing cgroup as a shortcut to implementing public APIs |
| 1499 | without going through the required scrutiny. |
| 1500 | |
| 1501 | This was painful for both userland and kernel. Userland ended up with |
| 1502 | misbehaving and poorly abstracted interfaces and kernel exposing and |
| 1503 | locked into constructs inadvertently. |
| 1504 | |
| 1505 | |
| 1506 | R-3. Competition Between Inner Nodes and Threads |
| 1507 | |
| 1508 | cgroup v1 allowed threads to be in any cgroups which created an |
| 1509 | interesting problem where threads belonging to a parent cgroup and its |
| 1510 | children cgroups competed for resources. This was nasty as two |
| 1511 | different types of entities competed and there was no obvious way to |
| 1512 | settle it. Different controllers did different things. |
| 1513 | |
| 1514 | The cpu controller considered threads and cgroups as equivalents and |
| 1515 | mapped nice levels to cgroup weights. This worked for some cases but |
| 1516 | fell flat when children wanted to be allocated specific ratios of CPU |
| 1517 | cycles and the number of internal threads fluctuated - the ratios |
| 1518 | constantly changed as the number of competing entities fluctuated. |
| 1519 | There also were other issues. The mapping from nice level to weight |
| 1520 | wasn't obvious or universal, and there were various other knobs which |
| 1521 | simply weren't available for threads. |
| 1522 | |
| 1523 | The io controller implicitly created a hidden leaf node for each |
| 1524 | cgroup to host the threads. The hidden leaf had its own copies of all |
| 1525 | the knobs with "leaf_" prefixed. While this allowed equivalent |
| 1526 | control over internal threads, it was with serious drawbacks. It |
| 1527 | always added an extra layer of nesting which wouldn't be necessary |
| 1528 | otherwise, made the interface messy and significantly complicated the |
| 1529 | implementation. |
| 1530 | |
| 1531 | The memory controller didn't have a way to control what happened |
| 1532 | between internal tasks and child cgroups and the behavior was not |
| 1533 | clearly defined. There were attempts to add ad-hoc behaviors and |
| 1534 | knobs to tailor the behavior to specific workloads which would have |
| 1535 | led to problems extremely difficult to resolve in the long term. |
| 1536 | |
| 1537 | Multiple controllers struggled with internal tasks and came up with |
| 1538 | different ways to deal with it; unfortunately, all the approaches were |
| 1539 | severely flawed and, furthermore, the widely different behaviors |
| 1540 | made cgroup as a whole highly inconsistent. |
| 1541 | |
| 1542 | This clearly is a problem which needs to be addressed from cgroup core |
| 1543 | in a uniform way. |
| 1544 | |
| 1545 | |
| 1546 | R-4. Other Interface Issues |
| 1547 | |
| 1548 | cgroup v1 grew without oversight and developed a large number of |
| 1549 | idiosyncrasies and inconsistencies. One issue on the cgroup core side |
| 1550 | was how an empty cgroup was notified - a userland helper binary was |
| 1551 | forked and executed for each event. The event delivery wasn't |
| 1552 | recursive or delegatable. The limitations of the mechanism also led |
| 1553 | to in-kernel event delivery filtering mechanism further complicating |
| 1554 | the interface. |
| 1555 | |
| 1556 | Controller interfaces were problematic too. An extreme example is |
| 1557 | controllers completely ignoring hierarchical organization and treating |
| 1558 | all cgroups as if they were all located directly under the root |
| 1559 | cgroup. Some controllers exposed a large amount of inconsistent |
| 1560 | implementation details to userland. |
| 1561 | |
| 1562 | There also was no consistency across controllers. When a new cgroup |
| 1563 | was created, some controllers defaulted to not imposing extra |
| 1564 | restrictions while others disallowed any resource usage until |
| 1565 | explicitly configured. Configuration knobs for the same type of |
| 1566 | control used widely differing naming schemes and formats. Statistics |
| 1567 | and information knobs were named arbitrarily and used different |
| 1568 | formats and units even in the same controller. |
| 1569 | |
| 1570 | cgroup v2 establishes common conventions where appropriate and updates |
| 1571 | controllers so that they expose minimal and consistent interfaces. |
| 1572 | |
| 1573 | |
| 1574 | R-5. Controller Issues and Remedies |
| 1575 | |
| 1576 | R-5-1. Memory |
| 1577 | |
| 1578 | The original lower boundary, the soft limit, is defined as a limit |
| 1579 | that is per default unset. As a result, the set of cgroups that |
| 1580 | global reclaim prefers is opt-in, rather than opt-out. The costs for |
| 1581 | optimizing these mostly negative lookups are so high that the |
| 1582 | implementation, despite its enormous size, does not even provide the |
| 1583 | basic desirable behavior. First off, the soft limit has no |
