]>
Commit | Line | Data |
---|---|---|
014cb63b | 1 | .\" Copyright (C) 2015 Serge Hallyn <serge@hallyn.com> |
4242dfbe | 2 | .\" and Copyright (C) 2016, 2017 Michael Kerrisk <mtk.manpages@gmail.com> |
014cb63b MK |
3 | .\" |
4 | .\" %%%LICENSE_START(VERBATIM) | |
5 | .\" Permission is granted to make and distribute verbatim copies of this | |
6 | .\" manual provided the copyright notice and this permission notice are | |
7 | .\" preserved on all copies. | |
8 | .\" | |
9 | .\" Permission is granted to copy and distribute modified versions of this | |
10 | .\" manual under the conditions for verbatim copying, provided that the | |
11 | .\" entire resulting derived work is distributed under the terms of a | |
12 | .\" permission notice identical to this one. | |
13 | .\" | |
14 | .\" Since the Linux kernel and libraries are constantly changing, this | |
15 | .\" manual page may be incorrect or out-of-date. The author(s) assume no | |
16 | .\" responsibility for errors or omissions, or for damages resulting from | |
17 | .\" the use of the information contained herein. The author(s) may not | |
18 | .\" have taken the same level of care in the production of this manual, | |
19 | .\" which is licensed free of charge, as they might when working | |
20 | .\" professionally. | |
21 | .\" | |
22 | .\" Formatted or processed versions of this manual, if unaccompanied by | |
23 | .\" the source, must acknowledge the copyright and authors of this work. | |
24 | .\" %%%LICENSE_END | |
25 | .\" | |
4b8c67d9 | 26 | .TH CGROUPS 7 2017-09-15 "Linux" "Linux Programmer's Manual" |
21f0d132 MK |
27 | .SH NAME |
28 | cgroups \- Linux control groups | |
29 | .SH DESCRIPTION | |
30 | Control cgroups, usually referred to as cgroups, | |
a15e0673 | 31 | are a Linux kernel feature which allow processes to |
8bff7140 MK |
32 | be organized into hierarchical groups whose usage of |
33 | various types of resources can then be limited and monitored. | |
34 | The kernel's cgroup interface is provided through | |
21f0d132 | 35 | a pseudo-filesystem called cgroupfs. |
6398ca15 | 36 | Grouping is implemented in the core cgroup kernel code, |
21f0d132 | 37 | while resource tracking and limits are implemented in |
8bff7140 | 38 | a set of per-resource-type subsystems (memory, CPU, and so on). |
21f0d132 | 39 | .\" |
176a4211 MK |
40 | .SS Terminology |
41 | A | |
42 | .I cgroup | |
43 | is a collection of processes that are bound to a set of | |
44 | limits or parameters defined via the cgroup filesystem. | |
a721e8b2 | 45 | .PP |
176a4211 MK |
46 | A |
47 | .I subsystem | |
48 | is a kernel component that modifies the behavior of | |
49 | the processes in a cgroup. | |
50 | Various subsystems have been implemented, making it possible to do things | |
51 | such as limiting the amount of CPU time and memory available to a cgroup, | |
52 | accounting for the CPU time used by a cgroup, | |
53 | and freezing and resuming execution of the processes in a cgroup. | |
54 | Subsystems are sometimes also known as | |
55 | .IR "resource controllers" | |
56 | (or simply, controllers). | |
a721e8b2 | 57 | .PP |
55f52de8 | 58 | The cgroups for a controller are arranged in a |
176a4211 MK |
59 | .IR hierarchy . |
60 | This hierarchy is defined by creating, removing, and | |
61 | renaming subdirectories within the cgroup filesystem. | |
8fc9db1e MK |
62 | At each level of the hierarchy, attributes (e.g., limits) can be defined. |
63 | The limits, control, and accounting provided by cgroups generally have | |
64 | effect throughout the subhierarchy underneath the cgroup where the | |
65 | attributes are defined. | |
8bff7140 MK |
66 | Thus, for example, the limits placed on |
67 | a cgroup at a higher level in the hierarchy cannot be exceeded | |
68 | by descendant cgroups. | |
176a4211 | 69 | .\" |
43df1ab3 MK |
70 | .SS Cgroups version 1 and version 2 |
71 | The initial release of the cgroups implementation was in Linux 2.6.24. | |
55f52de8 | 72 | Over time, various cgroup controllers have been added |
43df1ab3 | 73 | to allow the management of various types of resources. |
55f52de8 MK |
74 | However, the development of these controllers was largely uncoordinated, |
75 | with the result that many inconsistencies arose between controllers | |
43df1ab3 MK |
76 | and management of the cgroup hierarchies became rather complex. |
77 | (A longer description of these problems can be found in | |
78 | the kernel source file | |
0a837899 | 79 | .IR Documentation/cgroup\-v2.txt .) |
a721e8b2 | 80 | .PP |
813d9220 MK |
81 | Because of the problems with the initial cgroups implementation |
82 | (cgroups version 1), | |
43df1ab3 MK |
83 | starting in Linux 3.10, work began on a new, |
84 | orthogonal implementation to remedy these problems. | |
85 | Initially marked experimental, and hidden behind the | |
86 | .I "\-o\ __DEVEL__sane_behavior" | |
87 | mount option, the new version (cgroups version 2) | |
88 | was eventually made official with the release of Linux 4.5. | |
89 | Differences between the two versions are described in the text below. | |
a721e8b2 | 90 | .PP |
43df1ab3 MK |
91 | Although cgroups v2 is intended as a replacement for cgroups v1, |
92 | the older system continues to exist | |
93 | (and for compatibility reasons is unlikely to be removed). | |
94 | Currently, cgroups v2 implements only a subset of the controllers | |
95 | available in cgroups v1. | |
96 | The two systems are implemented so that both v1 controllers and | |
97 | v2 controllers can be mounted on the same system. | |
98 | Thus, for example, it is possible to use those controllers | |
99 | that are supported under version 2, | |
100 | while also using version 1 controllers | |
101 | where version 2 does not yet support those controllers. | |
1a90a85e MK |
102 | The only restriction here is that a controller can't be simultaneously |
103 | employed in both a cgroups v1 hierarchy and in the cgroups v2 hierarchy. | |
43df1ab3 | 104 | .\" |
5714ccee | 105 | .SH CGROUPS VERSION 1 |
8bff7140 MK |
106 | Under cgroups v1, each controller may be mounted against a separate |
107 | cgroup filesystem that provides its own hierarchical organization of the | |
108 | processes on the system. | |
109 | It is also possible comount multiple (or even all) cgroups v1 controllers | |
110 | against the same cgroup filesystem, meaning that the comounted controllers | |
111 | manage the same hierarchical organization of processes. | |
a721e8b2 | 112 | .PP |
