blob: 49d7c997fa1ee7f759b5ba319bb57be464f0bd47 [file] [log] [blame]
Tejun Heo6c292092015-11-16 11:13:34 -05001
2Control Group v2
3
4October, 2015 Tejun Heo <tj@kernel.org>
5
6This is the authoritative documentation on the design, interface and
7conventions of cgroup v2. It describes all userland-visible aspects
8of cgroup including core and specific controller behaviors. All
9future changes must be reflected in this document. Documentation for
W. Trevor King9a2ddda2016-01-27 13:01:52 -080010v1 is available under Documentation/cgroup-v1/.
Tejun Heo6c292092015-11-16 11:13:34 -050011
12CONTENTS
13
141. Introduction
15 1-1. Terminology
16 1-2. What is cgroup?
172. Basic Operations
18 2-1. Mounting
19 2-2. Organizing Processes
20 2-3. [Un]populated Notification
21 2-4. Controlling Controllers
22 2-4-1. Enabling and Disabling
23 2-4-2. Top-down Constraint
24 2-4-3. No Internal Process Constraint
25 2-5. Delegation
26 2-5-1. Model of Delegation
27 2-5-2. Delegation Containment
28 2-6. Guidelines
29 2-6-1. Organize Once and Control
30 2-6-2. Avoid Name Collisions
313. Resource Distribution Models
32 3-1. Weights
33 3-2. Limits
34 3-3. Protections
35 3-4. Allocations
364. Interface Files
37 4-1. Format
38 4-2. Conventions
39 4-3. Core Interface Files
405. Controllers
41 5-1. CPU
42 5-1-1. CPU Interface Files
43 5-2. Memory
44 5-2-1. Memory Interface Files
45 5-2-2. Usage Guidelines
46 5-2-3. Memory Ownership
47 5-3. IO
48 5-3-1. IO Interface Files
49 5-3-2. Writeback
Hans Ragas20c56e52017-01-10 17:42:34 +000050 5-4. PID
51 5-4-1. PID Interface Files
Tejun Heo63f1ca52017-02-02 13:50:35 -050052 5-5. RDMA
53 5-5-1. RDMA Interface Files
54 5-6. Misc
55 5-6-1. perf_event
Serge Hallynd4021f62016-01-29 02:54:10 -0600566. Namespace
57 6-1. Basics
58 6-2. The Root and Views
59 6-3. Migration and setns(2)
60 6-4. Interaction with Other Namespaces
Tejun Heo6c292092015-11-16 11:13:34 -050061P. Information on Kernel Programming
62 P-1. Filesystem Support for Writeback
63D. Deprecated v1 Core Features
64R. Issues with v1 and Rationales for v2
65 R-1. Multiple Hierarchies
66 R-2. Thread Granularity
67 R-3. Competition Between Inner Nodes and Threads
68 R-4. Other Interface Issues
69 R-5. Controller Issues and Remedies
70 R-5-1. Memory
71
72
731. Introduction
74
751-1. Terminology
76
77"cgroup" stands for "control group" and is never capitalized. The
78singular form is used to designate the whole feature and also as a
79qualifier as in "cgroup controllers". When explicitly referring to
80multiple individual control groups, the plural form "cgroups" is used.
81
82
831-2. What is cgroup?
84
85cgroup is a mechanism to organize processes hierarchically and
86distribute system resources along the hierarchy in a controlled and
87configurable manner.
88
89cgroup is largely composed of two parts - the core and controllers.
90cgroup core is primarily responsible for hierarchically organizing
91processes. A cgroup controller is usually responsible for
92distributing a specific type of system resource along the hierarchy
93although there are utility controllers which serve purposes other than
94resource distribution.
95
96cgroups form a tree structure and every process in the system belongs
97to one and only one cgroup. All threads of a process belong to the
98same cgroup. On creation, all processes are put in the cgroup that
99the parent process belongs to at the time. A process can be migrated
100to another cgroup. Migration of a process doesn't affect already
101existing descendant processes.
102
103Following certain structural constraints, controllers may be enabled or
104disabled selectively on a cgroup. All controller behaviors are
105hierarchical - if a controller is enabled on a cgroup, it affects all
106processes which belong to the cgroups consisting the inclusive
107sub-hierarchy of the cgroup. When a controller is enabled on a nested
108cgroup, it always restricts the resource distribution further. The
109restrictions set closer to the root in the hierarchy can not be
110overridden from further away.
111
112
1132. Basic Operations
114
1152-1. Mounting
116
117Unlike v1, cgroup v2 has only single hierarchy. The cgroup v2
118hierarchy can be mounted with the following mount command.
119
120 # mount -t cgroup2 none $MOUNT_POINT
121
122cgroup2 filesystem has the magic number 0x63677270 ("cgrp"). All
123controllers which support v2 and are not bound to a v1 hierarchy are
124automatically bound to the v2 hierarchy and show up at the root.
125Controllers which are not in active use in the v2 hierarchy can be
126bound to other hierarchies. This allows mixing v2 hierarchy with the
127legacy v1 multiple hierarchies in a fully backward compatible way.
128
129A controller can be moved across hierarchies only after the controller
130is no longer referenced in its current hierarchy. Because per-cgroup
131controller states are destroyed asynchronously and controllers may
132have lingering references, a controller may not show up immediately on
133the v2 hierarchy after the final umount of the previous hierarchy.
134Similarly, a controller should be fully disabled to be moved out of
135the unified hierarchy and it may take some time for the disabled
136controller to become available for other hierarchies; furthermore, due
137to inter-controller dependencies, other controllers may need to be
138disabled too.
139
140While useful for development and manual configurations, moving
141controllers dynamically between the v2 and other hierarchies is
142strongly discouraged for production use. It is recommended to decide
143the hierarchies and controller associations before starting using the
144controllers after system boot.
145
Johannes Weiner1619b6d2016-02-16 13:21:14 -0500146During transition to v2, system management software might still
147automount the v1 cgroup filesystem and so hijack all controllers
148during boot, before manual intervention is possible. To make testing
149and experimenting easier, the kernel parameter cgroup_no_v1= allows
150disabling controllers in v1 and make them always available in v2.
151
Tejun Heo6c292092015-11-16 11:13:34 -0500152
1532-2. Organizing Processes
154
155Initially, only the root cgroup exists to which all processes belong.
156A child cgroup can be created by creating a sub-directory.
157
158 # mkdir $CGROUP_NAME
159
160A given cgroup may have multiple child cgroups forming a tree
161structure. Each cgroup has a read-writable interface file
162"cgroup.procs". When read, it lists the PIDs of all processes which
163belong to the cgroup one-per-line. The PIDs are not ordered and the
164same PID may show up more than once if the process got moved to
165another cgroup and then back or the PID got recycled while reading.
166
167A process can be migrated into a cgroup by writing its PID to the
168target cgroup's "cgroup.procs" file. Only one process can be migrated
169on a single write(2) call. If a process is composed of multiple
170threads, writing the PID of any thread migrates all threads of the
171process.
172
173When a process forks a child process, the new process is born into the
174cgroup that the forking process belongs to at the time of the
175operation. After exit, a process stays associated with the cgroup
176that it belonged to at the time of exit until it's reaped; however, a
177zombie process does not appear in "cgroup.procs" and thus can't be
178moved to another cgroup.
179
180A cgroup which doesn't have any children or live processes can be
181destroyed by removing the directory. Note that a cgroup which doesn't
182have any children and is associated only with zombie processes is
183considered empty and can be removed.
184
185 # rmdir $CGROUP_NAME
186
187"/proc/$PID/cgroup" lists a process's cgroup membership. If legacy
188cgroup is in use in the system, this file may contain multiple lines,
189one for each hierarchy. The entry for cgroup v2 is always in the
190format "0::$PATH".