| 1584 | hierarchical meaning. All configured groups are organized in a global |
| 1585 | rbtree and treated like equal peers, regardless where they are located |
| 1586 | in the hierarchy. This makes subtree delegation impossible. Second, |
| 1587 | the soft limit reclaim pass is so aggressive that it not just |
| 1588 | introduces high allocation latencies into the system, but also impacts |
| 1589 | system performance due to overreclaim, to the point where the feature |
| 1590 | becomes self-defeating. |
| 1591 | |
| 1592 | The memory.low boundary on the other hand is a top-down allocated |
| 1593 | reserve. A cgroup enjoys reclaim protection when it and all its |
| 1594 | ancestors are below their low boundaries, which makes delegation of |
| 1595 | subtrees possible. Secondly, new cgroups have no reserve per default |
| 1596 | and in the common case most cgroups are eligible for the preferred |
| 1597 | reclaim pass. This allows the new low boundary to be efficiently |
| 1598 | implemented with just a minor addition to the generic reclaim code, |
| 1599 | without the need for out-of-band data structures and reclaim passes. |
| 1600 | Because the generic reclaim code considers all cgroups except for the |
| 1601 | ones running low in the preferred first reclaim pass, overreclaim of |
| 1602 | individual groups is eliminated as well, resulting in much better |
| 1603 | overall workload performance. |
| 1604 | |
| 1605 | The original high boundary, the hard limit, is defined as a strict |
| 1606 | limit that can not budge, even if the OOM killer has to be called. |
| 1607 | But this generally goes against the goal of making the most out of the |
| 1608 | available memory. The memory consumption of workloads varies during |
| 1609 | runtime, and that requires users to overcommit. But doing that with a |
| 1610 | strict upper limit requires either a fairly accurate prediction of the |
| 1611 | working set size or adding slack to the limit. Since working set size |
| 1612 | estimation is hard and error prone, and getting it wrong results in |
| 1613 | OOM kills, most users tend to err on the side of a looser limit and |
| 1614 | end up wasting precious resources. |
| 1615 | |
| 1616 | The memory.high boundary on the other hand can be set much more |
| 1617 | conservatively. When hit, it throttles allocations by forcing them |
| 1618 | into direct reclaim to work off the excess, but it never invokes the |
| 1619 | OOM killer. As a result, a high boundary that is chosen too |
| 1620 | aggressively will not terminate the processes, but instead it will |
| 1621 | lead to gradual performance degradation. The user can monitor this |
| 1622 | and make corrections until the minimal memory footprint that still |
| 1623 | gives acceptable performance is found. |
| 1624 | |
| 1625 | In extreme cases, with many concurrent allocations and a complete |
| 1626 | breakdown of reclaim progress within the group, the high boundary can |
| 1627 | be exceeded. But even then it's mostly better to satisfy the |
| 1628 | allocation from the slack available in other groups or the rest of the |
| 1629 | system than killing the group. Otherwise, memory.max is there to |
| 1630 | limit this type of spillover and ultimately contain buggy or even |
| 1631 | malicious applications. |
Vladimir Davydov | 3e24b19 | 2016-01-20 15:03:13 -0800 | [diff] [blame] | 1632 | |
Johannes Weiner | b6e6edc | 2016-03-17 14:20:28 -0700 | [diff] [blame] | 1633 | Setting the original memory.limit_in_bytes below the current usage was |
| 1634 | subject to a race condition, where concurrent charges could cause the |
| 1635 | limit setting to fail. memory.max on the other hand will first set the |
| 1636 | limit to prevent new charges, and then reclaim and OOM kill until the |
| 1637 | new limit is met - or the task writing to memory.max is killed. |
| 1638 | |
Vladimir Davydov | 3e24b19 | 2016-01-20 15:03:13 -0800 | [diff] [blame] | 1639 | The combined memory+swap accounting and limiting is replaced by real |
| 1640 | control over swap space. |
| 1641 | |
| 1642 | The main argument for a combined memory+swap facility in the original |
| 1643 | cgroup design was that global or parental pressure would always be |
| 1644 | able to swap all anonymous memory of a child group, regardless of the |
| 1645 | child's own (possibly untrusted) configuration. However, untrusted |
| 1646 | groups can sabotage swapping by other means - such as referencing its |
| 1647 | anonymous memory in a tight loop - and an admin can not assume full |
| 1648 | swappability when overcommitting untrusted jobs. |
| 1649 | |
| 1650 | For trusted jobs, on the other hand, a combined counter is not an |
| 1651 | intuitive userspace interface, and it flies in the face of the idea |
| 1652 | that cgroup controllers should account and limit specific physical |
| 1653 | resources. Swap space is a resource like all others in the system, |
| 1654 | and that's why unified hierarchy allows distributing it separately. |