8bff7140 MK |
113 | For each mounted hierarchy, |
114 | the directory tree mirrors the control group hierarchy. | |
115 | Each control group is represented by a directory, with each of its child | |
116 | control cgroups represented as a child directory. | |
117 | For instance, | |
118 | .IR /user/joe/1.session | |
119 | represents control group | |
120 | .IR 1.session , | |
121 | which is a child of cgroup | |
122 | .IR joe , | |
123 | which is a child of | |
124 | .IR /user . | |
125 | Under each cgroup directory is a set of files which can be read or | |
126 | written to, reflecting resource limits and a few general cgroup | |
127 | properties. | |
a721e8b2 | 128 | .PP |
8bff7140 | 129 | In addition, in cgroups v1, |
55f52de8 | 130 | cgroups can be mounted with no bound controller, in which case |
8bff7140 | 131 | they serve only to track processes. |
59dabd75 | 132 | (See the discussion of release notification below.) |
8bff7140 MK |
133 | An example of this is the |
134 | .I name=systemd | |
135 | cgroup which is used by | |
136 | .BR systemd (1) | |
137 | to track services and user sessions. | |
138 | .\" | |
6398ca15 | 139 | .SS Tasks (threads) versus processes |
c775bca2 MK |
140 | In cgroups v1, a distinction is drawn between |
141 | .I processes | |
142 | and | |
143 | .IR tasks . | |
144 | In this view, a process can consist of multiple tasks | |
6398ca15 MK |
145 | (more commonly called threads, from a user-space perspective, |
146 | and called such in the remainder of this man page). | |
0ec74e08 | 147 | In cgroups v1, it is possible to independently manipulate |
6398ca15 | 148 | the cgroup memberships of the threads in a process. |
c775bca2 MK |
149 | Because this ability caused certain problems, |
150 | .\" FIXME Add some text describing why this was a problem. | |
151 | the ability to independently manipulate the cgroup memberships | |
6398ca15 | 152 | of the threads in a process has been removed in cgroups v2. |
c775bca2 MK |
153 | Cgroups v2 allows manipulation of cgroup membership only for processes |
154 | (which has the effect of changing the cgroup membership of | |
6398ca15 | 155 | all threads in the process). |
c775bca2 | 156 | .\" |
77e0a626 MK |
157 | .SS Mounting v1 controllers |
158 | The use of cgroups requires a kernel built with the | |
8e6578f8 KF |
159 | .BR CONFIG_CGROUP |
160 | option. | |
77e0a626 MK |
161 | In addition, each of the v1 controllers has an associated |
162 | configuration option that must be set in order to employ that controller. | |
a721e8b2 | 163 | .PP |
77e0a626 MK |
164 | In order to use a v1 controller, |
165 | it must be mounted against a cgroup filesystem. | |
4e07c70f MK |
166 | The usual place for such mounts is under a |
167 | .BR tmpfs (5) | |
168 | filesystem mounted at | |
77e0a626 MK |
169 | .IR /sys/fs/cgroup . |
170 | Thus, one might mount the | |
171 | .I cpu | |
172 | controller as follows: | |
a721e8b2 | 173 | .PP |
77e0a626 | 174 | .in +4n |
b8302363 | 175 | .EX |
77e0a626 | 176 | mount \-t cgroup \-o cpu none /sys/fs/cgroup/cpu |
b8302363 | 177 | .EE |
e646a1ba | 178 | .in |
a721e8b2 | 179 | .PP |
77e0a626 MK |
180 | It is possible to comount multiple controllers against the same hierarchy. |
181 | For example, here the | |
182 | .IR cpu | |
21f0d132 | 183 | and |
77e0a626 MK |
184 | .IR cpuacct |
185 | controllers are comounted against a single hierarchy: | |
a721e8b2 | 186 | .PP |
21f0d132 | 187 | .in +4n |
b8302363 | 188 | .EX |
77e0a626 | 189 | mount \-t cgroup \-o cpu,cpuacct none /sys/fs/cgroup/cpu,cpuacct |
b8302363 | 190 | .EE |
e646a1ba | 191 | .in |
a721e8b2 | 192 | .PP |
55f52de8 | 193 | Comounting controllers has the effect that a process is in the same cgroup for |
77e0a626 | 194 | all of the comounted controllers. |
55f52de8 | 195 | Separately mounting controllers allows a process to |
21f0d132 MK |
196 | be in cgroup |
197 | .I /foo1 | |
55f52de8 | 198 | for one controller while being in |
21f0d132 MK |
199 | .I /foo2/foo3 |
200 | for another. | |
a721e8b2 | 201 | .PP |
77e0a626 | 202 | It is possible to comount all v1 controllers against the same hierarchy: |
a721e8b2 | 203 | .PP |
77e0a626 | 204 | .in +4n |
b8302363 | 205 | .EX |
77e0a626 | 206 | mount \-t cgroup \-o all cgroup /sys/fs/cgroup |
b8302363 | 207 | .EE |
e646a1ba | 208 | .in |
a721e8b2 | 209 | .PP |
77e0a626 MK |
210 | (One can achieve the same result by omitting |
211 | .IR "\-o all" , | |
212 | since it is the default if no controllers are explicitly specified.) | |
a721e8b2 | 213 | .PP |
31ec2a5c MK |
214 | It is not possible to mount the same controller |
215 | against multiple cgroup hierarchies. | |
216 | For example, it is not possible to mount both the | |
217 | .I cpu | |
218 | and | |
219 | .I cpuacct | |
220 | controllers against one hierarchy, and to mount the | |
221 | .I cpu | |
222 | controller alone against another hierarchy. | |
223 | It is possible to create multiple mount points with exactly | |
224 | the same set of comounted controllers. | |
225 | However, in this case all that results is multiple mount points | |
226 | providing a view of the same hierarchy. | |
a721e8b2 | 227 | .PP |
77e0a626 MK |
228 | Note that on many systems, the v1 controllers are automatically mounted under |
229 | .IR /sys/fs/cgroup ; | |
230 | in particular, | |
231 | .BR systemd (1) | |
232 | automatically creates such mount points. | |
21f0d132 | 233 | .\" |
7409b54b MK |
234 | .SS Unmounting v1 controllers |
235 | A mounted cgroup filesystem can be unmounted using the | |
236 | .BR umount (8) | |
237 | command, as in the following example: | |
238 | .PP | |
239 | .in +4n | |
240 | .EX | |
241 | umount /sys/fs/cgroup/pids | |
242 | .EE | |
243 | .in | |
244 | .PP | |
245 | .IR "But note well" : | |
246 | a cgroup filesystem is unmounted only if it is not busy, | |
247 | that is, it has no child cgroups. | |
248 | If this is not the case, then the only effect of the | |
249 | .BR umount (8) | |
250 | is to make the mount invisible. | |
251 | Thus, to ensure that the mount point is really removed, | |
252 | one must first remove all child cgroups, | |
253 | which in turn can be done only after all member processes | |
254 | have been moved from those cgroups to the root cgroup. | |
255 | .\" | |
860573ad MK |
256 | .SS Cgroups version 1 controllers |
257 | Each of the cgroups version 1 controllers is governed | |
258 | by a kernel configuration option (listed below). | |