191
192 # cat /proc/842/cgroup
193 ...
194 0::/test-cgroup/test-cgroup-nested
195
196If the process becomes a zombie and the cgroup it was associated with
197is removed subsequently, " (deleted)" is appended to the path.
198
199 # cat /proc/842/cgroup
200 ...
201 0::/test-cgroup/test-cgroup-nested (deleted)
202
203
2042-3. [Un]populated Notification
205
206Each non-root cgroup has a "cgroup.events" file which contains
207"populated" field indicating whether the cgroup's sub-hierarchy has
208live processes in it. Its value is 0 if there is no live process in
209the cgroup and its descendants; otherwise, 1. poll and [id]notify
210events are triggered when the value changes. This can be used, for
211example, to start a clean-up operation after all processes of a given
212sub-hierarchy have exited. The populated state updates and
213notifications are recursive. Consider the following sub-hierarchy
214where the numbers in the parentheses represent the numbers of processes
215in each cgroup.
216
217 A(4) - B(0) - C(1)
218 \ D(0)
219
220A, B and C's "populated" fields would be 1 while D's 0. After the one
221process in C exits, B and C's "populated" fields would flip to "0" and
222file modified events will be generated on the "cgroup.events" files of
223both cgroups.
224
225
2262-4. Controlling Controllers
227
2282-4-1. Enabling and Disabling
229
230Each cgroup has a "cgroup.controllers" file which lists all
231controllers available for the cgroup to enable.
232
233 # cat cgroup.controllers
234 cpu io memory
235
236No controller is enabled by default. Controllers can be enabled and
237disabled by writing to the "cgroup.subtree_control" file.
238
239 # echo "+cpu +memory -io" > cgroup.subtree_control
240
241Only controllers which are listed in "cgroup.controllers" can be
242enabled. When multiple operations are specified as above, either they
243all succeed or fail. If multiple operations on the same controller
244are specified, the last one is effective.
245
246Enabling a controller in a cgroup indicates that the distribution of
247the target resource across its immediate children will be controlled.
248Consider the following sub-hierarchy. The enabled controllers are
249listed in parentheses.
250
251 A(cpu,memory) - B(memory) - C()
252 \ D()
253
254As A has "cpu" and "memory" enabled, A will control the distribution
255of CPU cycles and memory to its children, in this case, B. As B has
256"memory" enabled but not "CPU", C and D will compete freely on CPU
257cycles but their division of memory available to B will be controlled.
258
259As a controller regulates the distribution of the target resource to
260the cgroup's children, enabling it creates the controller's interface
261files in the child cgroups. In the above example, enabling "cpu" on B
262would create the "cpu." prefixed controller interface files in C and
263D. Likewise, disabling "memory" from B would remove the "memory."
264prefixed controller interface files from C and D. This means that the
265controller interface files - anything which doesn't start with
266"cgroup." are owned by the parent rather than the cgroup itself.
267
268
2692-4-2. Top-down Constraint
270
271Resources are distributed top-down and a cgroup can further distribute
272a resource only if the resource has been distributed to it from the
273parent. This means that all non-root "cgroup.subtree_control" files
274can only contain controllers which are enabled in the parent's
275"cgroup.subtree_control" file. A controller can be enabled only if
276the parent has the controller enabled and a controller can't be
277disabled if one or more children have it enabled.
278
279
2802-4-3. No Internal Process Constraint
281
282Non-root cgroups can only distribute resources to their children when
283they don't have any processes of their own. In other words, only
284cgroups which don't contain any processes can have controllers enabled
285in their "cgroup.subtree_control" files.
286
287This guarantees that, when a controller is looking at the part of the
288hierarchy which has it enabled, processes are always only on the
289leaves. This rules out situations where child cgroups compete against
290internal processes of the parent.
291
292The root cgroup is exempt from this restriction. Root contains
293processes and anonymous resource consumption which can't be associated
294with any other cgroups and requires special treatment from most
295controllers. How resource consumption in the root cgroup is governed
296is up to each controller.
297
298Note that the restriction doesn't get in the way if there is no
299enabled controller in the cgroup's "cgroup.subtree_control". This is
300important as otherwise it wouldn't be possible to create children of a
301populated cgroup. To control resource distribution of a cgroup, the
302cgroup must create children and transfer all its processes to the
303children before enabling controllers in its "cgroup.subtree_control"
304file.
305
306
3072-5. Delegation
308
3092-5-1. Model of Delegation
310
311A cgroup can be delegated to a less privileged user by granting write
312access of the directory and its "cgroup.procs" file to the user. Note
313that resource control interface files in a given directory control the
314distribution of the parent's resources and thus must not be delegated
315along with the directory.
316
317Once delegated, the user can build sub-hierarchy under the directory,
318organize processes as it sees fit and further distribute the resources
319it received from the parent. The limits and other settings of all
320resource controllers are hierarchical and regardless of what happens
321in the delegated sub-hierarchy, nothing can escape the resource
322restrictions imposed by the parent.
323
324Currently, cgroup doesn't impose any restrictions on the number of
325cgroups in or nesting depth of a delegated sub-hierarchy; however,
326this may be limited explicitly in the future.
327
328
3292-5-2. Delegation Containment
330
331A delegated sub-hierarchy is contained in the sense that processes
332can't be moved into or out of the sub-hierarchy by the delegatee. For
333a process with a non-root euid to migrate a target process into a
334cgroup by writing its PID to the "cgroup.procs" file, the following
335conditions must be met.
336
Tejun Heo6c292092015-11-16 11:13:34 -0500337- The writer must have write access to the "cgroup.procs" file.
338
339- The writer must have write access to the "cgroup.procs" file of the
340 common ancestor of the source and destination cgroups.
341
Tejun Heo576dd462017-01-20 11:29:54 -0500342The above two constraints ensure that while a delegatee may migrate
Tejun Heo6c292092015-11-16 11:13:34 -0500343processes around freely in the delegated sub-hierarchy it can't pull
344in from or push out to outside the sub-hierarchy.
345
346For an example, let's assume cgroups C0 and C1 have been delegated to
347user U0 who created C00, C01 under C0 and C10 under C1 as follows and
348all processes under C0 and C1 belong to U0.
349
350 ~~~~~~~~~~~~~ - C0 - C00
351 ~ cgroup ~ \ C01
352 ~ hierarchy ~
353 ~~~~~~~~~~~~~ - C1 - C10
354
355Let's also say U0 wants to write the PID of a process which is
356currently in C10 into "C00/cgroup.procs". U0 has write access to the
Tejun Heo576dd462017-01-20 11:29:54 -0500357file; however, the common ancestor of the source cgroup C10 and the
358destination cgroup C00 is above the points of delegation and U0 would
359not have write access to its "cgroup.procs" files and thus the write
360will be denied with -EACCES.
Tejun Heo6c292092015-11-16 11:13:34 -0500361
362
3632-6. Guidelines
364
3652-6-1. Organize Once and Control
366
367Migrating a process across cgroups is a relatively expensive operation
368and stateful resources such as memory are not moved together with the
369process. This is an explicit design decision as there often exist
370inherent trade-offs between migration and various hot paths in terms
371of synchronization cost.
372
373As such, migrating processes across cgroups frequently as a means to
374apply different resource restrictions is discouraged. A workload
375should be assigned to a cgroup according to the system's logical and
376resource structure once on start-up. Dynamic adjustments to resource
377distribution can be made by changing controller configuration through
378the interface files.
379
380
3812-6-2. Avoid Name Collisions
382
383Interface files for a cgroup and its children cgroups occupy the same
384directory and it is possible to create children cgroups which collide
385with interface files.
