Last Updated: 2024-04-25

Control Groups, or cgroups are a feature allowing processes to be organized into multiple hierarchical resources that can be limited and monitored, and which can stay partitioned even with future children.

vs. init

With cgroups there are many "root" processes, vs. 1 with init

vs. traditional resource limits

Traditional resource limits (as implemented by setrlimit()) are (mostly) per-process. cgroups on the other hand let you enforce limits on entire groups of processes.

Usage

• Together with namespaces, they power containers

• They are great for babysitting purposes and keeping track of daemons. This is because cgroup membership is securely inherited by child processes, they cannot escape. Compare to regular processes which can escape supervision by parent with double-forking (e.g. CGI script that won't terminate when grandparent apache is stopped) What's more, in systemd at least, they have very usable names, being based off files often

$ ps xawf -eo pid,user,cgroup,args
PID USER     CGROUP                              COMMAND
  2 root     -                                   [kthreadd]
  3 root     -                                    \_ [ksoftirqd/0]
[...]
4281 root     -                                    \_ [flush-8:0]
  1 root     name=systemd:/systemd-1             /sbin/init
455 root     name=systemd:/systemd-1/sysinit.service /sbin/udevd -d
28188 root     name=systemd:/systemd-1/sysinit.service  \_ /sbin/udevd -d
28191 root     name=systemd:/systemd-1/sysinit.service  \_ /sbin/udevd -d
1096 dbus     name=systemd:/systemd-1/dbus.service /bin/dbus-daemon --system --address=systemd: --nofork --systemd-activation
1131 root     name=systemd:/systemd-1/auditd.service auditd
1133 root     name=systemd:/systemd-1/auditd.service  \_ /sbin/audispd
1135 root     name=systemd:/systemd-1/auditd.service      \_ /usr/sbin/sedispatch
1171 root     name=systemd:/systemd-1/NetworkManager.service /usr/sbin/NetworkManager --no-daemon
4028 root     name=systemd:/systemd-1/NetworkManager.service  \_ /sbin/dhclient -d -4 -sf /usr/libexec/nm-dhcp-client.action -pf /var/run/dhclient-wlan0.pid -lf /var/lib/dhclient/dhclient-7d32a784-ede9-4cf6-9ee3-60edc0bce5ff-wlan0.lease -

There's a notification system available so that a supervisor process can be notified when a cgroup runs empty. You can find the cgroups of a process by reading /proc/$PID/cgroup.

Resources

• https://stackoverflow.com/questions/34820558/difference-between-cgroups-and-namespaces
• https://man7.org/linux/man-pages/man7/cgroups.7.html
• http://0pointer.net/blog/projects/systemd-for-admins-2.html
• http://0pointer.net/blog/projects/systemd.html