259 | Additionally, the availability of the cgroups feature is governed by the | |
260 | .BR CONFIG_CGROUPS | |
261 | kernel configuration option. | |
262 | .TP | |
263 | .IR cpu " (since Linux 2.6.24; " \fBCONFIG_CGROUP_SCHED\fP ) | |
264 | Cgroups can be guaranteed a minimum number of "CPU shares" | |
265 | when a system is busy. | |
266 | This does not limit a cgroup's CPU usage if the CPUs are not busy. | |
4ad9a706 MK |
267 | For further information, see |
268 | .IR Documentation/scheduler/sched-design-CFS.txt . | |
a721e8b2 | 269 | .IP |
4ad9a706 MK |
270 | In Linux 3.2, |
271 | this controller was extended to provide CPU "bandwidth" control. | |
272 | If the kernel is configured with | |
81ff7360 | 273 | .BR CONFIG_CFS_BANDWIDTH , |
4ad9a706 MK |
274 | then within each scheduling period |
275 | (defined via a file in the cgroup directory), it is possible to define | |
276 | an upper limit on the CPU time allocated to the processes in a cgroup. | |
277 | This upper limit applies even if there is no other competition for the CPU. | |
860573ad MK |
278 | Further information can be found in the kernel source file |
279 | .IR Documentation/scheduler/sched\-bwc.txt . | |
280 | .TP | |
281 | .IR cpuacct " (since Linux 2.6.24; " \fBCONFIG_CGROUP_CPUACCT\fP ) | |
282 | This provides accounting for CPU usage by groups of processes. | |
a721e8b2 | 283 | .IP |
860573ad MK |
284 | Further information can be found in the kernel source file |
285 | .IR Documentation/cgroup\-v1/cpuacct.txt . | |
286 | .TP | |
287 | .IR cpuset " (since Linux 2.6.24; " \fBCONFIG_CPUSETS\fP ) | |
288 | This cgroup can be used to bind the processes in a cgroup to | |
289 | a specified set of CPUs and NUMA nodes. | |
a721e8b2 | 290 | .IP |
860573ad MK |
291 | Further information can be found in the kernel source file |
292 | .IR Documentation/cgroup\-v1/cpusets.txt . | |
293 | .TP | |
294 | .IR memory " (since Linux 2.6.25; " \fBCONFIG_MEMCG\fP ) | |
295 | The memory controller supports reporting and limiting of process memory, kernel | |
296 | memory, and swap used by cgroups. | |
a721e8b2 | 297 | .IP |
860573ad MK |
298 | Further information can be found in the kernel source file |
299 | .IR Documentation/cgroup\-v1/memory.txt . | |
300 | .TP | |
301 | .IR devices " (since Linux 2.6.26; " \fBCONFIG_CGROUP_DEVICE\fP ) | |
302 | This supports controlling which processes may create (mknod) devices as | |
303 | well as open them for reading or writing. | |
304 | The policies may be specified as whitelists and blacklists. | |
305 | Hierarchy is enforced, so new rules must not | |
306 | violate existing rules for the target or ancestor cgroups. | |
a721e8b2 | 307 | .IP |
860573ad MK |
308 | Further information can be found in the kernel source file |
309 | .IR Documentation/cgroup-v1/devices.txt . | |
310 | .TP | |
311 | .IR freezer " (since Linux 2.6.28; " \fBCONFIG_CGROUP_FREEZER\fP ) | |
312 | The | |
313 | .IR freezer | |
314 | cgroup can suspend and restore (resume) all processes in a cgroup. | |
315 | Freezing a cgroup | |
316 | .I /A | |
317 | also causes its children, for example, processes in | |
318 | .IR /A/B , | |
319 | to be frozen. | |
a721e8b2 | 320 | .IP |
860573ad MK |
321 | Further information can be found in the kernel source file |
322 | .IR Documentation/cgroup-v1/freezer-subsystem.txt . | |
323 | .TP | |
324 | .IR net_cls " (since Linux 2.6.29; " \fBCONFIG_CGROUP_NET_CLASSID\fP ) | |
325 | This places a classid, specified for the cgroup, on network packets | |
326 | created by a cgroup. | |
327 | These classids can then be used in firewall rules, | |
328 | as well as used to shape traffic using | |
329 | .BR tc (8). | |
330 | This applies only to packets | |
331 | leaving the cgroup, not to traffic arriving at the cgroup. | |
a721e8b2 | 332 | .IP |
860573ad MK |
333 | Further information can be found in the kernel source file |
334 | .IR Documentation/cgroup-v1/net_cls.txt . | |
335 | .TP | |
336 | .IR blkio " (since Linux 2.6.33; " \fBCONFIG_BLK_CGROUP\fP ) | |
337 | The | |
338 | .I blkio | |
339 | cgroup controls and limits access to specified block devices by | |
340 | applying IO control in the form of throttling and upper limits against leaf | |
341 | nodes and intermediate nodes in the storage hierarchy. | |
a721e8b2 | 342 | .IP |
860573ad MK |
343 | Two policies are available. |
344 | The first is a proportional-weight time-based division | |
345 | of disk implemented with CFQ. | |
346 | This is in effect for leaf nodes using CFQ. | |
347 | The second is a throttling policy which specifies | |
348 | upper I/O rate limits on a device. | |
a721e8b2 | 349 | .IP |
860573ad MK |
350 | Further information can be found in the kernel source file |
351 | .IR Documentation/cgroup-v1/blkio-controller.txt . | |
352 | .TP | |
353 | .IR perf_event " (since Linux 2.6.39; " \fBCONFIG_CGROUP_PERF\fP ) | |
354 | This controller allows | |
355 | .I perf | |
356 | monitoring of the set of processes grouped in a cgroup. | |
a721e8b2 | 357 | .IP |
860573ad | 358 | Further information can be found in the kernel source file |
c174eb6a | 359 | .IR tools/perf/Documentation/perf-record.txt . |
860573ad MK |
360 | .TP |
361 | .IR net_prio " (since Linux 3.3; " \fBCONFIG_CGROUP_NET_PRIO\fP ) | |
362 | This allows priorities to be specified, per network interface, for cgroups. | |
a721e8b2 | 363 | .IP |
860573ad MK |
364 | Further information can be found in the kernel source file |
365 | .IR Documentation/cgroup-v1/net_prio.txt . | |
366 | .TP | |
367 | .IR hugetlb " (since Linux 3.5; " \fBCONFIG_CGROUP_HUGETLB\fP ) | |
368 | This supports limiting the use of huge pages by cgroups. | |
a721e8b2 | 369 | .IP |
860573ad MK |
370 | Further information can be found in the kernel source file |
371 | .IR Documentation/cgroup-v1/hugetlb.txt . | |
372 | .TP | |
373 | .IR pids " (since Linux 4.3; " \fBCONFIG_CGROUP_PIDS\fP ) | |
374 | This controller permits limiting the number of process that may be created | |
375 | in a cgroup (and its descendants). | |
a721e8b2 | 376 | .IP |
860573ad MK |
377 | Further information can be found in the kernel source file |
378 | .IR Documentation/cgroup-v1/pids.txt . | |
cfec905e NB |
379 | .TP |
380 | .IR rdma " (since Linux 4.11; " \fBCONFIG_CGROUP_RDMA\fP ) | |
d145c025 MK |
381 | The RDMA controller permits limiting the use of |
382 | RDMA/IB-specific resources per cgroup. | |
cfec905e NB |
383 | .IP |
384 | Further information can be found in the kernel source file | |
