blob: 3b8449f8ac7e80a0ebeaf6dfe8c64b15503f3954 [file] [log] [blame]
Tejun Heo6c292092015-11-16 11:13:34 -05001
2Control Group v2
3
4October, 2015 Tejun Heo <tj@kernel.org>
5
6This is the authoritative documentation on the design, interface and
7conventions of cgroup v2. It describes all userland-visible aspects
8of cgroup including core and specific controller behaviors. All
9future changes must be reflected in this document. Documentation for
W. Trevor King9a2ddda2016-01-27 13:01:52 -080010v1 is available under Documentation/cgroup-v1/.
Tejun Heo6c292092015-11-16 11:13:34 -050011
12CONTENTS
13
141. Introduction
15 1-1. Terminology
16 1-2. What is cgroup?
172. Basic Operations
18 2-1. Mounting
19 2-2. Organizing Processes
20 2-3. [Un]populated Notification
21 2-4. Controlling Controllers
22 2-4-1. Enabling and Disabling
23 2-4-2. Top-down Constraint
24 2-4-3. No Internal Process Constraint
25 2-5. Delegation
26 2-5-1. Model of Delegation
27 2-5-2. Delegation Containment
28 2-6. Guidelines
29 2-6-1. Organize Once and Control
30 2-6-2. Avoid Name Collisions
313. Resource Distribution Models
32 3-1. Weights
33 3-2. Limits
34 3-3. Protections
35 3-4. Allocations
364. Interface Files
37 4-1. Format
38 4-2. Conventions
39 4-3. Core Interface Files
405. Controllers
41 5-1. CPU
42 5-1-1. CPU Interface Files
43 5-2. Memory
44 5-2-1. Memory Interface Files
45 5-2-2. Usage Guidelines
46 5-2-3. Memory Ownership
47 5-3. IO
48 5-3-1. IO Interface Files
49 5-3-2. Writeback
Hans Ragas20c56e52017-01-10 17:42:34 +000050 5-4. PID
51 5-4-1. PID Interface Files
Tejun Heo63f1ca52017-02-02 13:50:35 -050052 5-5. RDMA
53 5-5-1. RDMA Interface Files
54 5-6. Misc
55 5-6-1. perf_event
Serge Hallynd4021f62016-01-29 02:54:10 -0600566. Namespace
57 6-1. Basics
58 6-2. The Root and Views
59 6-3. Migration and setns(2)
60 6-4. Interaction with Other Namespaces
Tejun Heo6c292092015-11-16 11:13:34 -050061P. Information on Kernel Programming
62 P-1. Filesystem Support for Writeback
63D. Deprecated v1 Core Features
64R. Issues with v1 and Rationales for v2
65 R-1. Multiple Hierarchies
66 R-2. Thread Granularity
67 R-3. Competition Between Inner Nodes and Threads
68 R-4. Other Interface Issues
69 R-5. Controller Issues and Remedies
70 R-5-1. Memory
71
72
731. Introduction
74
751-1. Terminology
76
77"cgroup" stands for "control group" and is never capitalized. The
78singular form is used to designate the whole feature and also as a
79qualifier as in "cgroup controllers". When explicitly referring to
80multiple individual control groups, the plural form "cgroups" is used.
81
82
831-2. What is cgroup?
84
85cgroup is a mechanism to organize processes hierarchically and
86distribute system resources along the hierarchy in a controlled and
87configurable manner.
88
89cgroup is largely composed of two parts - the core and controllers.
90cgroup core is primarily responsible for hierarchically organizing
91processes. A cgroup controller is usually responsible for
92distributing a specific type of system resource along the hierarchy
93although there are utility controllers which serve purposes other than
94resource distribution.
95
96cgroups form a tree structure and every process in the system belongs
97to one and only one cgroup. All threads of a process belong to the
98same cgroup. On creation, all processes are put in the cgroup that
99the parent process belongs to at the time. A process can be migrated
100to another cgroup. Migration of a process doesn't affect already
101existing descendant processes.
102
103Following certain structural constraints, controllers may be enabled or
104disabled selectively on a cgroup. All controller behaviors are
105hierarchical - if a controller is enabled on a cgroup, it affects all
106processes which belong to the cgroups consisting the inclusive
107sub-hierarchy of the cgroup. When a controller is enabled on a nested
108cgroup, it always restricts the resource distribution further. The
109restrictions set closer to the root in the hierarchy can not be
110overridden from further away.
111
112
1132. Basic Operations
114
1152-1. Mounting
116
117Unlike v1, cgroup v2 has only single hierarchy. The cgroup v2
118hierarchy can be mounted with the following mount command.
119
120 # mount -t cgroup2 none $MOUNT_POINT
121
122cgroup2 filesystem has the magic number 0x63677270 ("cgrp"). All
123controllers which support v2 and are not bound to a v1 hierarchy are
124automatically bound to the v2 hierarchy and show up at the root.
125Controllers which are not in active use in the v2 hierarchy can be
126bound to other hierarchies. This allows mixing v2 hierarchy with the
127legacy v1 multiple hierarchies in a fully backward compatible way.
128
129A controller can be moved across hierarchies only after the controller
130is no longer referenced in its current hierarchy. Because per-cgroup
131controller states are destroyed asynchronously and controllers may
132have lingering references, a controller may not show up immediately on
133the v2 hierarchy after the final umount of the previous hierarchy.
134Similarly, a controller should be fully disabled to be moved out of
135the unified hierarchy and it may take some time for the disabled
136controller to become available for other hierarchies; furthermore, due
137to inter-controller dependencies, other controllers may need to be
138disabled too.
139
140While useful for development and manual configurations, moving
141controllers dynamically between the v2 and other hierarchies is
142strongly discouraged for production use. It is recommended to decide
143the hierarchies and controller associations before starting using the
144controllers after system boot.
145
Johannes Weiner1619b6d2016-02-16 13:21:14 -0500146During transition to v2, system management software might still
147automount the v1 cgroup filesystem and so hijack all controllers
148during boot, before manual intervention is possible. To make testing
149and experimenting easier, the kernel parameter cgroup_no_v1= allows
150disabling controllers in v1 and make them always available in v2.
151
Tejun Heo6c292092015-11-16 11:13:34 -0500152
1532-2. Organizing Processes
154
155Initially, only the root cgroup exists to which all processes belong.
156A child cgroup can be created by creating a sub-directory.
157
158 # mkdir $CGROUP_NAME
159
160A given cgroup may have multiple child cgroups forming a tree
161structure. Each cgroup has a read-writable interface file
162"cgroup.procs". When read, it lists the PIDs of all processes which
163belong to the cgroup one-per-line. The PIDs are not ordered and the
164same PID may show up more than once if the process got moved to
165another cgroup and then back or the PID got recycled while reading.
166
167A process can be migrated into a cgroup by writing its PID to the
168target cgroup's "cgroup.procs" file. Only one process can be migrated
169on a single write(2) call. If a process is composed of multiple
170threads, writing the PID of any thread migrates all threads of the
171process.
172
173When a process forks a child process, the new process is born into the
174cgroup that the forking process belongs to at the time of the
175operation. After exit, a process stays associated with the cgroup
176that it belonged to at the time of exit until it's reaped; however, a
177zombie process does not appear in "cgroup.procs" and thus can't be
178moved to another cgroup.
179
180A cgroup which doesn't have any children or live processes can be
181destroyed by removing the directory. Note that a cgroup which doesn't
182have any children and is associated only with zombie processes is
183considered empty and can be removed.
184
185 # rmdir $CGROUP_NAME
186
187"/proc/$PID/cgroup" lists a process's cgroup membership. If legacy
188cgroup is in use in the system, this file may contain multiple lines,
189one for each hierarchy. The entry for cgroup v2 is always in the
190format "0::$PATH".