386
387All cgroup core interface files are prefixed with "cgroup." and each
388controller's interface files are prefixed with the controller name and
389a dot. A controller's name is composed of lower case alphabets and
390'_'s but never begins with an '_' so it can be used as the prefix
391character for collision avoidance. Also, interface file names won't
392start or end with terms which are often used in categorizing workloads
393such as job, service, slice, unit or workload.
394
395cgroup doesn't do anything to prevent name collisions and it's the
396user's responsibility to avoid them.
397
398
3993. Resource Distribution Models
400
401cgroup controllers implement several resource distribution schemes
402depending on the resource type and expected use cases. This section
403describes major schemes in use along with their expected behaviors.
404
405
4063-1. Weights
407
408A parent's resource is distributed by adding up the weights of all
409active children and giving each the fraction matching the ratio of its
410weight against the sum. As only children which can make use of the
411resource at the moment participate in the distribution, this is
412work-conserving. Due to the dynamic nature, this model is usually
413used for stateless resources.
414
415All weights are in the range [1, 10000] with the default at 100. This
416allows symmetric multiplicative biases in both directions at fine
417enough granularity while staying in the intuitive range.
418
419As long as the weight is in range, all configuration combinations are
420valid and there is no reason to reject configuration changes or
421process migrations.
422
423"cpu.weight" proportionally distributes CPU cycles to active children
424and is an example of this type.
425
426
4273-2. Limits
428
429A child can only consume upto the configured amount of the resource.
430Limits can be over-committed - the sum of the limits of children can
431exceed the amount of resource available to the parent.
432
433Limits are in the range [0, max] and defaults to "max", which is noop.
434
435As limits can be over-committed, all configuration combinations are
436valid and there is no reason to reject configuration changes or
437process migrations.
438
439"io.max" limits the maximum BPS and/or IOPS that a cgroup can consume
440on an IO device and is an example of this type.
441
442
4433-3. Protections
444
445A cgroup is protected to be allocated upto the configured amount of
446the resource if the usages of all its ancestors are under their
447protected levels. Protections can be hard guarantees or best effort
448soft boundaries. Protections can also be over-committed in which case
449only upto the amount available to the parent is protected among
450children.
451
452Protections are in the range [0, max] and defaults to 0, which is
453noop.
454
455As protections can be over-committed, all configuration combinations
456are valid and there is no reason to reject configuration changes or
457process migrations.
458
459"memory.low" implements best-effort memory protection and is an
460example of this type.
461
462
4633-4. Allocations
464
465A cgroup is exclusively allocated a certain amount of a finite
466resource. Allocations can't be over-committed - the sum of the
467allocations of children can not exceed the amount of resource
468available to the parent.
469
470Allocations are in the range [0, max] and defaults to 0, which is no
471resource.
472
473As allocations can't be over-committed, some configuration
474combinations are invalid and should be rejected. Also, if the
475resource is mandatory for execution of processes, process migrations
476may be rejected.
477
478"cpu.rt.max" hard-allocates realtime slices and is an example of this
479type.
480
481
4824. Interface Files
483
4844-1. Format
485
486All interface files should be in one of the following formats whenever
487possible.
488
489 New-line separated values
490 (when only one value can be written at once)
491
492 VAL0\n
493 VAL1\n
494 ...
495
496 Space separated values
497 (when read-only or multiple values can be written at once)
498
499 VAL0 VAL1 ...\n
500
501 Flat keyed
502
503 KEY0 VAL0\n
504 KEY1 VAL1\n
505 ...
506
507 Nested keyed
508
509 KEY0 SUB_KEY0=VAL00 SUB_KEY1=VAL01...
510 KEY1 SUB_KEY0=VAL10 SUB_KEY1=VAL11...
511 ...
512
513For a writable file, the format for writing should generally match
514reading; however, controllers may allow omitting later fields or
515implement restricted shortcuts for most common use cases.
516
517For both flat and nested keyed files, only the values for a single key
518can be written at a time. For nested keyed files, the sub key pairs
519may be specified in any order and not all pairs have to be specified.
520
521
5224-2. Conventions
523
524- Settings for a single feature should be contained in a single file.
525
526- The root cgroup should be exempt from resource control and thus
527 shouldn't have resource control interface files. Also,
528 informational files on the root cgroup which end up showing global
529 information available elsewhere shouldn't exist.
530
531- If a controller implements weight based resource distribution, its
532 interface file should be named "weight" and have the range [1,
533 10000] with 100 as the default. The values are chosen to allow
534 enough and symmetric bias in both directions while keeping it
535 intuitive (the default is 100%).
536
537- If a controller implements an absolute resource guarantee and/or
538 limit, the interface files should be named "min" and "max"
539 respectively. If a controller implements best effort resource
540 guarantee and/or limit, the interface files should be named "low"
541 and "high" respectively.
542
543 In the above four control files, the special token "max" should be
544 used to represent upward infinity for both reading and writing.
545
546- If a setting has a configurable default value and keyed specific
547 overrides, the default entry should be keyed with "default" and
548 appear as the first entry in the file.
549
550 The default value can be updated by writing either "default $VAL" or
551 "$VAL".
552
553 When writing to update a specific override, "default" can be used as
554 the value to indicate removal of the override. Override entries
555 with "default" as the value must not appear when read.
556
557 For example, a setting which is keyed by major:minor device numbers
558 with integer values may look like the following.
559
560 # cat cgroup-example-interface-file
561 default 150
562 8:0 300
563
564 The default value can be updated by
565
566 # echo 125 > cgroup-example-interface-file
567
568 or
569
570 # echo "default 125" > cgroup-example-interface-file
571
572 An override can be set by
573
574 # echo "8:16 170" > cgroup-example-interface-file
575
576 and cleared by
577
578 # echo "8:0 default" > cgroup-example-interface-file
579 # cat cgroup-example-interface-file
580 default 125
581 8:16 170
582
583- For events which are not very high frequency, an interface file
584 "events" should be created which lists event key value pairs.
585 Whenever a notifiable event happens, file modified event should be
586 generated on the file.
587
588
5894-3. Core Interface Files
590
591All cgroup core files are prefixed with "cgroup."
592
593 cgroup.procs
594
595 A read-write new-line separated values file which exists on
596 all cgroups.
597
598 When read, it lists the PIDs of all processes which belong to
599 the cgroup one-per-line. The PIDs are not ordered and the
600 same PID may show up more than once if the process got moved
601 to another cgroup and then back or the PID got recycled while
602 reading.
603
604 A PID can be written to migrate the process associated with
605 the PID to the cgroup. The writer should match all of the
606 following conditions.
607
608 - Its euid is either root or must match either uid or suid of
609 the target process.
610
611 - It must have write access to the "cgroup.procs" file.
612
613 - It must have write access to the "cgroup.procs" file of the
614 common ancestor of the source and destination cgroups.
615
616 When delegating a sub-hierarchy, write access to this file
617 should be granted along with the containing directory.
618
619 cgroup.controllers
620
621 A read-only space separated values file which exists on all
622 cgroups.
623
624 It shows space separated list of all controllers available to
625 the cgroup. The controllers are not ordered.
626
627 cgroup.subtree_control
628
629 A read-write space separated values file which exists on all
630 cgroups. Starts out empty.
631
632 When read, it shows space separated list of the controllers
633 which are enabled to control resource distribution from the
634 cgroup to its children.
635
636 Space separated list of controllers prefixed with '+' or '-'
637 can be written to enable or disable controllers. A controller
638 name prefixed with '+' enables the controller and '-'
639 disables. If a controller appears more than once on the list,
640 the last one is effective. When multiple enable and disable
641 operations are specified, either all succeed or all fail.
642
643 cgroup.events
644
645 A read-only flat-keyed file which exists on non-root cgroups.
646 The following entries are defined. Unless specified
647 otherwise, a value change in this file generates a file
648 modified event.
649
650 populated
651
652 1 if the cgroup or its descendants contains any live
653 processes; otherwise, 0.