385 | .IR Documentation/cgroup-v1/rdma.txt . | |
860573ad | 386 | .\" |
6398ca15 | 387 | .SS Creating cgroups and moving processes |
9ed582ac | 388 | A cgroup filesystem initially contains a single root cgroup, '/', |
6398ca15 | 389 | which all processes belong to. |
21f0d132 | 390 | A new cgroup is created by creating a directory in the cgroup filesystem: |
a721e8b2 | 391 | .PP |
4769a778 MK |
392 | .in +4n |
393 | .EX | |
394 | mkdir /sys/fs/cgroup/cpu/cg1 | |
395 | .EE | |
396 | .in | |
a721e8b2 | 397 | .PP |
21f0d132 | 398 | This creates a new empty cgroup. |
a721e8b2 | 399 | .PP |
f524e7f8 | 400 | A process may be moved to this cgroup by writing its PID into the cgroup's |
21f0d132 | 401 | .I cgroup.procs |
21f0d132 | 402 | file: |
a721e8b2 | 403 | .PP |
4769a778 MK |
404 | .in +4n |
405 | .EX | |
406 | echo $$ > /sys/fs/cgroup/cpu/cg1/cgroup.procs | |
407 | .EE | |
408 | .in | |
a721e8b2 | 409 | .PP |
f524e7f8 | 410 | Only one PID at a time should be written to this file. |
a721e8b2 | 411 | .PP |
f524e7f8 MK |
412 | Writing the value 0 to a |
413 | .IR cgroup.procs | |
414 | file causes the writing process to be moved to the corresponding cgroup. | |
a721e8b2 | 415 | .PP |
6398ca15 MK |
416 | When writing a PID into the |
417 | .IR cgroup.procs , | |
87402a2e | 418 | all threads in the process are moved into the new cgroup at once. |
a721e8b2 | 419 | .PP |
f524e7f8 MK |
420 | Within a hierarchy, a process can be a member of exactly one cgroup. |
421 | Writing a process's PID to a | |
422 | .IR cgroup.procs | |
423 | file automatically removes it from the cgroup of | |
424 | which it was previously a member. | |
a721e8b2 | 425 | .PP |
f524e7f8 MK |
426 | The |
427 | .I cgroup.procs | |
428 | file can be read to obtain a list of the processes that are | |
429 | members of a cgroup. | |
430 | The returned list of PIDs is not guaranteed to be in order. | |
431 | Nor is it guaranteed to be free of duplicates. | |
432 | (For example, a PID may be recycled while reading from the list.) | |
a721e8b2 | 433 | .PP |
87402a2e MK |
434 | In cgroups v1 (but not cgroups v2), an individual thread can be moved to |
435 | another cgroup by writing its thread ID | |
436 | (i.e., the kernel thread ID returned by | |
437 | .BR clone (2) | |
438 | and | |
439 | .BR gettid (2)) | |
440 | to the | |
441 | .IR tasks | |
442 | file in a cgroup directory. | |
443 | This file can be read to discover the set of threads | |
444 | that are members of the cgroup. | |
445 | This file is not present in cgroup v2 directories. | |
b43be47e MK |
446 | .\" |
447 | .SS Removing cgroups | |
448 | To remove a cgroup, | |
449 | it must first have no child cgroups and contain no (nonzombie) processes. | |
450 | So long as that is the case, one can simply | |
451 | remove the corresponding directory pathname. | |
452 | Note that files in a cgroup directory cannot and need not be | |
453 | removed. | |
454 | .\" | |
88afe701 | 455 | .SS Cgroups v1 release notification |
23388d41 MK |
456 | Two files can be used to determine whether the kernel provides |
457 | notifications when a cgroup becomes empty. | |
458 | A cgroup is considered to be empty when it contains no child | |
459 | cgroups and no member processes. | |
a721e8b2 | 460 | .PP |
23388d41 | 461 | A special file in the root directory of each cgroup hierarchy, |
88afe701 | 462 | .IR release_agent , |
23388d41 MK |
463 | can be used to register the pathname of a program that may be invoked when |
464 | a cgroup in the hierarchy becomes empty. | |
465 | The pathname of the newly empty cgroup (relative to the cgroup mount point) | |
466 | is provided as the sole command-line argument when the | |
467 | .IR release_agent | |
468 | program is invoked. | |
469 | The | |
470 | .IR release_agent | |
471 | program might remove the cgroup directory, | |
472 | or perhaps repopulate with a process. | |
a721e8b2 | 473 | .PP |
23388d41 MK |
474 | The default value of the |
475 | .IR release_agent | |
476 | file is empty, meaning that no release agent is invoked. | |
a721e8b2 | 477 | .PP |
23388d41 MK |
478 | Whether or not the |
479 | .IR release_agent | |
480 | program is invoked when a particular cgroup becomes empty is determined | |
481 | by the value in the | |
88afe701 | 482 | .IR notify_on_release |
23388d41 MK |
483 | file in the corresponding cgroup directory. |
484 | If this file contains the value 0, then the | |
485 | .IR release_agent | |
486 | program is not invoked. | |
487 | If it contains the value 1, the | |
488 | .IR release_agent | |
489 | program is invoked. | |
490 | The default value for this file in the root cgroup is 0. | |
491 | At the time when a new cgroup is created, | |
492 | the value in this file is inherited from the corresponding file | |
493 | in the parent cgroup. | |
88afe701 | 494 | .\" |
5714ccee | 495 | .SH CGROUPS VERSION 2 |
b43be47e MK |
496 | In cgroups v2, |
497 | all mounted controllers reside in a single unified hierarchy. | |
498 | While (different) controllers may be simultaneously | |
499 | mounted under the v1 and v2 hierarchies, | |
500 | it is not possible to mount the same controller simultaneously | |
501 | under both the v1 and the v2 hierarchies. | |
a721e8b2 | 502 | .PP |
2befa495 MK |
503 | The new behaviors in cgroups v2 are summarized here, |
504 | and in some cases elaborated in the following subsections. | |
505 | .IP 1. 3 | |
a15e0673 | 506 | Cgroups v2 provides a unified hierarchy against |
dddb7ea1 MK |
507 | which all controllers are mounted. |
508 | .IP 2. | |
2befa495 MK |
509 | "Internal" processes are not permitted. |
510 | With the exception of the root cgroup, processes may reside | |
511 | only in leaf nodes (cgroups that do not themselves contain child cgroups). | |
4f017a68 | 512 | The details are somewhat more subtle than this, and are described below. |
dddb7ea1 | 513 | .IP 3. |
2befa495 MK |
514 | Active cgroups must be specified via the files |
515 | .IR cgroup.controllers | |
516 | and | |
517 | .IR cgroup.subtree_control . | |
dddb7ea1 | 518 | .IP 4. |
2befa495 MK |
519 | The |
520 | .I tasks | |
521 | file has been removed. | |
522 | In addition, the | |
523 | .I cgroup.clone_children | |
524 | file that is employed by the | |
525 | .I cpuset | |
526 | controller has been removed. | |
dddb7ea1 | 527 | .IP 5. |
2befa495 MK |
528 | An improved mechanism for notification of empty cgroups is provided by the |
529 | .IR cgroup.events | |
530 | file. | |
531 | .PP | |