191
192 # cat /proc/842/cgroup
193 ...
194 0::/test-cgroup/test-cgroup-nested
195
196If the process becomes a zombie and the cgroup it was associated with
197is removed subsequently, " (deleted)" is appended to the path.
198
199 # cat /proc/842/cgroup
200 ...
201 0::/test-cgroup/test-cgroup-nested (deleted)
202
203
2042-3. [Un]populated Notification
205
206Each non-root cgroup has a "cgroup.events" file which contains
207"populated" field indicating whether the cgroup's sub-hierarchy has
208live processes in it. Its value is 0 if there is no live process in
209the cgroup and its descendants; otherwise, 1. poll and [id]notify
210events are triggered when the value changes. This can be used, for
211example, to start a clean-up operation after all processes of a given
212sub-hierarchy have exited. The populated state updates and
213notifications are recursive. Consider the following sub-hierarchy
214where the numbers in the parentheses represent the numbers of processes
215in each cgroup.
216
217 A(4) - B(0) - C(1)
218 \ D(0)
219
220A, B and C's "populated" fields would be 1 while D's 0. After the one
221process in C exits, B and C's "populated" fields would flip to "0" and
222file modified events will be generated on the "cgroup.events" files of
223both cgroups.
224
225
2262-4. Controlling Controllers
227
2282-4-1. Enabling and Disabling
229
230Each cgroup has a "cgroup.controllers" file which lists all
231controllers available for the cgroup to enable.
232
233 # cat cgroup.controllers
234 cpu io memory
235
236No controller is enabled by default. Controllers can be enabled and
237disabled by writing to the "cgroup.subtree_control" file.
238
239 # echo "+cpu +memory -io" > cgroup.subtree_control
240
241Only controllers which are listed in "cgroup.controllers" can be
242enabled. When multiple operations are specified as above, either they
243all succeed or fail. If multiple operations on the same controller
244are specified, the last one is effective.
245
246Enabling a controller in a cgroup indicates that the distribution of
247the target resource across its immediate children will be controlled.
248Consider the following sub-hierarchy. The enabled controllers are
249listed in parentheses.
250
251 A(cpu,memory) - B(memory) - C()
252 \ D()
253
254As A has "cpu" and "memory" enabled, A will control the distribution
255of CPU cycles and memory to its children, in this case, B. As B has
256"memory" enabled but not "CPU", C and D will compete freely on CPU
257cycles but their division of memory available to B will be controlled.
258
259As a controller regulates the distribution of the target resource to
260the cgroup's children, enabling it creates the controller's interface
261files in the child cgroups. In the above example, enabling "cpu" on B
262would create the "cpu." prefixed controller interface files in C and
263D. Likewise, disabling "memory" from B would remove the "memory."
264prefixed controller interface files from C and D. This means that the
265controller interface files - anything which doesn't start with
266"cgroup." are owned by the parent rather than the cgroup itself.
267
268
2692-4-2. Top-down Constraint
270
271Resources are distributed top-down and a cgroup can further distribute
272a resource only if the resource has been distributed to it from the
273parent. This means that all non-root "cgroup.subtree_control" files
274can only contain controllers which are enabled in the parent's
275"cgroup.subtree_control" file. A controller can be enabled only if
276the parent has the controller enabled and a controller can't be
277disabled if one or more children have it enabled.
278
279
2802-4-3. No Internal Process Constraint
281
282Non-root cgroups can only distribute resources to their children when
283they don't have any processes of their own. In other words, only
284cgroups which don't contain any processes can have controllers enabled
285in their "cgroup.subtree_control" files.
286
287This guarantees that, when a controller is looking at the part of the
288hierarchy which has it enabled, processes are always only on the
289leaves. This rules out situations where child cgroups compete against
290internal processes of the parent.
291
292The root cgroup is exempt from this restriction. Root contains
293processes and anonymous resource consumption which can't be associated
294with any other cgroups and requires special treatment from most
295controllers. How resource consumption in the root cgroup is governed
296is up to each controller.
297
298Note that the restriction doesn't get in the way if there is no
299enabled controller in the cgroup's "cgroup.subtree_control". This is
300important as otherwise it wouldn't be possible to create children of a
301populated cgroup. To control resource distribution of a cgroup, the
302cgroup must create children and transfer all its processes to the
303children before enabling controllers in its "cgroup.subtree_control"
304file.
305
306
3072-5. Delegation
308
3092-5-1. Model of Delegation
310
311A cgroup can be delegated to a less privileged user by granting write
312access of the directory and its "cgroup.procs" file to the user. Note
313that resource control interface files in a given directory control the
314distribution of the parent's resources and thus must not be delegated
315along with the directory.
316
317Once delegated, the user can build sub-hierarchy under the directory,
318organize processes as it sees fit and further distribute the resources
319it received from the parent. The limits and other settings of all
320resource controllers are hierarchical and regardless of what happens
321in the delegated sub-hierarchy, nothing can escape the resource
322restrictions imposed by the parent.
323
324Currently, cgroup doesn't impose any restrictions on the number of
325cgroups in or nesting depth of a delegated sub-hierarchy; however,
326this may be limited explicitly in the future.
327
328
3292-5-2. Delegation Containment
330
331A delegated sub-hierarchy is contained in the sense that processes
332can't be moved into or out of the sub-hierarchy by the delegatee. For
333a process with a non-root euid to migrate a target process into a
334cgroup by writing its PID to the "cgroup.procs" file, the following
335conditions must be met.
336
Tejun Heo6c292092015-11-16 11:13:34 -0500337- The writer must have write access to the "cgroup.procs" file.
338
339- The writer must have write access to the "cgroup.procs" file of the
340 common ancestor of the source and destination cgroups.
341
Tejun Heo576dd462017-01-20 11:29:54 -0500342The above two constraints ensure that while a delegatee may migrate
Tejun Heo6c292092015-11-16 11:13:34 -0500343processes around freely in the delegated sub-hierarchy it can't pull
344in from or push out to outside the sub-hierarchy.
345
346For an example, let's assume cgroups C0 and C1 have been delegated to
347user U0 who created C00, C01 under C0 and C10 under C1 as follows and
348all processes under C0 and C1 belong to U0.
349
350 ~~~~~~~~~~~~~ - C0 - C00
351 ~ cgroup ~ \ C01
352 ~ hierarchy ~
353 ~~~~~~~~~~~~~ - C1 - C10
354
355Let's also say U0 wants to write the PID of a process which is
356currently in C10 into "C00/cgroup.procs". U0 has write access to the
Tejun Heo576dd462017-01-20 11:29:54 -0500357file; however, the common ancestor of the source cgroup C10 and the
358destination cgroup C00 is above the points of delegation and U0 would
359not have write access to its "cgroup.procs" files and thus the write
360will be denied with -EACCES.
Tejun Heo6c292092015-11-16 11:13:34 -0500361
362
3632-6. Guidelines
364
3652-6-1. Organize Once and Control
366
367Migrating a process across cgroups is a relatively expensive operation
368and stateful resources such as memory are not moved together with the
369process. This is an explicit design decision as there often exist
370inherent trade-offs between migration and various hot paths in terms
371of synchronization cost.
372
373As such, migrating processes across cgroups frequently as a means to
374apply different resource restrictions is discouraged. A workload
375should be assigned to a cgroup according to the system's logical and
376resource structure once on start-up. Dynamic adjustments to resource
377distribution can be made by changing controller configuration through
378the interface files.
379
380
3812-6-2. Avoid Name Collisions
382
383Interface files for a cgroup and its children cgroups occupy the same
384directory and it is possible to create children cgroups which collide
385with interface files.