654
655
6565. Controllers
657
6585-1. CPU
659
660[NOTE: The interface for the cpu controller hasn't been merged yet]
661
662The "cpu" controllers regulates distribution of CPU cycles. This
663controller implements weight and absolute bandwidth limit models for
664normal scheduling policy and absolute bandwidth allocation model for
665realtime scheduling policy.
666
667
6685-1-1. CPU Interface Files
669
670All time durations are in microseconds.
671
672 cpu.stat
673
674 A read-only flat-keyed file which exists on non-root cgroups.
675
676 It reports the following six stats.
677
678 usage_usec
679 user_usec
680 system_usec
681 nr_periods
682 nr_throttled
683 throttled_usec
684
685 cpu.weight
686
687 A read-write single value file which exists on non-root
688 cgroups. The default is "100".
689
690 The weight in the range [1, 10000].
691
692 cpu.max
693
694 A read-write two value file which exists on non-root cgroups.
695 The default is "max 100000".
696
697 The maximum bandwidth limit. It's in the following format.
698
699 $MAX $PERIOD
700
701 which indicates that the group may consume upto $MAX in each
702 $PERIOD duration. "max" for $MAX indicates no limit. If only
703 one number is written, $MAX is updated.
704
705 cpu.rt.max
706
707 [NOTE: The semantics of this file is still under discussion and the
708 interface hasn't been merged yet]
709
710 A read-write two value file which exists on all cgroups.
711 The default is "0 100000".
712
713 The maximum realtime runtime allocation. Over-committing
714 configurations are disallowed and process migrations are
715 rejected if not enough bandwidth is available. It's in the
716 following format.
717
718 $MAX $PERIOD
719
720 which indicates that the group may consume upto $MAX in each
721 $PERIOD duration. If only one number is written, $MAX is
722 updated.
723
724
7255-2. Memory
726
727The "memory" controller regulates distribution of memory. Memory is
728stateful and implements both limit and protection models. Due to the
729intertwining between memory usage and reclaim pressure and the
730stateful nature of memory, the distribution model is relatively
731complex.
732
733While not completely water-tight, all major memory usages by a given
734cgroup are tracked so that the total memory consumption can be
735accounted and controlled to a reasonable extent. Currently, the
736following types of memory usages are tracked.
737
738- Userland memory - page cache and anonymous memory.
739
740- Kernel data structures such as dentries and inodes.
741
742- TCP socket buffers.
743
744The above list may expand in the future for better coverage.
745
746
7475-2-1. Memory Interface Files
748
749All memory amounts are in bytes. If a value which is not aligned to
750PAGE_SIZE is written, the value may be rounded up to the closest
751PAGE_SIZE multiple when read back.
752
753 memory.current
754
755 A read-only single value file which exists on non-root
756 cgroups.
757
758 The total amount of memory currently being used by the cgroup
759 and its descendants.
760
761 memory.low
762
763 A read-write single value file which exists on non-root
764 cgroups. The default is "0".
765
766 Best-effort memory protection. If the memory usages of a
767 cgroup and all its ancestors are below their low boundaries,
768 the cgroup's memory won't be reclaimed unless memory can be
769 reclaimed from unprotected cgroups.
770
771 Putting more memory than generally available under this
772 protection is discouraged.
773
774 memory.high
775
776 A read-write single value file which exists on non-root
777 cgroups. The default is "max".
778
779 Memory usage throttle limit. This is the main mechanism to
780 control memory usage of a cgroup. If a cgroup's usage goes
781 over the high boundary, the processes of the cgroup are
782 throttled and put under heavy reclaim pressure.
783
784 Going over the high limit never invokes the OOM killer and
785 under extreme conditions the limit may be breached.
786
787 memory.max
788
789 A read-write single value file which exists on non-root
790 cgroups. The default is "max".
791
792 Memory usage hard limit. This is the final protection
793 mechanism. If a cgroup's memory usage reaches this limit and
794 can't be reduced, the OOM killer is invoked in the cgroup.
795 Under certain circumstances, the usage may go over the limit
796 temporarily.
797
798 This is the ultimate protection mechanism. As long as the
799 high limit is used and monitored properly, this limit's
800 utility is limited to providing the final safety net.
801
802 memory.events
803
804 A read-only flat-keyed file which exists on non-root cgroups.
805 The following entries are defined. Unless specified
806 otherwise, a value change in this file generates a file
807 modified event.
808
809 low
810
811 The number of times the cgroup is reclaimed due to
812 high memory pressure even though its usage is under
813 the low boundary. This usually indicates that the low
814 boundary is over-committed.
815
816 high
817
818 The number of times processes of the cgroup are
819 throttled and routed to perform direct memory reclaim
820 because the high memory boundary was exceeded. For a
821 cgroup whose memory usage is capped by the high limit
822 rather than global memory pressure, this event's
823 occurrences are expected.
824
825 max
826
827 The number of times the cgroup's memory usage was
828 about to go over the max boundary. If direct reclaim
829 fails to bring it down, the OOM killer is invoked.
830
831 oom
832
833 The number of times the OOM killer has been invoked in
834 the cgroup. This may not exactly match the number of
835 processes killed but should generally be close.
836
Johannes Weiner587d9f72016-01-20 15:03:19 -0800837 memory.stat
838
839 A read-only flat-keyed file which exists on non-root cgroups.
840
841 This breaks down the cgroup's memory footprint into different
842 types of memory, type-specific details, and other information
843 on the state and past events of the memory management system.
844
845 All memory amounts are in bytes.
846
847 The entries are ordered to be human readable, and new entries
848 can show up in the middle. Don't rely on items remaining in a
849 fixed position; use the keys to look up specific values!
850
851 anon
852
853 Amount of memory used in anonymous mappings such as
854 brk(), sbrk(), and mmap(MAP_ANONYMOUS)
855
856 file
857
858 Amount of memory used to cache filesystem data,
859 including tmpfs and shared memory.
860
Vladimir Davydov12580e42016-03-17 14:17:38 -0700861 kernel_stack
862
863 Amount of memory allocated to kernel stacks.
864
Vladimir Davydov27ee57c2016-03-17 14:17:35 -0700865 slab
866
867 Amount of memory used for storing in-kernel data
868 structures.
869
Johannes Weiner4758e192016-02-02 16:57:41 -0800870 sock
871
872 Amount of memory used in network transmission buffers
873
Johannes Weiner587d9f72016-01-20 15:03:19 -0800874 file_mapped
875
876 Amount of cached filesystem data mapped with mmap()
877
878 file_dirty
879
880 Amount of cached filesystem data that was modified but
881 not yet written back to disk
882
883 file_writeback
884
885 Amount of cached filesystem data that was modified and
886 is currently being written back to disk
887
888 inactive_anon
889 active_anon
890 inactive_file
891 active_file
892 unevictable
893
894 Amount of memory, swap-backed and filesystem-backed,
895 on the internal memory management lists used by the
896 page reclaim algorithm
897
Vladimir Davydov27ee57c2016-03-17 14:17:35 -0700898 slab_reclaimable
899
900 Part of "slab" that might be reclaimed, such as
901 dentries and inodes.
902
903 slab_unreclaimable
904
905 Part of "slab" that cannot be reclaimed on memory
906 pressure.
907
Johannes Weiner587d9f72016-01-20 15:03:19 -0800908 pgfault
909
910 Total number of page faults incurred
911
912 pgmajfault
913
914 Number of major page faults incurred
915
Vladimir Davydov3e24b192016-01-20 15:03:13 -0800916 memory.swap.current
917
918 A read-only single value file which exists on non-root
919 cgroups.
920
921 The total amount of swap currently being used by the cgroup
922 and its descendants.
923
924 memory.swap.max
925
926 A read-write single value file which exists on non-root
927 cgroups. The default is "max".