532 | For more changes, see the | |
533 | .I Documentation/cgroup-v2.txt | |
534 | file in the kernel source. | |
e91d4f9e MK |
535 | .PP |
536 | Some of the new behaviors listed above saw subsequent modification with | |
537 | the addition in Linux 4.14 of "thread mode" (described below). | |
2befa495 | 538 | .\" |
dddb7ea1 MK |
539 | .SS Cgroups v2 unified hierarchy |
540 | In cgroups v1, the ability to mount different controllers | |
541 | against different hierarchies was intended to allow great flexibility | |
542 | for application design. | |
543 | In practice, though, the flexibility turned out to less useful than expected, | |
544 | and in many cases added complexity. | |
545 | Therefore, in cgroups v2, | |
546 | all available controllers are mounted against a single hierarchy. | |
547 | The available controllers are automatically mounted, | |
548 | meaning that it is not necessary (or possible) to specify the controllers | |
549 | when mounting the cgroup v2 filesystem using a command such as the following: | |
a721e8b2 | 550 | .PP |
4769a778 MK |
551 | .in +4n |
552 | .EX | |
553 | mount -t cgroup2 none /mnt/cgroup2 | |
554 | .EE | |
555 | .in | |
a721e8b2 | 556 | .PP |
dddb7ea1 MK |
557 | A cgroup v2 controller is available only if it is not currently in use |
558 | via a mount against a cgroup v1 hierarchy. | |
559 | Or, to put things another way, it is not possible to employ | |
560 | the same controller against both a v1 hierarchy and the unified v2 hierarchy. | |
57cbb0db MK |
561 | This means that it may be necessary first to unmount a v1 controller |
562 | (as described above) before that controller is available in v2. | |
563 | Since | |
564 | .BR systemd (1) | |
565 | makes heavy use of some v1 controllers by default, | |
566 | it can in some cases be simpler to boot the system with | |
567 | selected v1 controllers disabled. | |
568 | To do this, specify the | |
569 | .IR cgroup_no_v1=list | |
570 | option on the kernel boot command line; | |
571 | .I list | |
572 | is a comma-separated list of the names of the controllers to disable, | |
573 | or the word | |
574 | .I all | |
575 | to disable all v1 controllers. | |
576 | (This situation is correctly handled by | |
577 | .BR systemd (1), | |
578 | which falls back to operating without the specified controllers.) | |
03bb1264 MK |
579 | .PP |
580 | Note that on many modern systems, | |
581 | .BR systemd (1) | |
582 | automatically mounts the | |
583 | .I cgroup2 | |
584 | filesystem at | |
585 | .I /sys/fs/cgroup/unified | |
586 | during the boot process. | |
dddb7ea1 | 587 | .\" |
44c429ed MK |
588 | .SS Cgroups v2 controllers |
589 | The following controllers, documented in the kernel source file | |
590 | .IR Documentation/cgroup-v2.txt , | |
591 | are supported in cgroups version 2: | |
592 | .TP | |
593 | .IR io " (since Linux 4.5)" | |
594 | This is the successor of the version 1 | |
595 | .I blkio | |
596 | controller. | |
597 | .TP | |
598 | .IR memory " (since Linux 4.5)" | |
599 | This is the successor of the version 1 | |
600 | .I memory | |
601 | controller. | |
602 | .TP | |
603 | .IR pids " (since Linux 4.5)" | |
604 | This is the same as the version 1 | |
605 | .I pids | |
606 | controller. | |
607 | .TP | |
608 | .IR perf_event " (since Linux 4.11)" | |
f7286edc | 609 | This is the same as the version 1 |
44c429ed MK |
610 | .I perf_event |
611 | controller. | |
612 | .TP | |
613 | .IR rdma " (since Linux 4.11)" | |
614 | This is the same as the version 1 | |
615 | .I rdma | |
616 | controller. | |
617 | .TP | |
618 | .IR cpu " (since Linux 4.15)" | |
619 | This is the successor to the version 1 | |
620 | .I cpu | |
621 | and | |
622 | .I cpuacct | |
623 | controllers. | |
624 | .\" | |
2befa495 | 625 | .SS Cgroups v2 subtree control |
8d5f42dc MK |
626 | Each cgroup in the v2 hierarchy contains the following two files: |
627 | .TP | |
628 | .IR cgroup.controllers | |
629 | This is a list of the controllers that are | |
630 | .I available | |
631 | in this cgroup. | |
632 | The contents of this file match the contents of the | |
633 | .I cgroup.subtree_control | |
634 | file in the parent cgroup. | |
635 | .TP | |
636 | .I cgroup.subtree_control | |
637 | This is a list of controllers that are | |
638 | .IR active | |
639 | .RI ( enabled ) | |
640 | in the cgroup. | |
641 | The set of controllers in this file is a subset of the set in the | |
21f0d132 | 642 | .IR cgroup.controllers |
8d5f42dc MK |
643 | of this cgroup. |
644 | The set of active controllers is modified by writing strings to this file | |
645 | containing space-delimited controller names, | |
646 | each preceded by '+' (to enable a controller) | |
647 | or '\-' (to disable a controller), as in the following example: | |
648 | .IP | |
649 | .in +4n | |
650 | .EX | |
651 | echo '+pids -memory' > x/y/cgroup.subtree_control | |
652 | .EE | |
653 | .in | |
654 | .IP | |
c9b101d1 MK |
655 | An attempt to enable a controller |
656 | that is not present in | |
657 | .I cgroup.controllers | |
658 | leads to an | |
659 | .B ENOENT | |
660 | error when writing to the | |
661 | .I cgroup.subtree_control | |
662 | file. | |
663 | .PP | |
8d5f42dc MK |
664 | Because the list of controllers in |
665 | .I cgroup.subtree_control | |
666 | is a subset of those | |
667 | .IR cgroup.controllers , | |
668 | a controller that has been disabled in one cgroup in the hierarchy | |
669 | can never be re-enabled in the subtree below that cgroup. | |
670 | .PP | |
671 | A cgroup's | |
672 | .I cgroup.subtree_control | |
673 | file determines the set of controllers that are exercised in the | |
674 | .I child | |
675 | cgroups. | |
676 | When a controller (e.g., | |
677 | .IR pids ) | |
678 | is present in the | |
679 | .I cgroup.subtree_control | |
680 | file of a parent cgroup, | |
681 | then the corresponding controller-interface files (e.g., | |
682 | .IR pids.max ) | |
683 | are automatically created in the children of that cgroup | |
684 | and can be used to exert resource control in the child cgroups. | |
21f0d132 | 685 | .\" |
2468f14e MK |
686 | .SS Cgroups v2 """no internal processes""" rule |
687 | Cgroups v2 enforces a so-called "no internal processes" rule. | |
688 | Roughly speaking, this rule means that, | |
689 | with the exception of the root cgroup, processes may reside | |
690 | only in leaf nodes (cgroups that do not themselves contain child cgroups). | |
691 | This avoids the need to decide how to partition resources between | |