386
387All cgroup core interface files are prefixed with "cgroup." and each
388controller's interface files are prefixed with the controller name and
389a dot. A controller's name is composed of lower case alphabets and
390'_'s but never begins with an '_' so it can be used as the prefix
391character for collision avoidance. Also, interface file names won't
392start or end with terms which are often used in categorizing workloads
393such as job, service, slice, unit or workload.
394
395cgroup doesn't do anything to prevent name collisions and it's the
396user's responsibility to avoid them.
397
398
3993. Resource Distribution Models
400
401cgroup controllers implement several resource distribution schemes
402depending on the resource type and expected use cases. This section
403describes major schemes in use along with their expected behaviors.
404
405
4063-1. Weights
407
408A parent's resource is distributed by adding up the weights of all
409active children and giving each the fraction matching the ratio of its
410weight against the sum. As only children which can make use of the
411resource at the moment participate in the distribution, this is
412work-conserving. Due to the dynamic nature, this model is usually
413used for stateless resources.
414
415All weights are in the range [1, 10000] with the default at 100. This
416allows symmetric multiplicative biases in both directions at fine
417enough granularity while staying in the intuitive range.
418
419As long as the weight is in range, all configuration combinations are
420valid and there is no reason to reject configuration changes or
421process migrations.
422
423"cpu.weight" proportionally distributes CPU cycles to active children
424and is an example of this type.
425
426
4273-2. Limits
428
429A child can only consume upto the configured amount of the resource.
430Limits can be over-committed - the sum of the limits of children can
431exceed the amount of resource available to the parent.
432
433Limits are in the range [0, max] and defaults to "max", which is noop.
434
435As limits can be over-committed, all configuration combinations are
436valid and there is no reason to reject configuration changes or
437process migrations.
438
439"io.max" limits the maximum BPS and/or IOPS that a cgroup can consume
440on an IO device and is an example of this type.
441
442
4433-3. Protections
444
445A cgroup is protected to be allocated upto the configured amount of
446the resource if the usages of all its ancestors are under their
447protected levels. Protections can be hard guarantees or best effort
448soft boundaries. Protections can also be over-committed in which case
449only upto the amount available to the parent is protected among
450children.
451
452Protections are in the range [0, max] and defaults to 0, which is
453noop.
454
455As protections can be over-committed, all configuration combinations
456are valid and there is no reason to reject configuration changes or
457process migrations.
458
459"memory.low" implements best-effort memory protection and is an
460example of this type.
461
462
4633-4. Allocations
464
465A cgroup is exclusively allocated a certain amount of a finite
466resource. Allocations can't be over-committed - the sum of the
467allocations of children can not exceed the amount of resource
468available to the parent.
469
470Allocations are in the range [0, max] and defaults to 0, which is no
471resource.
472
473As allocations can't be over-committed, some configuration
474combinations are invalid and should be rejected. Also, if the
475resource is mandatory for execution of processes, process migrations
476may be rejected.
477
478"cpu.rt.max" hard-allocates realtime slices and is an example of this
479type.
480
481
4824. Interface Files
483
4844-1. Format
485
486All interface files should be in one of the following formats whenever
487possible.
488
489 New-line separated values
490 (when only one value can be written at once)
491
492 VAL0\n
493 VAL1\n
494 ...
495
496 Space separated values
497 (when read-only or multiple values can be written at once)
498
499 VAL0 VAL1 ...\n
500
501 Flat keyed
502
503 KEY0 VAL0\n
504 KEY1 VAL1\n
505 ...
506
507 Nested keyed
508
509 KEY0 SUB_KEY0=VAL00 SUB_KEY1=VAL01...
510 KEY1 SUB_KEY0=VAL10 SUB_KEY1=VAL11...
511 ...
512
513For a writable file, the format for writing should generally match
514reading; however, controllers may allow omitting later fields or
515implement restricted shortcuts for most common use cases.
516
517For both flat and nested keyed files, only the values for a single key
518can be written at a time. For nested keyed files, the sub key pairs
519may be specified in any order and not all pairs have to be specified.
520
521
5224-2. Conventions
523
524- Settings for a single feature should be contained in a single file.
525
526- The root cgroup should be exempt from resource control and thus
527 shouldn't have resource control interface files. Also,
528 informational files on the root cgroup which end up showing global
529 information available elsewhere shouldn't exist.
530
531- If a controller implements weight based resource distribution, its
532 interface file should be named "weight" and have the range [1,
533 10000] with 100 as the default. The values are chosen to allow
534 enough and symmetric bias in both directions while keeping it
535 intuitive (the default is 100%).
536
537- If a controller implements an absolute resource guarantee and/or
538 limit, the interface files should be named "min" and "max"
539 respectively. If a controller implements best effort resource
540 guarantee and/or limit, the interface files should be named "low"
541 and "high" respectively.
542
543 In the above four control files, the special token "max" should be
544 used to represent upward infinity for both reading and writing.
545
546- If a setting has a configurable default value and keyed specific
547 overrides, the default entry should be keyed with "default" and
548 appear as the first entry in the file.
549
550 The default value can be updated by writing either "default $VAL" or
551 "$VAL".
552
553 When writing to update a specific override, "default" can be used as
554 the value to indicate removal of the override. Override entries
555 with "default" as the value must not appear when read.
556
557 For example, a setting which is keyed by major:minor device numbers
558 with integer values may look like the following.
559
560 # cat cgroup-example-interface-file
561 default 150
562 8:0 300
563
564 The default value can be updated by
565
566 # echo 125 > cgroup-example-interface-file
567
568 or
569
570 # echo "default 125" > cgroup-example-interface-file
571
572 An override can be set by
573
574 # echo "8:16 170" > cgroup-example-interface-file
575
576 and cleared by
577
578 # echo "8:0 default" > cgroup-example-interface-file
579 # cat cgroup-example-interface-file
580 default 125
581 8:16 170
582
583- For events which are not very high frequency, an interface file
584 "events" should be created which lists event key value pairs.
585 Whenever a notifiable event happens, file modified event should be
586 generated on the file.
587
588
5894-3. Core Interface Files
590
591All cgroup core files are prefixed with "cgroup."
592
593 cgroup.procs
594
595 A read-write new-line separated values file which exists on
596 all cgroups.
597
598 When read, it lists the PIDs of all processes which belong to
599 the cgroup one-per-line. The PIDs are not ordered and the
600 same PID may show up more than once if the process got moved
601 to another cgroup and then back or the PID got recycled while
602 reading.
603
604 A PID can be written to migrate the process associated with
605 the PID to the cgroup. The writer should match all of the
606 following conditions.
607
608 - Its euid is either root or must match either uid or suid of
609 the target process.
610
611 - It must have write access to the "cgroup.procs" file.
612
613 - It must have write access to the "cgroup.procs" file of the
614 common ancestor of the source and destination cgroups.
615
616 When delegating a sub-hierarchy, write access to this file
617 should be granted along with the containing directory.
618
619 cgroup.controllers
620
621 A read-only space separated values file which exists on all
622 cgroups.
623
624 It shows space separated list of all controllers available to
625 the cgroup. The controllers are not ordered.
626
627 cgroup.subtree_control
628
629 A read-write space separated values file which exists on all
630 cgroups. Starts out empty.
631
632 When read, it shows space separated list of the controllers
633 which are enabled to control resource distribution from the
634 cgroup to its children.
635
636 Space separated list of controllers prefixed with '+' or '-'
637 can be written to enable or disable controllers. A controller
638 name prefixed with '+' enables the controller and '-'
639 disables. If a controller appears more than once on the list,
640 the last one is effective. When multiple enable and disable
641 operations are specified, either all succeed or all fail.