928
929 Swap usage hard limit. If a cgroup's swap usage reaches this
930 limit, anonymous meomry of the cgroup will not be swapped out.
931
Tejun Heo6c292092015-11-16 11:13:34 -0500932
Parav Pandit6c83e6cb2016-03-05 11:20:58 +05309335-2-2. Usage Guidelines
Tejun Heo6c292092015-11-16 11:13:34 -0500934
935"memory.high" is the main mechanism to control memory usage.
936Over-committing on high limit (sum of high limits > available memory)
937and letting global memory pressure to distribute memory according to
938usage is a viable strategy.
939
940Because breach of the high limit doesn't trigger the OOM killer but
941throttles the offending cgroup, a management agent has ample
942opportunities to monitor and take appropriate actions such as granting
943more memory or terminating the workload.
944
945Determining whether a cgroup has enough memory is not trivial as
946memory usage doesn't indicate whether the workload can benefit from
947more memory. For example, a workload which writes data received from
948network to a file can use all available memory but can also operate as
949performant with a small amount of memory. A measure of memory
950pressure - how much the workload is being impacted due to lack of
951memory - is necessary to determine whether a workload needs more
952memory; unfortunately, memory pressure monitoring mechanism isn't
953implemented yet.
954
955
9565-2-3. Memory Ownership
957
958A memory area is charged to the cgroup which instantiated it and stays
959charged to the cgroup until the area is released. Migrating a process
960to a different cgroup doesn't move the memory usages that it
961instantiated while in the previous cgroup to the new cgroup.
962
963A memory area may be used by processes belonging to different cgroups.
964To which cgroup the area will be charged is in-deterministic; however,
965over time, the memory area is likely to end up in a cgroup which has
966enough memory allowance to avoid high reclaim pressure.
967
968If a cgroup sweeps a considerable amount of memory which is expected
969to be accessed repeatedly by other cgroups, it may make sense to use
970POSIX_FADV_DONTNEED to relinquish the ownership of memory areas
971belonging to the affected files to ensure correct memory ownership.
972
973
9745-3. IO
975
976The "io" controller regulates the distribution of IO resources. This
977controller implements both weight based and absolute bandwidth or IOPS
978limit distribution; however, weight based distribution is available
979only if cfq-iosched is in use and neither scheme is available for
980blk-mq devices.
981
982
9835-3-1. IO Interface Files
984
985 io.stat
986
987 A read-only nested-keyed file which exists on non-root
988 cgroups.
989
990 Lines are keyed by $MAJ:$MIN device numbers and not ordered.
991 The following nested keys are defined.
992
993 rbytes Bytes read
994 wbytes Bytes written
995 rios Number of read IOs
996 wios Number of write IOs
997
998 An example read output follows.
999
1000 8:16 rbytes=1459200 wbytes=314773504 rios=192 wios=353
1001 8:0 rbytes=90430464 wbytes=299008000 rios=8950 wios=1252
1002
1003 io.weight
1004
1005 A read-write flat-keyed file which exists on non-root cgroups.
1006 The default is "default 100".
1007
1008 The first line is the default weight applied to devices
1009 without specific override. The rest are overrides keyed by
1010 $MAJ:$MIN device numbers and not ordered. The weights are in
1011 the range [1, 10000] and specifies the relative amount IO time
1012 the cgroup can use in relation to its siblings.
1013
1014 The default weight can be updated by writing either "default
1015 $WEIGHT" or simply "$WEIGHT". Overrides can be set by writing
1016 "$MAJ:$MIN $WEIGHT" and unset by writing "$MAJ:$MIN default".
1017
1018 An example read output follows.
1019
1020 default 100
1021 8:16 200
1022 8:0 50
1023
1024 io.max
1025
1026 A read-write nested-keyed file which exists on non-root
1027 cgroups.
1028
1029 BPS and IOPS based IO limit. Lines are keyed by $MAJ:$MIN
1030 device numbers and not ordered. The following nested keys are
1031 defined.
1032
1033 rbps Max read bytes per second
1034 wbps Max write bytes per second
1035 riops Max read IO operations per second
1036 wiops Max write IO operations per second
1037
1038 When writing, any number of nested key-value pairs can be
1039 specified in any order. "max" can be specified as the value
1040 to remove a specific limit. If the same key is specified
1041 multiple times, the outcome is undefined.
1042
1043 BPS and IOPS are measured in each IO direction and IOs are
1044 delayed if limit is reached. Temporary bursts are allowed.
1045
1046 Setting read limit at 2M BPS and write at 120 IOPS for 8:16.
1047
1048 echo "8:16 rbps=2097152 wiops=120" > io.max
1049
1050 Reading returns the following.
1051
1052 8:16 rbps=2097152 wbps=max riops=max wiops=120
1053
1054 Write IOPS limit can be removed by writing the following.
1055
1056 echo "8:16 wiops=max" > io.max
1057
1058 Reading now returns the following.
1059
1060 8:16 rbps=2097152 wbps=max riops=max wiops=max
1061
1062
10635-3-2. Writeback
1064
1065Page cache is dirtied through buffered writes and shared mmaps and
1066written asynchronously to the backing filesystem by the writeback
1067mechanism. Writeback sits between the memory and IO domains and
1068regulates the proportion of dirty memory by balancing dirtying and
1069write IOs.
1070
1071The io controller, in conjunction with the memory controller,
1072implements control of page cache writeback IOs. The memory controller
1073defines the memory domain that dirty memory ratio is calculated and
1074maintained for and the io controller defines the io domain which
1075writes out dirty pages for the memory domain. Both system-wide and
1076per-cgroup dirty memory states are examined and the more restrictive
1077of the two is enforced.
1078
1079cgroup writeback requires explicit support from the underlying
1080filesystem. Currently, cgroup writeback is implemented on ext2, ext4
1081and btrfs. On other filesystems, all writeback IOs are attributed to
1082the root cgroup.
1083
1084There are inherent differences in memory and writeback management
1085which affects how cgroup ownership is tracked. Memory is tracked per
1086page while writeback per inode. For the purpose of writeback, an
1087inode is assigned to a cgroup and all IO requests to write dirty pages
1088from the inode are attributed to that cgroup.
1089
1090As cgroup ownership for memory is tracked per page, there can be pages
1091which are associated with different cgroups than the one the inode is
1092associated with. These are called foreign pages. The writeback
1093constantly keeps track of foreign pages and, if a particular foreign
1094cgroup becomes the majority over a certain period of time, switches
1095the ownership of the inode to that cgroup.
1096
1097While this model is enough for most use cases where a given inode is
1098mostly dirtied by a single cgroup even when the main writing cgroup
1099changes over time, use cases where multiple cgroups write to a single
1100inode simultaneously are not supported well. In such circumstances, a
1101significant portion of IOs are likely to be attributed incorrectly.
1102As memory controller assigns page ownership on the first use and
1103doesn't update it until the page is released, even if writeback
1104strictly follows page ownership, multiple cgroups dirtying overlapping
1105areas wouldn't work as expected. It's recommended to avoid such usage
1106patterns.
1107
1108The sysctl knobs which affect writeback behavior are applied to cgroup
1109writeback as follows.
1110
1111 vm.dirty_background_ratio
1112 vm.dirty_ratio
1113
1114 These ratios apply the same to cgroup writeback with the
1115 amount of available memory capped by limits imposed by the
1116 memory controller and system-wide clean memory.
1117
1118 vm.dirty_background_bytes
1119 vm.dirty_bytes
1120
1121 For cgroup writeback, this is calculated into ratio against
1122 total available memory and applied the same way as
1123 vm.dirty[_background]_ratio.