692 | processes which are members of cgroup A and processes in child cgroups of A. | |
693 | .PP | |
694 | For instance, if cgroup | |
695 | .I /cg1/cg2 | |
696 | exists, then a process may reside in | |
697 | .IR /cg1/cg2 , | |
698 | but not in | |
699 | .IR /cg1 . | |
700 | This is to avoid an ambiguity in cgroups v1 | |
701 | with respect to the delegation of resources between processes in | |
702 | .I /cg1 | |
703 | and its child cgroups. | |
704 | The recommended approach in cgroups v2 is to create a subdirectory called | |
705 | .I leaf | |
706 | for any nonleaf cgroup which should contain processes, but no child cgroups. | |
707 | Thus, processes which previously would have gone into | |
708 | .I /cg1 | |
709 | would now go into | |
710 | .IR /cg1/leaf . | |
711 | This has the advantage of making explicit | |
712 | the relationship between processes in | |
713 | .I /cg1/leaf | |
714 | and | |
715 | .IR /cg1 's | |
716 | other children. | |
717 | .PP | |
718 | The "no internal processes" rule is in fact more subtle than stated above. | |
719 | More precisely, the rule is that a (nonroot) cgroup can't both | |
720 | (1) have member processes, and | |
721 | (2) distribute resources into child cgroups\(emthat is, have a nonempty | |
722 | .I cgroup.subtree_control | |
723 | file. | |
724 | Thus, it | |
725 | .I is | |
726 | possible for a cgroup to have both member processes and child cgroups, | |
727 | but before controllers can be enabled for that cgroup, | |
728 | the member processes must be moved out of the cgroup | |
729 | (e.g., perhaps into the child cgroups). | |
e91d4f9e MK |
730 | .PP |
731 | With the Linux 4.14 addition of "thread mode" (described below), | |
732 | the "no internal processes" rule has been relaxed in some cases. | |
2468f14e | 733 | .\" |
754f4cf5 MK |
734 | .SS Cgroups v2 cgroup.events file |
735 | With cgroups v2, a new mechanism is provided to obtain notification | |
736 | about when a cgroup becomes empty. | |
737 | The cgroups v1 | |
738 | .IR release_agent | |
739 | and | |
740 | .IR notify_on_release | |
741 | files are removed, and replaced by a new, more general-purpose file, | |
742 | .IR cgroup.events . | |
e5bd7e65 | 743 | This read-only file contains key-value pairs |
754f4cf5 MK |
744 | (delimited by newline characters, with the key and value separated by spaces) |
745 | that identify events or state for a cgroup. | |
746 | Currently, only one key appears in this file, | |
747 | .IR populated , | |
748 | which has either the value 0, | |
749 | meaning that the cgroup (and its descendants) | |
750 | contain no (nonzombie) processes, | |
751 | or 1, meaning that the cgroup contains member processes. | |
a721e8b2 | 752 | .PP |
754f4cf5 MK |
753 | The |
754 | .IR cgroup.events | |
755 | file can be monitored, in order to receive notification when a cgroup | |
756 | transitions between the populated and unpopulated states (or vice versa). | |
757 | When monitoring this file using | |
758 | .BR inotify (7), | |
759 | transitions generate | |
760 | .BR IN_MODIFY | |
761 | events, and when monitoring the file using | |
762 | .BR poll (2), | |
763 | transitions generate | |
764 | .B POLLPRI | |
765 | events. | |
a721e8b2 | 766 | .PP |
ccb1a262 MK |
767 | The cgroups v2 release-notification mechanism provided by the |
768 | .I populated | |
769 | field of the | |
770 | .I cgroup.events | |
771 | file offers at least two advantages over the cgroups v1 | |
754f4cf5 MK |
772 | .IR release_agent |
773 | mechanism. | |
774 | First, it allows for cheaper notification, | |
775 | since a single process can monitor multiple | |
776 | .IR cgroup.events | |
777 | files. | |
778 | By contrast, the cgroups v1 mechanism requires the creation | |
779 | of a process for each notification. | |
a15e0673 | 780 | Second, notification can be delegated to a process that lives inside |
754f4cf5 | 781 | a container associated with the newly empty cgroup. |
c91a9f8a | 782 | .\" |
5e071499 MK |
783 | .SS Cgroups v2 cgroup.stat file |
784 | .\" commit ec39225cca42c05ac36853d11d28f877fde5c42e | |
785 | Each cgroup in the v2 hierarchy contains a read-only | |
786 | .IR cgroup.stat | |
787 | file (first introduced in Linux 4.14) | |
788 | that consists of lines containing key-value pairs. | |
789 | The following keys currently appear in this file: | |
790 | .TP | |
791 | .I nr_descendants | |
792 | This is the total number of visible (i.e., living) descendant cgroups | |
793 | underneath this cgroup. | |
794 | .TP | |
795 | .I nr_dying_descendants | |
796 | This is the total number of dying descendant cgroups | |
797 | underneath this cgroup. | |
798 | A cgroup enters the dying state after being deleted. | |
799 | It remains in that state for an undefined period | |
800 | (which will depend on system load) | |
c7f63e74 MK |
801 | while resources are freed before the cgroup is destroyed. |
802 | Note that the presence of some cgroups in the dying state is normal, | |
803 | and is not indicative of any problem. | |
5e071499 MK |
804 | .IP |
805 | A process can't be made a member of a dying cgroup, | |
806 | and a dying cgroup can't be brought back to life. | |
807 | .\" | |
5845e10b MK |
808 | .SS Limiting the number of descendant cgroups |
809 | Each cgroup in the v2 hierarchy contains the following files, | |
810 | which can be used to view and set limits on the number | |
811 | of descendant cgroups under that cgroup: | |
812 | .TP | |
813 | .IR cgroup.max.depth " (since Linux 4.14)" | |
814 | .\" commit 1a926e0bbab83bae8207d05a533173425e0496d1 | |
815 | This file defines a limit on the depth of nesting of descendant cgroups. | |
816 | A value of 0 in this file means that no descendant cgroups can be created. | |
817 | An attempt to create a descendant whose nesting level exceeds | |
818 | the limit fails | |
819 | .RI ( mkdir (2) | |
820 | fails with the error | |
821 | .BR EAGAIN ). | |
822 | .IP | |
823 | Writing the string | |
824 | .IR """max""" | |
825 | to this file means that no limit is imposed. | |
826 | The default value in this file is | |
827 | .IR """max""" . | |
828 | .TP | |
829 | .IR cgroup.max.descendants " (since Linux 4.14)" | |
830 | .\" commit 1a926e0bbab83bae8207d05a533173425e0496d1 | |
831 | This file defines a limit on the number of live descendant cgroups that | |
832 | this cgroup may have. | |
833 | An attempt to create more descendants than allowed by the limit fails | |
834 | .RI ( mkdir (2) | |