642
643 cgroup.events
644
645 A read-only flat-keyed file which exists on non-root cgroups.
646 The following entries are defined. Unless specified
647 otherwise, a value change in this file generates a file
648 modified event.
649
650 populated
651
652 1 if the cgroup or its descendants contains any live
653 processes; otherwise, 0.
654
655
6565. Controllers
657
6585-1. CPU
659
660[NOTE: The interface for the cpu controller hasn't been merged yet]
661
662The "cpu" controllers regulates distribution of CPU cycles. This
663controller implements weight and absolute bandwidth limit models for
664normal scheduling policy and absolute bandwidth allocation model for
665realtime scheduling policy.
666
667
6685-1-1. CPU Interface Files
669
670All time durations are in microseconds.
671
672 cpu.stat
673
674 A read-only flat-keyed file which exists on non-root cgroups.
675
676 It reports the following six stats.
677
678 usage_usec
679 user_usec
680 system_usec
681 nr_periods
682 nr_throttled
683 throttled_usec
684
685 cpu.weight
686
687 A read-write single value file which exists on non-root
688 cgroups. The default is "100".
689
690 The weight in the range [1, 10000].
691
692 cpu.max
693
694 A read-write two value file which exists on non-root cgroups.
695 The default is "max 100000".
696
697 The maximum bandwidth limit. It's in the following format.
698
699 $MAX $PERIOD
700
701 which indicates that the group may consume upto $MAX in each
702 $PERIOD duration. "max" for $MAX indicates no limit. If only
703 one number is written, $MAX is updated.
704
705 cpu.rt.max
706
707 [NOTE: The semantics of this file is still under discussion and the
708 interface hasn't been merged yet]
709
710 A read-write two value file which exists on all cgroups.
711 The default is "0 100000".
712
713 The maximum realtime runtime allocation. Over-committing
714 configurations are disallowed and process migrations are
715 rejected if not enough bandwidth is available. It's in the
716 following format.
717
718 $MAX $PERIOD
719
720 which indicates that the group may consume upto $MAX in each
721 $PERIOD duration. If only one number is written, $MAX is
722 updated.
723
724
7255-2. Memory
726
727The "memory" controller regulates distribution of memory. Memory is
728stateful and implements both limit and protection models. Due to the
729intertwining between memory usage and reclaim pressure and the
730stateful nature of memory, the distribution model is relatively
731complex.
732
733While not completely water-tight, all major memory usages by a given
734cgroup are tracked so that the total memory consumption can be
735accounted and controlled to a reasonable extent. Currently, the
736following types of memory usages are tracked.
737
738- Userland memory - page cache and anonymous memory.
739
740- Kernel data structures such as dentries and inodes.
741
742- TCP socket buffers.
743
744The above list may expand in the future for better coverage.
745
746
7475-2-1. Memory Interface Files
748
749All memory amounts are in bytes. If a value which is not aligned to
750PAGE_SIZE is written, the value may be rounded up to the closest
751PAGE_SIZE multiple when read back.
752
753 memory.current
754
755 A read-only single value file which exists on non-root
756 cgroups.
757
758 The total amount of memory currently being used by the cgroup
759 and its descendants.
760
761 memory.low
762
763 A read-write single value file which exists on non-root
764 cgroups. The default is "0".
765
766 Best-effort memory protection. If the memory usages of a
767 cgroup and all its ancestors are below their low boundaries,
768 the cgroup's memory won't be reclaimed unless memory can be
769 reclaimed from unprotected cgroups.
770
771 Putting more memory than generally available under this
772 protection is discouraged.
773
774 memory.high
775
776 A read-write single value file which exists on non-root
777 cgroups. The default is "max".
778
779 Memory usage throttle limit. This is the main mechanism to
780 control memory usage of a cgroup. If a cgroup's usage goes
781 over the high boundary, the processes of the cgroup are
782 throttled and put under heavy reclaim pressure.
783
784 Going over the high limit never invokes the OOM killer and
785 under extreme conditions the limit may be breached.
786
787 memory.max
788
789 A read-write single value file which exists on non-root
790 cgroups. The default is "max".
791
792 Memory usage hard limit. This is the final protection
793 mechanism. If a cgroup's memory usage reaches this limit and
794 can't be reduced, the OOM killer is invoked in the cgroup.
795 Under certain circumstances, the usage may go over the limit
796 temporarily.
797
798 This is the ultimate protection mechanism. As long as the
799 high limit is used and monitored properly, this limit's
800 utility is limited to providing the final safety net.
801
802 memory.events
803
804 A read-only flat-keyed file which exists on non-root cgroups.
805 The following entries are defined. Unless specified
806 otherwise, a value change in this file generates a file
807 modified event.
808
809 low
810
811 The number of times the cgroup is reclaimed due to
812 high memory pressure even though its usage is under
813 the low boundary. This usually indicates that the low
814 boundary is over-committed.
815
816 high
817
818 The number of times processes of the cgroup are
819 throttled and routed to perform direct memory reclaim
820 because the high memory boundary was exceeded. For a
821 cgroup whose memory usage is capped by the high limit
822 rather than global memory pressure, this event's
823 occurrences are expected.
824
825 max
826
827 The number of times the cgroup's memory usage was
828 about to go over the max boundary. If direct reclaim
829 fails to bring it down, the OOM killer is invoked.
830
831 oom
832
833 The number of times the OOM killer has been invoked in
834 the cgroup. This may not exactly match the number of
835 processes killed but should generally be close.
836
Johannes Weiner587d9f72016-01-20 15:03:19 -0800837 memory.stat
838
839 A read-only flat-keyed file which exists on non-root cgroups.
840
841 This breaks down the cgroup's memory footprint into different
842 types of memory, type-specific details, and other information
843 on the state and past events of the memory management system.
844
845 All memory amounts are in bytes.
846
847 The entries are ordered to be human readable, and new entries
848 can show up in the middle. Don't rely on items remaining in a
849 fixed position; use the keys to look up specific values!
850
851 anon
852
853 Amount of memory used in anonymous mappings such as
854 brk(), sbrk(), and mmap(MAP_ANONYMOUS)
855
856 file
857
858 Amount of memory used to cache filesystem data,
859 including tmpfs and shared memory.
860
Vladimir Davydov12580e42016-03-17 14:17:38 -0700861 kernel_stack
862
863 Amount of memory allocated to kernel stacks.
864
Vladimir Davydov27ee57c2016-03-17 14:17:35 -0700865 slab
866
867 Amount of memory used for storing in-kernel data
868 structures.
869
Johannes Weiner4758e192016-02-02 16:57:41 -0800870 sock
871
872 Amount of memory used in network transmission buffers
873
Johannes Weiner587d9f72016-01-20 15:03:19 -0800874 file_mapped
875
876 Amount of cached filesystem data mapped with mmap()
877
878 file_dirty
879
880 Amount of cached filesystem data that was modified but
881 not yet written back to disk
882
883 file_writeback
884
885 Amount of cached filesystem data that was modified and
886 is currently being written back to disk
887
888 inactive_anon
889 active_anon
890 inactive_file
891 active_file
892 unevictable
893
894 Amount of memory, swap-backed and filesystem-backed,
895 on the internal memory management lists used by the
896 page reclaim algorithm
897
Vladimir Davydov27ee57c2016-03-17 14:17:35 -0700898 slab_reclaimable
899
900 Part of "slab" that might be reclaimed, such as
901 dentries and inodes.
902
903 slab_unreclaimable
904
905 Part of "slab" that cannot be reclaimed on memory
906 pressure.
907
Johannes Weiner587d9f72016-01-20 15:03:19 -0800908 pgfault
909
910 Total number of page faults incurred
911
912 pgmajfault
913
914 Number of major page faults incurred
915
Vladimir Davydov3e24b192016-01-20 15:03:13 -0800916 memory.swap.current
917
918 A read-only single value file which exists on non-root
919 cgroups.