1124
1125
Hans Ragas20c56e52017-01-10 17:42:34 +000011265-4. PID
1127
1128The process number controller is used to allow a cgroup to stop any
1129new tasks from being fork()'d or clone()'d after a specified limit is
1130reached.
1131
1132The number of tasks in a cgroup can be exhausted in ways which other
1133controllers cannot prevent, thus warranting its own controller. For
1134example, a fork bomb is likely to exhaust the number of tasks before
1135hitting memory restrictions.
1136
1137Note that PIDs used in this controller refer to TIDs, process IDs as
1138used by the kernel.
1139
1140
11415-4-1. PID Interface Files
1142
1143 pids.max
1144
Tobias Klauser312eb712017-02-17 18:44:11 +01001145 A read-write single value file which exists on non-root
1146 cgroups. The default is "max".
Hans Ragas20c56e52017-01-10 17:42:34 +00001147
Tobias Klauser312eb712017-02-17 18:44:11 +01001148 Hard limit of number of processes.
Hans Ragas20c56e52017-01-10 17:42:34 +00001149
1150 pids.current
1151
Tobias Klauser312eb712017-02-17 18:44:11 +01001152 A read-only single value file which exists on all cgroups.
Hans Ragas20c56e52017-01-10 17:42:34 +00001153
Tobias Klauser312eb712017-02-17 18:44:11 +01001154 The number of processes currently in the cgroup and its
1155 descendants.
Hans Ragas20c56e52017-01-10 17:42:34 +00001156
1157Organisational operations are not blocked by cgroup policies, so it is
1158possible to have pids.current > pids.max. This can be done by either
1159setting the limit to be smaller than pids.current, or attaching enough
1160processes to the cgroup such that pids.current is larger than
1161pids.max. However, it is not possible to violate a cgroup PID policy
1162through fork() or clone(). These will return -EAGAIN if the creation
1163of a new process would cause a cgroup policy to be violated.
1164
1165
Tejun Heo63f1ca52017-02-02 13:50:35 -050011665-5. RDMA
Tejun Heo968ebff2017-01-29 14:35:20 -05001167
Parav Pandit9c1e67f2017-01-10 00:02:15 +00001168The "rdma" controller regulates the distribution and accounting of
1169of RDMA resources.
1170
Tejun Heo63f1ca52017-02-02 13:50:35 -050011715-5-1. RDMA Interface Files
Parav Pandit9c1e67f2017-01-10 00:02:15 +00001172
1173 rdma.max
1174 A readwrite nested-keyed file that exists for all the cgroups
1175 except root that describes current configured resource limit
1176 for a RDMA/IB device.
1177
1178 Lines are keyed by device name and are not ordered.
1179 Each line contains space separated resource name and its configured
1180 limit that can be distributed.
1181
1182 The following nested keys are defined.
1183
1184 hca_handle Maximum number of HCA Handles
1185 hca_object Maximum number of HCA Objects
1186
1187 An example for mlx4 and ocrdma device follows.
1188
1189 mlx4_0 hca_handle=2 hca_object=2000
1190 ocrdma1 hca_handle=3 hca_object=max
1191
1192 rdma.current
1193 A read-only file that describes current resource usage.
1194 It exists for all the cgroup except root.
1195
1196 An example for mlx4 and ocrdma device follows.
1197
1198 mlx4_0 hca_handle=1 hca_object=20
1199 ocrdma1 hca_handle=1 hca_object=23
1200
1201
Tejun Heo63f1ca52017-02-02 13:50:35 -050012025-6. Misc
1203
12045-6-1. perf_event
Tejun Heo968ebff2017-01-29 14:35:20 -05001205
1206perf_event controller, if not mounted on a legacy hierarchy, is
1207automatically enabled on the v2 hierarchy so that perf events can
1208always be filtered by cgroup v2 path. The controller can still be
1209moved to a legacy hierarchy after v2 hierarchy is populated.
1210
1211
Serge Hallynd4021f62016-01-29 02:54:10 -060012126. Namespace
1213
12146-1. Basics
1215
1216cgroup namespace provides a mechanism to virtualize the view of the
1217"/proc/$PID/cgroup" file and cgroup mounts. The CLONE_NEWCGROUP clone
1218flag can be used with clone(2) and unshare(2) to create a new cgroup
1219namespace. The process running inside the cgroup namespace will have
1220its "/proc/$PID/cgroup" output restricted to cgroupns root. The
1221cgroupns root is the cgroup of the process at the time of creation of
1222the cgroup namespace.
1223
1224Without cgroup namespace, the "/proc/$PID/cgroup" file shows the
1225complete path of the cgroup of a process. In a container setup where
1226a set of cgroups and namespaces are intended to isolate processes the
1227"/proc/$PID/cgroup" file may leak potential system level information
1228to the isolated processes. For Example:
1229
1230 # cat /proc/self/cgroup
1231 0::/batchjobs/container_id1
1232
1233The path '/batchjobs/container_id1' can be considered as system-data
1234and undesirable to expose to the isolated processes. cgroup namespace
1235can be used to restrict visibility of this path. For example, before
1236creating a cgroup namespace, one would see:
1237
1238 # ls -l /proc/self/ns/cgroup
1239 lrwxrwxrwx 1 root root 0 2014-07-15 10:37 /proc/self/ns/cgroup -> cgroup:[4026531835]
1240 # cat /proc/self/cgroup
1241 0::/batchjobs/container_id1
1242
1243After unsharing a new namespace, the view changes.
1244
1245 # ls -l /proc/self/ns/cgroup
1246 lrwxrwxrwx 1 root root 0 2014-07-15 10:35 /proc/self/ns/cgroup -> cgroup:[4026532183]
1247 # cat /proc/self/cgroup
1248 0::/
1249
1250When some thread from a multi-threaded process unshares its cgroup
1251namespace, the new cgroupns gets applied to the entire process (all
1252the threads). This is natural for the v2 hierarchy; however, for the
1253legacy hierarchies, this may be unexpected.
1254
1255A cgroup namespace is alive as long as there are processes inside or
1256mounts pinning it. When the last usage goes away, the cgroup
1257namespace is destroyed. The cgroupns root and the actual cgroups
1258remain.
1259
1260
12616-2. The Root and Views
1262
1263The 'cgroupns root' for a cgroup namespace is the cgroup in which the
1264process calling unshare(2) is running. For example, if a process in
1265/batchjobs/container_id1 cgroup calls unshare, cgroup
1266/batchjobs/container_id1 becomes the cgroupns root. For the
1267init_cgroup_ns, this is the real root ('/') cgroup.
1268
1269The cgroupns root cgroup does not change even if the namespace creator
1270process later moves to a different cgroup.
1271
1272 # ~/unshare -c # unshare cgroupns in some cgroup
1273 # cat /proc/self/cgroup
1274 0::/
1275 # mkdir sub_cgrp_1
1276 # echo 0 > sub_cgrp_1/cgroup.procs
1277 # cat /proc/self/cgroup
1278 0::/sub_cgrp_1
1279
1280Each process gets its namespace-specific view of "/proc/$PID/cgroup"
1281
1282Processes running inside the cgroup namespace will be able to see
1283cgroup paths (in /proc/self/cgroup) only inside their root cgroup.
1284From within an unshared cgroupns:
1285
1286 # sleep 100000 &
1287 [1] 7353
1288 # echo 7353 > sub_cgrp_1/cgroup.procs
1289 # cat /proc/7353/cgroup
1290 0::/sub_cgrp_1
1291
1292From the initial cgroup namespace, the real cgroup path will be
1293visible:
1294
1295 $ cat /proc/7353/cgroup
1296 0::/batchjobs/container_id1/sub_cgrp_1
1297
1298From a sibling cgroup namespace (that is, a namespace rooted at a
1299different cgroup), the cgroup path relative to its own cgroup
1300namespace root will be shown. For instance, if PID 7353's cgroup
1301namespace root is at '/batchjobs/container_id2', then it will see
1302
1303 # cat /proc/7353/cgroup
1304 0::/../container_id2/sub_cgrp_1
1305
1306Note that the relative path always starts with '/' to indicate that
1307its relative to the cgroup namespace root of the caller.