835 | fails with the error | |
836 | .BR EAGAIN ). | |
837 | .IP | |
838 | Writing the string | |
839 | .IR """max""" | |
840 | to this file means that no limit is imposed. | |
841 | The default value in this file is | |
842 | .IR """max""" . | |
843 | .\" | |
148e0800 | 844 | .SS Cgroups v2 delegation: delegation to a less privileged user |
4242dfbe MK |
845 | In the context of cgroups, |
846 | delegation means passing management of some subtree | |
847 | of the cgroup hierarchy to a nonprivileged process. | |
848 | Cgroups v1 provides support for delegation that was | |
849 | accidental and not fully secure. | |
850 | Cgroups v2 supports delegation by explicit design. | |
851 | .PP | |
852 | Some terminology is required in order to describe delegation. | |
853 | A | |
854 | .I delegater | |
855 | is a privileged user (i.e., root) who owns a parent cgroup. | |
856 | A | |
857 | .I delegatee | |
858 | is a nonprivileged user who will be granted the permissions needed | |
859 | to manage some subhierarchy under that parent cgroup, | |
860 | known as the | |
861 | .IR "delegated subtree" . | |
862 | .PP | |
863 | To perform delegation, | |
864 | the delegater makes certain directories and files writable by the delegatee, | |
865 | typically by changing the ownership of the objects to be the user ID | |
866 | of the delegatee. | |
0735069b MK |
867 | Assuming that we want to delegate the hierarchy rooted at (say) |
868 | .I /dlgt_grp | |
4242dfbe MK |
869 | and that there are not yet any child cgroups under that cgroup, |
870 | the ownership of the following is changed to the user ID of the delegatee: | |
871 | .TP | |
0735069b | 872 | .IR /dlgt_grp |
4242dfbe MK |
873 | Changing the ownership of the root of the subtree means that any new |
874 | cgroups created under the subtree (and the files they contain) | |
875 | will also be owned by the delegatee. | |
876 | .TP | |
0735069b | 877 | .IR /dlgt_grp/cgroup.procs |
f7286edc | 878 | Changing the ownership of this file means that the delegatee |
4242dfbe MK |
879 | can move processes into the root of the delegated subtree. |
880 | .TP | |
0735069b | 881 | .IR /dlgt_grp/cgroup.subtree_control |
e5936eb6 MK |
882 | Changing the ownership of this file means that that the delegatee |
883 | can enable controllers (that are present in | |
0735069b | 884 | .IR /dlgt_grp/cgroup.controllers ) |
4242dfbe | 885 | in order to further redistribute resources at lower levels in the subtree. |
e5936eb6 MK |
886 | (As an alternative to changing the ownership of this file, |
887 | the delegater might instead add selected controllers to this file.) | |
4242dfbe MK |
888 | .PP |
889 | The delegater should | |
890 | .I not | |
891 | change the ownership of any of the controller interfaces files (e.g., | |
892 | .IR pids.max , | |
893 | .IR memory.high ) | |
894 | in | |
0735069b | 895 | .IR dlgt_grp . |
4242dfbe MK |
896 | Those files are used from the next level above the delegated subtree |
897 | in order to distribute resources into the subtree, | |
898 | and the delegatee should not have permission to change | |
899 | the resources that are distributed into the delegated subtree. | |
900 | .PP | |
668ef765 MK |
901 | See also the discussion of the |
902 | .IR /sys/kernel/cgroup/delegate | |
903 | file in NOTES. | |
904 | .PP | |
4242dfbe MK |
905 | After the aforementioned steps have been performed, |
906 | the delegatee can create child cgroups within the delegated subtree | |
907 | and move processes between cgroups in the subtree. | |
908 | If some controllers are present in | |
0735069b | 909 | .IR dlgt_grp/cgroup.subtree_control , |
4242dfbe | 910 | or the ownership of that file was passed to the delegatee, |
f7286edc | 911 | the delegatee can also control the further redistribution |
4242dfbe | 912 | of the corresponding resources into the delegated subtree. |
27b086e9 | 913 | .\" |
ed3f4f34 MK |
914 | .SS Cgroups v2 delegation: nsdelegate and cgroup namespaces |
915 | .\" | |
916 | .\" To test this, it can be useful to boot the kernel with the options: | |
917 | .\" | |
918 | .\" cgroup_no_v1=all systemd.legacy_systemd_cgroup_controller | |
919 | .\" | |
920 | .\" The effect of the latter option is to prevent systemd from employing | |
921 | .\" its "hybrid" cgroup mode, where it tries to make use of cgroups v2. | |
922 | .\" | |
923 | Starting with Linux 4.13, | |
924 | .\" commit 5136f6365ce3eace5a926e10f16ed2a233db5ba9 | |
925 | there is a second way to perform cgroup delegation. | |
926 | This is done by mounting the cgroup v2 filesystem with the | |
927 | .I nsdelegate | |
928 | mount option: | |
929 | .PP | |
930 | .in +4n | |
931 | .EX | |
932 | $ mount -t cgroup2 -o nsdelegate none /sys/fs/cgroup/unified | |
933 | .EE | |
934 | .in | |
935 | .PP | |
936 | The effect of this option is to cause cgroup namespaces | |
937 | to automatically become delegation boundaries. | |
938 | More specifically, | |
939 | the following restrictions apply for processes inside the cgroup namespace: | |
940 | .IP * 3 | |
941 | Writes to controller interface files in the root directory | |
942 | will fail with the error | |
943 | .BR EPERM . | |
944 | Processes inside the cgroup namespace can still write to delegatable | |
945 | files such as | |
946 | .IR cgroup.procs | |
947 | and | |
948 | .IR cgroup.subtree_control , | |
949 | and can create subhierarchy underneath the root directory of | |
950 | the cgroup namespace. | |
951 | .IP * | |
952 | Attempts to migrate processes across the namespace boundary are denied | |
953 | (with the error | |
954 | .BR ENOENT ). | |
955 | Processes inside the cgroup namespace can still | |
956 | (subject to the containment rules described below) | |
957 | move processes between cgroups | |
958 | .I within | |
959 | the subhierarchy under the namespace root. | |
960 | .PP | |
961 | The ability to define cgroup namespaces as delegation boundaries | |
962 | makes cgroup namespaces more useful. | |
963 | To understand why, suppose that we already have one cgroup hierarchy | |
964 | that has been delegated to a nonprivileged user, | |
965 | .IR cecilia , | |
966 | using the older delegation technique described above. | |
967 | Suppose further that | |
968 | .I cecilia | |
969 | wanted to further delegate a subhierarchy | |
970 | under the existing delegated hierarchy. | |
971 | (For example, the delegated hierarchy might be associated with | |
972 | an unprivileged container run by | |