920
921 The total amount of swap currently being used by the cgroup
922 and its descendants.
923
924 memory.swap.max
925
926 A read-write single value file which exists on non-root
927 cgroups. The default is "max".
928
929 Swap usage hard limit. If a cgroup's swap usage reaches this
930 limit, anonymous meomry of the cgroup will not be swapped out.
931
Tejun Heo6c292092015-11-16 11:13:34 -0500932
Parav Pandit6c83e6cb2016-03-05 11:20:58 +05309335-2-2. Usage Guidelines
Tejun Heo6c292092015-11-16 11:13:34 -0500934
935"memory.high" is the main mechanism to control memory usage.
936Over-committing on high limit (sum of high limits > available memory)
937and letting global memory pressure to distribute memory according to
938usage is a viable strategy.
939
940Because breach of the high limit doesn't trigger the OOM killer but
941throttles the offending cgroup, a management agent has ample
942opportunities to monitor and take appropriate actions such as granting
943more memory or terminating the workload.
944
945Determining whether a cgroup has enough memory is not trivial as
946memory usage doesn't indicate whether the workload can benefit from
947more memory. For example, a workload which writes data received from
948network to a file can use all available memory but can also operate as
949performant with a small amount of memory. A measure of memory
950pressure - how much the workload is being impacted due to lack of
951memory - is necessary to determine whether a workload needs more
952memory; unfortunately, memory pressure monitoring mechanism isn't
953implemented yet.
954
955
9565-2-3. Memory Ownership
957
958A memory area is charged to the cgroup which instantiated it and stays
959charged to the cgroup until the area is released. Migrating a process
960to a different cgroup doesn't move the memory usages that it
961instantiated while in the previous cgroup to the new cgroup.
962
963A memory area may be used by processes belonging to different cgroups.
964To which cgroup the area will be charged is in-deterministic; however,
965over time, the memory area is likely to end up in a cgroup which has
966enough memory allowance to avoid high reclaim pressure.
967
968If a cgroup sweeps a considerable amount of memory which is expected
969to be accessed repeatedly by other cgroups, it may make sense to use
970POSIX_FADV_DONTNEED to relinquish the ownership of memory areas
971belonging to the affected files to ensure correct memory ownership.
972
973
9745-3. IO
975
976The "io" controller regulates the distribution of IO resources. This
977controller implements both weight based and absolute bandwidth or IOPS
978limit distribution; however, weight based distribution is available
979only if cfq-iosched is in use and neither scheme is available for
980blk-mq devices.
981
982
9835-3-1. IO Interface Files
984
985 io.stat
986
987 A read-only nested-keyed file which exists on non-root
988 cgroups.
989
990 Lines are keyed by $MAJ:$MIN device numbers and not ordered.
991 The following nested keys are defined.
992
993 rbytes Bytes read
994 wbytes Bytes written
995 rios Number of read IOs
996 wios Number of write IOs
997
998 An example read output follows.
999
1000 8:16 rbytes=1459200 wbytes=314773504 rios=192 wios=353
1001 8:0 rbytes=90430464 wbytes=299008000 rios=8950 wios=1252
1002
1003 io.weight
1004
1005 A read-write flat-keyed file which exists on non-root cgroups.
1006 The default is "default 100".
1007
1008 The first line is the default weight applied to devices
1009 without specific override. The rest are overrides keyed by
1010 $MAJ:$MIN device numbers and not ordered. The weights are in
1011 the range [1, 10000] and specifies the relative amount IO time
1012 the cgroup can use in relation to its siblings.
1013
1014 The default weight can be updated by writing either "default
1015 $WEIGHT" or simply "$WEIGHT". Overrides can be set by writing
1016 "$MAJ:$MIN $WEIGHT" and unset by writing "$MAJ:$MIN default".
1017
1018 An example read output follows.
1019
1020 default 100
1021 8:16 200
1022 8:0 50
1023
1024 io.max
1025
1026 A read-write nested-keyed file which exists on non-root
1027 cgroups.
1028
1029 BPS and IOPS based IO limit. Lines are keyed by $MAJ:$MIN
1030 device numbers and not ordered. The following nested keys are
1031 defined.
1032
1033 rbps Max read bytes per second
1034 wbps Max write bytes per second
1035 riops Max read IO operations per second
1036 wiops Max write IO operations per second
1037
1038 When writing, any number of nested key-value pairs can be
1039 specified in any order. "max" can be specified as the value
1040 to remove a specific limit. If the same key is specified
1041 multiple times, the outcome is undefined.
1042
1043 BPS and IOPS are measured in each IO direction and IOs are
1044 delayed if limit is reached. Temporary bursts are allowed.
1045
1046 Setting read limit at 2M BPS and write at 120 IOPS for 8:16.
1047
1048 echo "8:16 rbps=2097152 wiops=120" > io.max
1049
1050 Reading returns the following.
1051
1052 8:16 rbps=2097152 wbps=max riops=max wiops=120
1053
1054 Write IOPS limit can be removed by writing the following.
1055
1056 echo "8:16 wiops=max" > io.max
1057
1058 Reading now returns the following.
1059
1060 8:16 rbps=2097152 wbps=max riops=max wiops=max
1061
1062
10635-3-2. Writeback
1064
1065Page cache is dirtied through buffered writes and shared mmaps and
1066written asynchronously to the backing filesystem by the writeback
1067mechanism. Writeback sits between the memory and IO domains and
1068regulates the proportion of dirty memory by balancing dirtying and
1069write IOs.
1070
1071The io controller, in conjunction with the memory controller,
1072implements control of page cache writeback IOs. The memory controller
1073defines the memory domain that dirty memory ratio is calculated and
1074maintained for and the io controller defines the io domain which
1075writes out dirty pages for the memory domain. Both system-wide and
1076per-cgroup dirty memory states are examined and the more restrictive
1077of the two is enforced.
1078
1079cgroup writeback requires explicit support from the underlying
1080filesystem. Currently, cgroup writeback is implemented on ext2, ext4
1081and btrfs. On other filesystems, all writeback IOs are attributed to
1082the root cgroup.
1083
1084There are inherent differences in memory and writeback management
1085which affects how cgroup ownership is tracked. Memory is tracked per
1086page while writeback per inode. For the purpose of writeback, an
1087inode is assigned to a cgroup and all IO requests to write dirty pages
1088from the inode are attributed to that cgroup.
1089
1090As cgroup ownership for memory is tracked per page, there can be pages
1091which are associated with different cgroups than the one the inode is
1092associated with. These are called foreign pages. The writeback
1093constantly keeps track of foreign pages and, if a particular foreign
1094cgroup becomes the majority over a certain period of time, switches
1095the ownership of the inode to that cgroup.
1096
1097While this model is enough for most use cases where a given inode is
1098mostly dirtied by a single cgroup even when the main writing cgroup
1099changes over time, use cases where multiple cgroups write to a single
1100inode simultaneously are not supported well. In such circumstances, a
1101significant portion of IOs are likely to be attributed incorrectly.
1102As memory controller assigns page ownership on the first use and
1103doesn't update it until the page is released, even if writeback
1104strictly follows page ownership, multiple cgroups dirtying overlapping
1105areas wouldn't work as expected. It's recommended to avoid such usage
1106patterns.
1107
1108The sysctl knobs which affect writeback behavior are applied to cgroup
1109writeback as follows.
1110
1111 vm.dirty_background_ratio
1112 vm.dirty_ratio
1113
1114 These ratios apply the same to cgroup writeback with the
1115 amount of available memory capped by limits imposed by the
1116 memory controller and system-wide clean memory.