1308
1309
13106-3. Migration and setns(2)
1311
1312Processes inside a cgroup namespace can move into and out of the
1313namespace root if they have proper access to external cgroups. For
1314example, from inside a namespace with cgroupns root at
1315/batchjobs/container_id1, and assuming that the global hierarchy is
1316still accessible inside cgroupns:
1317
1318 # cat /proc/7353/cgroup
1319 0::/sub_cgrp_1
1320 # echo 7353 > batchjobs/container_id2/cgroup.procs
1321 # cat /proc/7353/cgroup
1322 0::/../container_id2
1323
1324Note that this kind of setup is not encouraged. A task inside cgroup
1325namespace should only be exposed to its own cgroupns hierarchy.
1326
1327setns(2) to another cgroup namespace is allowed when:
1328
1329(a) the process has CAP_SYS_ADMIN against its current user namespace
1330(b) the process has CAP_SYS_ADMIN against the target cgroup
1331 namespace's userns
1332
1333No implicit cgroup changes happen with attaching to another cgroup
1334namespace. It is expected that the someone moves the attaching
1335process under the target cgroup namespace root.
1336
1337
13386-4. Interaction with Other Namespaces
1339
1340Namespace specific cgroup hierarchy can be mounted by a process
1341running inside a non-init cgroup namespace.
1342
1343 # mount -t cgroup2 none $MOUNT_POINT
1344
1345This will mount the unified cgroup hierarchy with cgroupns root as the
1346filesystem root. The process needs CAP_SYS_ADMIN against its user and
1347mount namespaces.
1348
1349The virtualization of /proc/self/cgroup file combined with restricting
1350the view of cgroup hierarchy by namespace-private cgroupfs mount
1351provides a properly isolated cgroup view inside the container.
1352
1353
Tejun Heo6c292092015-11-16 11:13:34 -05001354P. Information on Kernel Programming
1355
1356This section contains kernel programming information in the areas
1357where interacting with cgroup is necessary. cgroup core and
1358controllers are not covered.
1359
1360
1361P-1. Filesystem Support for Writeback
1362
1363A filesystem can support cgroup writeback by updating
1364address_space_operations->writepage[s]() to annotate bio's using the
1365following two functions.
1366
1367 wbc_init_bio(@wbc, @bio)
1368
1369 Should be called for each bio carrying writeback data and
1370 associates the bio with the inode's owner cgroup. Can be
1371 called anytime between bio allocation and submission.
1372
1373 wbc_account_io(@wbc, @page, @bytes)
1374
1375 Should be called for each data segment being written out.
1376 While this function doesn't care exactly when it's called
1377 during the writeback session, it's the easiest and most
1378 natural to call it as data segments are added to a bio.
1379
1380With writeback bio's annotated, cgroup support can be enabled per
1381super_block by setting SB_I_CGROUPWB in ->s_iflags. This allows for
1382selective disabling of cgroup writeback support which is helpful when
1383certain filesystem features, e.g. journaled data mode, are
1384incompatible.
1385
1386wbc_init_bio() binds the specified bio to its cgroup. Depending on
1387the configuration, the bio may be executed at a lower priority and if
1388the writeback session is holding shared resources, e.g. a journal
1389entry, may lead to priority inversion. There is no one easy solution
1390for the problem. Filesystems can try to work around specific problem
1391cases by skipping wbc_init_bio() or using bio_associate_blkcg()
1392directly.
1393
1394
1395D. Deprecated v1 Core Features
1396
1397- Multiple hierarchies including named ones are not supported.
1398
1399- All mount options and remounting are not supported.
1400
1401- The "tasks" file is removed and "cgroup.procs" is not sorted.
1402
1403- "cgroup.clone_children" is removed.
1404
1405- /proc/cgroups is meaningless for v2. Use "cgroup.controllers" file
1406 at the root instead.
1407
1408
1409R. Issues with v1 and Rationales for v2
1410
1411R-1. Multiple Hierarchies
1412
1413cgroup v1 allowed an arbitrary number of hierarchies and each
1414hierarchy could host any number of controllers. While this seemed to
1415provide a high level of flexibility, it wasn't useful in practice.
1416
1417For example, as there is only one instance of each controller, utility
1418type controllers such as freezer which can be useful in all
1419hierarchies could only be used in one. The issue is exacerbated by
1420the fact that controllers couldn't be moved to another hierarchy once
1421hierarchies were populated. Another issue was that all controllers
1422bound to a hierarchy were forced to have exactly the same view of the
1423hierarchy. It wasn't possible to vary the granularity depending on
1424the specific controller.
1425
1426In practice, these issues heavily limited which controllers could be
1427put on the same hierarchy and most configurations resorted to putting
1428each controller on its own hierarchy. Only closely related ones, such
1429as the cpu and cpuacct controllers, made sense to be put on the same
1430hierarchy. This often meant that userland ended up managing multiple
1431similar hierarchies repeating the same steps on each hierarchy
1432whenever a hierarchy management operation was necessary.
1433
1434Furthermore, support for multiple hierarchies came at a steep cost.
1435It greatly complicated cgroup core implementation but more importantly
1436the support for multiple hierarchies restricted how cgroup could be
1437used in general and what controllers was able to do.
1438
1439There was no limit on how many hierarchies there might be, which meant
1440that a thread's cgroup membership couldn't be described in finite
1441length. The key might contain any number of entries and was unlimited
1442in length, which made it highly awkward to manipulate and led to
1443addition of controllers which existed only to identify membership,
1444which in turn exacerbated the original problem of proliferating number
1445of hierarchies.
1446
1447Also, as a controller couldn't have any expectation regarding the
1448topologies of hierarchies other controllers might be on, each
1449controller had to assume that all other controllers were attached to
1450completely orthogonal hierarchies. This made it impossible, or at
1451least very cumbersome, for controllers to cooperate with each other.
1452
1453In most use cases, putting controllers on hierarchies which are
1454completely orthogonal to each other isn't necessary. What usually is
1455called for is the ability to have differing levels of granularity
1456depending on the specific controller. In other words, hierarchy may
1457be collapsed from leaf towards root when viewed from specific
1458controllers. For example, a given configuration might not care about
1459how memory is distributed beyond a certain level while still wanting
1460to control how CPU cycles are distributed.
1461
1462
1463R-2. Thread Granularity
1464
1465cgroup v1 allowed threads of a process to belong to different cgroups.
1466This didn't make sense for some controllers and those controllers
1467ended up implementing different ways to ignore such situations but
1468much more importantly it blurred the line between API exposed to
1469individual applications and system management interface.
1470
1471Generally, in-process knowledge is available only to the process
1472itself; thus, unlike service-level organization of processes,
1473categorizing threads of a process requires active participation from
1474the application which owns the target process.
1475
1476cgroup v1 had an ambiguously defined delegation model which got abused
1477in combination with thread granularity. cgroups were delegated to
1478individual applications so that they can create and manage their own
1479sub-hierarchies and control resource distributions along them. This
1480effectively raised cgroup to the status of a syscall-like API exposed
1481to lay programs.
1482
1483First of all, cgroup has a fundamentally inadequate interface to be
1484exposed this way. For a process to access its own knobs, it has to
1485extract the path on the target hierarchy from /proc/self/cgroup,
1486construct the path by appending the name of the knob to the path, open
1487and then read and/or write to it. This is not only extremely clunky
1488and unusual but also inherently racy. There is no conventional way to
1489define transaction across the required steps and nothing can guarantee
1490that the process would actually be operating on its own sub-hierarchy.