1117
1118 vm.dirty_background_bytes
1119 vm.dirty_bytes
1120
1121 For cgroup writeback, this is calculated into ratio against
1122 total available memory and applied the same way as
1123 vm.dirty[_background]_ratio.
1124
1125
Hans Ragas20c56e52017-01-10 17:42:34 +000011265-4. PID
1127
1128The process number controller is used to allow a cgroup to stop any
1129new tasks from being fork()'d or clone()'d after a specified limit is
1130reached.
1131
1132The number of tasks in a cgroup can be exhausted in ways which other
1133controllers cannot prevent, thus warranting its own controller. For
1134example, a fork bomb is likely to exhaust the number of tasks before
1135hitting memory restrictions.
1136
1137Note that PIDs used in this controller refer to TIDs, process IDs as
1138used by the kernel.
1139
1140
11415-4-1. PID Interface Files
1142
1143 pids.max
1144
1145 A read-write single value file which exists on non-root cgroups. The
1146 default is "max".
1147
1148 Hard limit of number of processes.
1149
1150 pids.current
1151
1152 A read-only single value file which exists on all cgroups.
1153
1154 The number of processes currently in the cgroup and its descendants.
1155
1156Organisational operations are not blocked by cgroup policies, so it is
1157possible to have pids.current > pids.max. This can be done by either
1158setting the limit to be smaller than pids.current, or attaching enough
1159processes to the cgroup such that pids.current is larger than
1160pids.max. However, it is not possible to violate a cgroup PID policy
1161through fork() or clone(). These will return -EAGAIN if the creation
1162of a new process would cause a cgroup policy to be violated.
1163
1164
Tejun Heo63f1ca52017-02-02 13:50:35 -050011655-5. RDMA
Tejun Heo968ebff2017-01-29 14:35:20 -05001166
Parav Pandit9c1e67f2017-01-10 00:02:15 +00001167The "rdma" controller regulates the distribution and accounting of
1168of RDMA resources.
1169
Tejun Heo63f1ca52017-02-02 13:50:35 -050011705-5-1. RDMA Interface Files
Parav Pandit9c1e67f2017-01-10 00:02:15 +00001171
1172 rdma.max
1173 A readwrite nested-keyed file that exists for all the cgroups
1174 except root that describes current configured resource limit
1175 for a RDMA/IB device.
1176
1177 Lines are keyed by device name and are not ordered.
1178 Each line contains space separated resource name and its configured
1179 limit that can be distributed.
1180
1181 The following nested keys are defined.
1182
1183 hca_handle Maximum number of HCA Handles
1184 hca_object Maximum number of HCA Objects
1185
1186 An example for mlx4 and ocrdma device follows.
1187
1188 mlx4_0 hca_handle=2 hca_object=2000
1189 ocrdma1 hca_handle=3 hca_object=max
1190
1191 rdma.current
1192 A read-only file that describes current resource usage.
1193 It exists for all the cgroup except root.
1194
1195 An example for mlx4 and ocrdma device follows.
1196
1197 mlx4_0 hca_handle=1 hca_object=20
1198 ocrdma1 hca_handle=1 hca_object=23
1199
1200
Tejun Heo63f1ca52017-02-02 13:50:35 -050012015-6. Misc
1202
12035-6-1. perf_event
Tejun Heo968ebff2017-01-29 14:35:20 -05001204
1205perf_event controller, if not mounted on a legacy hierarchy, is
1206automatically enabled on the v2 hierarchy so that perf events can
1207always be filtered by cgroup v2 path. The controller can still be
1208moved to a legacy hierarchy after v2 hierarchy is populated.
1209
1210
Serge Hallynd4021f62016-01-29 02:54:10 -060012116. Namespace
1212
12136-1. Basics
1214
1215cgroup namespace provides a mechanism to virtualize the view of the
1216"/proc/$PID/cgroup" file and cgroup mounts. The CLONE_NEWCGROUP clone
1217flag can be used with clone(2) and unshare(2) to create a new cgroup
1218namespace. The process running inside the cgroup namespace will have
1219its "/proc/$PID/cgroup" output restricted to cgroupns root. The
1220cgroupns root is the cgroup of the process at the time of creation of
1221the cgroup namespace.
1222
1223Without cgroup namespace, the "/proc/$PID/cgroup" file shows the
1224complete path of the cgroup of a process. In a container setup where
1225a set of cgroups and namespaces are intended to isolate processes the
1226"/proc/$PID/cgroup" file may leak potential system level information
1227to the isolated processes. For Example:
1228
1229 # cat /proc/self/cgroup
1230 0::/batchjobs/container_id1
1231
1232The path '/batchjobs/container_id1' can be considered as system-data
1233and undesirable to expose to the isolated processes. cgroup namespace
1234can be used to restrict visibility of this path. For example, before
1235creating a cgroup namespace, one would see:
1236
1237 # ls -l /proc/self/ns/cgroup
1238 lrwxrwxrwx 1 root root 0 2014-07-15 10:37 /proc/self/ns/cgroup -> cgroup:[4026531835]
1239 # cat /proc/self/cgroup
1240 0::/batchjobs/container_id1
1241
1242After unsharing a new namespace, the view changes.
1243
1244 # ls -l /proc/self/ns/cgroup
1245 lrwxrwxrwx 1 root root 0 2014-07-15 10:35 /proc/self/ns/cgroup -> cgroup:[4026532183]
1246 # cat /proc/self/cgroup
1247 0::/
1248
1249When some thread from a multi-threaded process unshares its cgroup
1250namespace, the new cgroupns gets applied to the entire process (all
1251the threads). This is natural for the v2 hierarchy; however, for the
1252legacy hierarchies, this may be unexpected.
1253
1254A cgroup namespace is alive as long as there are processes inside or
1255mounts pinning it. When the last usage goes away, the cgroup
1256namespace is destroyed. The cgroupns root and the actual cgroups
1257remain.
1258
1259
12606-2. The Root and Views
1261
1262The 'cgroupns root' for a cgroup namespace is the cgroup in which the
1263process calling unshare(2) is running. For example, if a process in
1264/batchjobs/container_id1 cgroup calls unshare, cgroup
1265/batchjobs/container_id1 becomes the cgroupns root. For the
1266init_cgroup_ns, this is the real root ('/') cgroup.
1267
1268The cgroupns root cgroup does not change even if the namespace creator
1269process later moves to a different cgroup.
1270
1271 # ~/unshare -c # unshare cgroupns in some cgroup
1272 # cat /proc/self/cgroup
1273 0::/
1274 # mkdir sub_cgrp_1
1275 # echo 0 > sub_cgrp_1/cgroup.procs
1276 # cat /proc/self/cgroup
1277 0::/sub_cgrp_1
1278
1279Each process gets its namespace-specific view of "/proc/$PID/cgroup"
1280
1281Processes running inside the cgroup namespace will be able to see
1282cgroup paths (in /proc/self/cgroup) only inside their root cgroup.
1283From within an unshared cgroupns:
1284
1285 # sleep 100000 &
1286 [1] 7353
1287 # echo 7353 > sub_cgrp_1/cgroup.procs
1288 # cat /proc/7353/cgroup
1289 0::/sub_cgrp_1
1290
1291From the initial cgroup namespace, the real cgroup path will be
1292visible:
1293
1294 $ cat /proc/7353/cgroup
1295 0::/batchjobs/container_id1/sub_cgrp_1
1296
1297From a sibling cgroup namespace (that is, a namespace rooted at a
1298different cgroup), the cgroup path relative to its own cgroup
1299namespace root will be shown. For instance, if PID 7353's cgroup
1300namespace root is at '/batchjobs/container_id2', then it will see
1301
1302 # cat /proc/7353/cgroup
1303 0::/../container_id2/sub_cgrp_1
1304
1305Note that the relative path always starts with '/' to indicate that
1306its relative to the cgroup namespace root of the caller.
1307
1308
13096-3. Migration and setns(2)
1310
1311Processes inside a cgroup namespace can move into and out of the
1312namespace root if they have proper access to external cgroups. For
1313example, from inside a namespace with cgroupns root at
1314/batchjobs/container_id1, and assuming that the global hierarchy is
1315still accessible inside cgroupns:
1316
1317 # cat /proc/7353/cgroup
1318 0::/sub_cgrp_1
1319 # echo 7353 > batchjobs/container_id2/cgroup.procs
1320 # cat /proc/7353/cgroup
1321 0::/../container_id2
1322
1323Note that this kind of setup is not encouraged. A task inside cgroup
1324namespace should only be exposed to its own cgroupns hierarchy.
1325
1326setns(2) to another cgroup namespace is allowed when:
1327
1328(a) the process has CAP_SYS_ADMIN against its current user namespace
1329(b) the process has CAP_SYS_ADMIN against the target cgroup
1330 namespace's userns
1331
1332No implicit cgroup changes happen with attaching to another cgroup
1333namespace. It is expected that the someone moves the attaching
1334process under the target cgroup namespace root.
1335
1336
13376-4. Interaction with Other Namespaces
1338
1339Namespace specific cgroup hierarchy can be mounted by a process
1340running inside a non-init cgroup namespace.
1341
1342 # mount -t cgroup2 none $MOUNT_POINT
1343
1344This will mount the unified cgroup hierarchy with cgroupns root as the
1345filesystem root. The process needs CAP_SYS_ADMIN against its user and
1346mount namespaces.
1347
1348The virtualization of /proc/self/cgroup file combined with restricting
1349the view of cgroup hierarchy by namespace-private cgroupfs mount
1350provides a properly isolated cgroup view inside the container.
1351
1352
Tejun Heo6c292092015-11-16 11:13:34 -05001353P. Information on Kernel Programming
1354
1355This section contains kernel programming information in the areas
1356where interacting with cgroup is necessary. cgroup core and
1357controllers are not covered.
1358
1359
1360P-1. Filesystem Support for Writeback
1361
1362A filesystem can support cgroup writeback by updating
1363address_space_operations->writepage[s]() to annotate bio's using the
1364following two functions.
1365
1366 wbc_init_bio(@wbc, @bio)
1367
1368 Should be called for each bio carrying writeback data and
1369 associates the bio with the inode's owner cgroup. Can be
1370 called anytime between bio allocation and submission.
1371
1372 wbc_account_io(@wbc, @page, @bytes)
1373
1374 Should be called for each data segment being written out.
1375 While this function doesn't care exactly when it's called
1376 during the writeback session, it's the easiest and most
1377 natural to call it as data segments are added to a bio.
1378
1379With writeback bio's annotated, cgroup support can be enabled per
1380super_block by setting SB_I_CGROUPWB in ->s_iflags. This allows for
1381selective disabling of cgroup writeback support which is helpful when
1382certain filesystem features, e.g. journaled data mode, are
1383incompatible.
1384
1385wbc_init_bio() binds the specified bio to its cgroup. Depending on
1386the configuration, the bio may be executed at a lower priority and if
1387the writeback session is holding shared resources, e.g. a journal
1388entry, may lead to priority inversion. There is no one easy solution
1389for the problem. Filesystems can try to work around specific problem
1390cases by skipping wbc_init_bio() or using bio_associate_blkcg()
1391directly.
1392
1393
1394D. Deprecated v1 Core Features
1395
1396- Multiple hierarchies including named ones are not supported.
1397
1398- All mount options and remounting are not supported.
1399
1400- The "tasks" file is removed and "cgroup.procs" is not sorted.
1401
1402- "cgroup.clone_children" is removed.
1403
1404- /proc/cgroups is meaningless for v2. Use "cgroup.controllers" file
1405 at the root instead.
1406
1407
1408R. Issues with v1 and Rationales for v2
1409
1410R-1. Multiple Hierarchies
1411
1412cgroup v1 allowed an arbitrary number of hierarchies and each
1413hierarchy could host any number of controllers. While this seemed to
1414provide a high level of flexibility, it wasn't useful in practice.
1415
1416For example, as there is only one instance of each controller, utility
1417type controllers such as freezer which can be useful in all
1418hierarchies could only be used in one. The issue is exacerbated by
1419the fact that controllers couldn't be moved to another hierarchy once
1420hierarchies were populated. Another issue was that all controllers
1421bound to a hierarchy were forced to have exactly the same view of the
1422hierarchy. It wasn't possible to vary the granularity depending on
1423the specific controller.
1424
1425In practice, these issues heavily limited which controllers could be
1426put on the same hierarchy and most configurations resorted to putting
1427each controller on its own hierarchy. Only closely related ones, such
1428as the cpu and cpuacct controllers, made sense to be put on the same
1429hierarchy. This often meant that userland ended up managing multiple
1430similar hierarchies repeating the same steps on each hierarchy
1431whenever a hierarchy management operation was necessary.
1432
1433Furthermore, support for multiple hierarchies came at a steep cost.
1434It greatly complicated cgroup core implementation but more importantly
1435the support for multiple hierarchies restricted how cgroup could be
1436used in general and what controllers was able to do.
1437
1438There was no limit on how many hierarchies there might be, which meant
1439that a thread's cgroup membership couldn't be described in finite
1440length. The key might contain any number of entries and was unlimited
1441in length, which made it highly awkward to manipulate and led to
1442addition of controllers which existed only to identify membership,
1443which in turn exacerbated the original problem of proliferating number
1444of hierarchies.
1445
1446Also, as a controller couldn't have any expectation regarding the
1447topologies of hierarchies other controllers might be on, each
1448controller had to assume that all other controllers were attached to
1449completely orthogonal hierarchies. This made it impossible, or at
1450least very cumbersome, for controllers to cooperate with each other.
1451
1452In most use cases, putting controllers on hierarchies which are
1453completely orthogonal to each other isn't necessary. What usually is
1454called for is the ability to have differing levels of granularity
1455depending on the specific controller. In other words, hierarchy may
1456be collapsed from leaf towards root when viewed from specific
1457controllers. For example, a given configuration might not care about
1458how memory is distributed beyond a certain level while still wanting
1459to control how CPU cycles are distributed.
1460
1461
1462R-2. Thread Granularity
1463
1464cgroup v1 allowed threads of a process to belong to different cgroups.
1465This didn't make sense for some controllers and those controllers
1466ended up implementing different ways to ignore such situations but
1467much more importantly it blurred the line between API exposed to
1468individual applications and system management interface.
1469
1470Generally, in-process knowledge is available only to the process
1471itself; thus, unlike service-level organization of processes,
1472categorizing threads of a process requires active participation from
1473the application which owns the target process.
1474
1475cgroup v1 had an ambiguously defined delegation model which got abused
1476in combination with thread granularity. cgroups were delegated to
1477individual applications so that they can create and manage their own
1478sub-hierarchies and control resource distributions along them. This
1479effectively raised cgroup to the status of a syscall-like API exposed
1480to lay programs.
1481
1482First of all, cgroup has a fundamentally inadequate interface to be
1483exposed this way. For a process to access its own knobs, it has to
1484extract the path on the target hierarchy from /proc/self/cgroup,
1485construct the path by appending the name of the knob to the path, open
1486and then read and/or write to it. This is not only extremely clunky
1487and unusual but also inherently racy. There is no conventional way to
1488define transaction across the required steps and nothing can guarantee
1489that the process would actually be operating on its own sub-hierarchy.