1491
1492cgroup controllers implemented a number of knobs which would never be
1493accepted as public APIs because they were just adding control knobs to
1494system-management pseudo filesystem. cgroup ended up with interface
1495knobs which were not properly abstracted or refined and directly
1496revealed kernel internal details. These knobs got exposed to
1497individual applications through the ill-defined delegation mechanism
1498effectively abusing cgroup as a shortcut to implementing public APIs
1499without going through the required scrutiny.
1500
1501This was painful for both userland and kernel. Userland ended up with
1502misbehaving and poorly abstracted interfaces and kernel exposing and
1503locked into constructs inadvertently.
1504
1505
1506R-3. Competition Between Inner Nodes and Threads
1507
1508cgroup v1 allowed threads to be in any cgroups which created an
1509interesting problem where threads belonging to a parent cgroup and its
1510children cgroups competed for resources. This was nasty as two
1511different types of entities competed and there was no obvious way to
1512settle it. Different controllers did different things.
1513
1514The cpu controller considered threads and cgroups as equivalents and
1515mapped nice levels to cgroup weights. This worked for some cases but
1516fell flat when children wanted to be allocated specific ratios of CPU
1517cycles and the number of internal threads fluctuated - the ratios
1518constantly changed as the number of competing entities fluctuated.
1519There also were other issues. The mapping from nice level to weight
1520wasn't obvious or universal, and there were various other knobs which
1521simply weren't available for threads.
1522
1523The io controller implicitly created a hidden leaf node for each
1524cgroup to host the threads. The hidden leaf had its own copies of all
1525the knobs with "leaf_" prefixed. While this allowed equivalent
1526control over internal threads, it was with serious drawbacks. It
1527always added an extra layer of nesting which wouldn't be necessary
1528otherwise, made the interface messy and significantly complicated the
1529implementation.
1530
1531The memory controller didn't have a way to control what happened
1532between internal tasks and child cgroups and the behavior was not
1533clearly defined. There were attempts to add ad-hoc behaviors and
1534knobs to tailor the behavior to specific workloads which would have
1535led to problems extremely difficult to resolve in the long term.
1536
1537Multiple controllers struggled with internal tasks and came up with
1538different ways to deal with it; unfortunately, all the approaches were
1539severely flawed and, furthermore, the widely different behaviors
1540made cgroup as a whole highly inconsistent.
1541
1542This clearly is a problem which needs to be addressed from cgroup core
1543in a uniform way.
1544
1545
1546R-4. Other Interface Issues
1547
1548cgroup v1 grew without oversight and developed a large number of
1549idiosyncrasies and inconsistencies. One issue on the cgroup core side
1550was how an empty cgroup was notified - a userland helper binary was
1551forked and executed for each event. The event delivery wasn't
1552recursive or delegatable. The limitations of the mechanism also led
1553to in-kernel event delivery filtering mechanism further complicating
1554the interface.
1555
1556Controller interfaces were problematic too. An extreme example is
1557controllers completely ignoring hierarchical organization and treating
1558all cgroups as if they were all located directly under the root
1559cgroup. Some controllers exposed a large amount of inconsistent
1560implementation details to userland.
1561
1562There also was no consistency across controllers. When a new cgroup
1563was created, some controllers defaulted to not imposing extra
1564restrictions while others disallowed any resource usage until
1565explicitly configured. Configuration knobs for the same type of
1566control used widely differing naming schemes and formats. Statistics
1567and information knobs were named arbitrarily and used different
1568formats and units even in the same controller.
1569
1570cgroup v2 establishes common conventions where appropriate and updates
1571controllers so that they expose minimal and consistent interfaces.
1572
1573
1574R-5. Controller Issues and Remedies
1575
1576R-5-1. Memory
1577
1578The original lower boundary, the soft limit, is defined as a limit
1579that is per default unset. As a result, the set of cgroups that
1580global reclaim prefers is opt-in, rather than opt-out. The costs for
1581optimizing these mostly negative lookups are so high that the
1582implementation, despite its enormous size, does not even provide the
1583basic desirable behavior. First off, the soft limit has no
1584hierarchical meaning. All configured groups are organized in a global
1585rbtree and treated like equal peers, regardless where they are located
1586in the hierarchy. This makes subtree delegation impossible. Second,
1587the soft limit reclaim pass is so aggressive that it not just
1588introduces high allocation latencies into the system, but also impacts
1589system performance due to overreclaim, to the point where the feature
1590becomes self-defeating.
1591
1592The memory.low boundary on the other hand is a top-down allocated
1593reserve. A cgroup enjoys reclaim protection when it and all its
1594ancestors are below their low boundaries, which makes delegation of
1595subtrees possible. Secondly, new cgroups have no reserve per default
1596and in the common case most cgroups are eligible for the preferred
1597reclaim pass. This allows the new low boundary to be efficiently
1598implemented with just a minor addition to the generic reclaim code,
1599without the need for out-of-band data structures and reclaim passes.
1600Because the generic reclaim code considers all cgroups except for the
1601ones running low in the preferred first reclaim pass, overreclaim of
1602individual groups is eliminated as well, resulting in much better
1603overall workload performance.
1604
1605The original high boundary, the hard limit, is defined as a strict
1606limit that can not budge, even if the OOM killer has to be called.
1607But this generally goes against the goal of making the most out of the
1608available memory. The memory consumption of workloads varies during
1609runtime, and that requires users to overcommit. But doing that with a
1610strict upper limit requires either a fairly accurate prediction of the
1611working set size or adding slack to the limit. Since working set size
1612estimation is hard and error prone, and getting it wrong results in
1613OOM kills, most users tend to err on the side of a looser limit and
1614end up wasting precious resources.
1615
1616The memory.high boundary on the other hand can be set much more
1617conservatively. When hit, it throttles allocations by forcing them
1618into direct reclaim to work off the excess, but it never invokes the
1619OOM killer. As a result, a high boundary that is chosen too
1620aggressively will not terminate the processes, but instead it will
1621lead to gradual performance degradation. The user can monitor this
1622and make corrections until the minimal memory footprint that still
1623gives acceptable performance is found.
1624
1625In extreme cases, with many concurrent allocations and a complete
1626breakdown of reclaim progress within the group, the high boundary can
1627be exceeded. But even then it's mostly better to satisfy the
1628allocation from the slack available in other groups or the rest of the
1629system than killing the group. Otherwise, memory.max is there to
1630limit this type of spillover and ultimately contain buggy or even
1631malicious applications.
Vladimir Davydov3e24b192016-01-20 15:03:13 -08001632
Johannes Weinerb6e6edc2016-03-17 14:20:28 -07001633Setting the original memory.limit_in_bytes below the current usage was
1634subject to a race condition, where concurrent charges could cause the
1635limit setting to fail. memory.max on the other hand will first set the
1636limit to prevent new charges, and then reclaim and OOM kill until the
1637new limit is met - or the task writing to memory.max is killed.
1638
Vladimir Davydov3e24b192016-01-20 15:03:13 -08001639The combined memory+swap accounting and limiting is replaced by real
1640control over swap space.
1641
1642The main argument for a combined memory+swap facility in the original
1643cgroup design was that global or parental pressure would always be
1644able to swap all anonymous memory of a child group, regardless of the
1645child's own (possibly untrusted) configuration. However, untrusted
1646groups can sabotage swapping by other means - such as referencing its
1647anonymous memory in a tight loop - and an admin can not assume full
1648swappability when overcommitting untrusted jobs.
1649
1650For trusted jobs, on the other hand, a combined counter is not an
1651intuitive userspace interface, and it flies in the face of the idea
1652that cgroup controllers should account and limit specific physical
1653resources. Swap space is a resource like all others in the system,
1654and that's why unified hierarchy allows distributing it separately.