1490
1491cgroup controllers implemented a number of knobs which would never be
1492accepted as public APIs because they were just adding control knobs to
1493system-management pseudo filesystem. cgroup ended up with interface
1494knobs which were not properly abstracted or refined and directly
1495revealed kernel internal details. These knobs got exposed to
1496individual applications through the ill-defined delegation mechanism
1497effectively abusing cgroup as a shortcut to implementing public APIs
1498without going through the required scrutiny.
1499
1500This was painful for both userland and kernel. Userland ended up with
1501misbehaving and poorly abstracted interfaces and kernel exposing and
1502locked into constructs inadvertently.
1503
1504
1505R-3. Competition Between Inner Nodes and Threads
1506
1507cgroup v1 allowed threads to be in any cgroups which created an
1508interesting problem where threads belonging to a parent cgroup and its
1509children cgroups competed for resources. This was nasty as two
1510different types of entities competed and there was no obvious way to
1511settle it. Different controllers did different things.
1512
1513The cpu controller considered threads and cgroups as equivalents and
1514mapped nice levels to cgroup weights. This worked for some cases but
1515fell flat when children wanted to be allocated specific ratios of CPU
1516cycles and the number of internal threads fluctuated - the ratios
1517constantly changed as the number of competing entities fluctuated.
1518There also were other issues. The mapping from nice level to weight
1519wasn't obvious or universal, and there were various other knobs which
1520simply weren't available for threads.
1521
1522The io controller implicitly created a hidden leaf node for each
1523cgroup to host the threads. The hidden leaf had its own copies of all
1524the knobs with "leaf_" prefixed. While this allowed equivalent
1525control over internal threads, it was with serious drawbacks. It
1526always added an extra layer of nesting which wouldn't be necessary
1527otherwise, made the interface messy and significantly complicated the
1528implementation.
1529
1530The memory controller didn't have a way to control what happened
1531between internal tasks and child cgroups and the behavior was not
1532clearly defined. There were attempts to add ad-hoc behaviors and
1533knobs to tailor the behavior to specific workloads which would have
1534led to problems extremely difficult to resolve in the long term.
1535
1536Multiple controllers struggled with internal tasks and came up with
1537different ways to deal with it; unfortunately, all the approaches were
1538severely flawed and, furthermore, the widely different behaviors
1539made cgroup as a whole highly inconsistent.
1540
1541This clearly is a problem which needs to be addressed from cgroup core
1542in a uniform way.
1543
1544
1545R-4. Other Interface Issues
1546
1547cgroup v1 grew without oversight and developed a large number of
1548idiosyncrasies and inconsistencies. One issue on the cgroup core side
1549was how an empty cgroup was notified - a userland helper binary was
1550forked and executed for each event. The event delivery wasn't
1551recursive or delegatable. The limitations of the mechanism also led
1552to in-kernel event delivery filtering mechanism further complicating
1553the interface.
1554
1555Controller interfaces were problematic too. An extreme example is
1556controllers completely ignoring hierarchical organization and treating
1557all cgroups as if they were all located directly under the root
1558cgroup. Some controllers exposed a large amount of inconsistent
1559implementation details to userland.
1560
1561There also was no consistency across controllers. When a new cgroup
1562was created, some controllers defaulted to not imposing extra
1563restrictions while others disallowed any resource usage until
1564explicitly configured. Configuration knobs for the same type of
1565control used widely differing naming schemes and formats. Statistics
1566and information knobs were named arbitrarily and used different
1567formats and units even in the same controller.
1568
1569cgroup v2 establishes common conventions where appropriate and updates
1570controllers so that they expose minimal and consistent interfaces.
1571
1572
1573R-5. Controller Issues and Remedies
1574
1575R-5-1. Memory
1576
1577The original lower boundary, the soft limit, is defined as a limit
1578that is per default unset. As a result, the set of cgroups that
1579global reclaim prefers is opt-in, rather than opt-out. The costs for
1580optimizing these mostly negative lookups are so high that the
1581implementation, despite its enormous size, does not even provide the
1582basic desirable behavior. First off, the soft limit has no
1583hierarchical meaning. All configured groups are organized in a global
1584rbtree and treated like equal peers, regardless where they are located
1585in the hierarchy. This makes subtree delegation impossible. Second,
1586the soft limit reclaim pass is so aggressive that it not just
1587introduces high allocation latencies into the system, but also impacts
1588system performance due to overreclaim, to the point where the feature
1589becomes self-defeating.
1590
1591The memory.low boundary on the other hand is a top-down allocated
1592reserve. A cgroup enjoys reclaim protection when it and all its
1593ancestors are below their low boundaries, which makes delegation of
1594subtrees possible. Secondly, new cgroups have no reserve per default
1595and in the common case most cgroups are eligible for the preferred
1596reclaim pass. This allows the new low boundary to be efficiently
1597implemented with just a minor addition to the generic reclaim code,
1598without the need for out-of-band data structures and reclaim passes.
1599Because the generic reclaim code considers all cgroups except for the
1600ones running low in the preferred first reclaim pass, overreclaim of
1601individual groups is eliminated as well, resulting in much better
1602overall workload performance.
1603
1604The original high boundary, the hard limit, is defined as a strict
1605limit that can not budge, even if the OOM killer has to be called.
1606But this generally goes against the goal of making the most out of the
1607available memory. The memory consumption of workloads varies during
1608runtime, and that requires users to overcommit. But doing that with a
1609strict upper limit requires either a fairly accurate prediction of the
1610working set size or adding slack to the limit. Since working set size
1611estimation is hard and error prone, and getting it wrong results in
1612OOM kills, most users tend to err on the side of a looser limit and
1613end up wasting precious resources.
1614
1615The memory.high boundary on the other hand can be set much more
1616conservatively. When hit, it throttles allocations by forcing them
1617into direct reclaim to work off the excess, but it never invokes the
1618OOM killer. As a result, a high boundary that is chosen too
1619aggressively will not terminate the processes, but instead it will
1620lead to gradual performance degradation. The user can monitor this
1621and make corrections until the minimal memory footprint that still
1622gives acceptable performance is found.
1623
1624In extreme cases, with many concurrent allocations and a complete
1625breakdown of reclaim progress within the group, the high boundary can
1626be exceeded. But even then it's mostly better to satisfy the
1627allocation from the slack available in other groups or the rest of the
1628system than killing the group. Otherwise, memory.max is there to
1629limit this type of spillover and ultimately contain buggy or even
1630malicious applications.
Vladimir Davydov3e24b192016-01-20 15:03:13 -08001631
Johannes Weinerb6e6edc2016-03-17 14:20:28 -07001632Setting the original memory.limit_in_bytes below the current usage was
1633subject to a race condition, where concurrent charges could cause the
1634limit setting to fail. memory.max on the other hand will first set the
1635limit to prevent new charges, and then reclaim and OOM kill until the
1636new limit is met - or the task writing to memory.max is killed.
1637
Vladimir Davydov3e24b192016-01-20 15:03:13 -08001638The combined memory+swap accounting and limiting is replaced by real
1639control over swap space.
1640
1641The main argument for a combined memory+swap facility in the original
1642cgroup design was that global or parental pressure would always be
1643able to swap all anonymous memory of a child group, regardless of the
1644child's own (possibly untrusted) configuration. However, untrusted
1645groups can sabotage swapping by other means - such as referencing its
1646anonymous memory in a tight loop - and an admin can not assume full
1647swappability when overcommitting untrusted jobs.
1648
1649For trusted jobs, on the other hand, a combined counter is not an
1650intuitive userspace interface, and it flies in the face of the idea
1651that cgroup controllers should account and limit specific physical
1652resources. Swap space is a resource like all others in the system,
1653and that's why unified hierarchy allows distributing it separately.