973 | .IR cecilia .) | |
974 | Even if a cgroup namespace was employed, | |
975 | because both hierarchies are owned by the unprivileged user | |
976 | .IR cecilia , | |
977 | the following illegitimate actions could be performed: | |
978 | .IP * 3 | |
979 | A process in the inferior hierarchy could change the | |
980 | resource controller settings in the root directory of the that hierarchy. | |
981 | (These resource controller settings are intended to allow control to | |
982 | be exercised from the | |
983 | .I parent | |
984 | cgroup; | |
985 | a process inside the child cgroup should not be allowed to modify them.) | |
986 | .IP * | |
987 | A process inside the inferior hierarchy could move processes | |
988 | into and out of the inferior hierarchy if the cgroups in the | |
989 | superior hierarchy were somehow visible. | |
990 | .PP | |
991 | Employing the | |
992 | .I nsdelegate | |
993 | mount option prevents both of these possibilities. | |
994 | .PP | |
995 | The | |
996 | .I nsdelegate | |
997 | mount option only has an effect when performed in | |
998 | the initial mount namespace; | |
999 | in other mount namespaces, the option is silently ignored. | |
1000 | .\" | |
27b086e9 | 1001 | .SS Cgroup v2 delegation containment rules |
4242dfbe MK |
1002 | Some delegation |
1003 | .IR "containment rules" | |
1004 | ensure that the delegatee can move processes between cgroups within the | |
1005 | delegated subtree, | |
1006 | but can't move processes from outside the delegated subtree into | |
1007 | the subtree or vice versa. | |
1008 | A nonprivileged process (i.e., the delegatee) can write the PID of | |
1009 | a "target" process into a | |
1010 | .IR cgroup.procs | |
1011 | file only if all of the following are true: | |
1012 | .IP * 3 | |
4242dfbe MK |
1013 | The writer has write permission on the |
1014 | .I cgroup.procs | |
1015 | file in the destination cgroup. | |
1016 | .IP * | |
1017 | The writer has write permission on the | |
1018 | .I cgroup.procs | |
1019 | file in the common ancestor of the source and destination cgroups. | |
1020 | (In some cases, | |
1021 | the common ancestor may be the source or destination cgroup itself.) | |
28f612ea | 1022 | .IP * |
ed3f4f34 MK |
1023 | If the cgroup v2 filesystem was mounted with the |
1024 | .I nsdelegate | |
1025 | option, the writer must be able to see the source and destination cgroup | |
1026 | from its cgroup namespace. | |
1027 | .IP * | |
28f612ea MK |
1028 | Before Linux 4.11: |
1029 | .\" commit 576dd464505fc53d501bb94569db76f220104d28 | |
1030 | the effective UID of the writer (i.e., the delegatee) matches the | |
1031 | real user ID or the saved set-user-ID of the target process. | |
1032 | (This was a historical requirement inherited from cgroups v1 | |
1033 | that was later deemed unnecessary, | |
1034 | since the other rules suffice for containment in cgroups v2.) | |
4242dfbe MK |
1035 | .PP |
1036 | .IR Note : | |
1037 | one consequence of these delegation containment rules is that the | |
0735069b MK |
1038 | unprivileged delegatee can't place the first process into |
1039 | the delegated subtree; | |
1040 | instead, the delegater must place the first process | |
1041 | (a process owned by the delegatee) into the delegated subtree. | |
4242dfbe | 1042 | .\" |
75e83bc2 | 1043 | .SH CGROUPS VERSION 2 THREAD MODE |
c8902e25 MK |
1044 | Among the restrictions imposed by cgroups v2 that were not present |
1045 | in cgroups v1 are the following: | |
1046 | .IP * 3 | |
1047 | .IR "No thread-granularity control" : | |
1048 | all of the threads of a process must be in the same cgroup. | |
1049 | .IP * | |
1050 | .IR "No internal processes" : | |
1051 | a cgroup can't both have member processes and | |
1052 | exercise controllers on child cgroups. | |
1053 | .PP | |
1054 | Both of these restrictions were added because | |
1055 | the lack of these restrictions had caused problems | |
1056 | in cgroups v1. | |
1057 | In particular, the cgroups v1 ability to allow thread-level granularity | |
1058 | for cgroup membership made no sense for some controllers. | |
1059 | (A notable example was the | |
1060 | .I memory | |
1061 | controller: since threads share an address space, | |
1062 | it made no sense to split threads across different | |
1063 | .I memory | |
1064 | cgroups.) | |
1065 | .PP | |
1066 | Notwithstanding the initial design decision in cgroups v2, | |
1067 | there were use cases for certain controllers, notably the | |
1068 | .IR cpu | |
1069 | controller, | |
1070 | for which thread-level granularity of control was meaningful and useful. | |
1071 | To accommodate such use cases, Linux 4.14 added | |
1072 | .I "thread mode" | |
1073 | for cgroups v2. | |
1074 | .PP | |
1075 | Thread mode allows the following: | |
1076 | .IP * 3 | |
1077 | The creation of | |
1078 | .IR "threaded subtrees" | |
1079 | in which the threads of a process may | |
1080 | be spread across cgroups inside the tree. | |
1081 | (A threaded subtree may contain multiple multithreaded processes.) | |
1082 | .IP * | |
1083 | The concept of | |
1084 | .IR "threaded controllers", | |
1085 | which can distribute resources across the cgroups in a threaded subtree. | |
1086 | .IP * | |
1087 | A relaxation of the "no internal processes rule", | |
1088 | so that, within a threaded subtree, | |
1089 | a cgroup can both contain member threads and | |
1090 | exercise resource control over child cgroups. | |
1091 | .PP | |
1092 | With the addition of thread mode, | |
1093 | each nonroot cgroup now contains a new file, | |
1094 | .IR cgroup.type , | |
1095 | that exposes, and in some circumstances can be used to change, | |
1096 | the "type" of a cgroup. | |
1097 | This file contains one of the following type values: | |
1098 | .TP | |
1099 | .I "domain" | |
1100 | This is a normal v2 cgroup that provides process-granularity control. | |
1101 | If a process is a member of this cgroup, | |
1102 | then all threads of the process are (by definition) in the same cgroup. | |
1103 | This is the default cgroup type, | |
1104 | and provides the same behavior that was provided for | |
1105 | cgroups in the initial cgroups v2 implementation. | |
1106 | .TP | |
1107 | .I "threaded" | |
1108 | This cgroup is a member of a threaded subtree. | |
1109 | Threads can be added to this cgroup, | |
1110 | and controllers can be enabled for the cgroup. | |
1111 | .TP | |
1112 | .I "domain threaded" | |
1113 | This is a domain cgroup that serves as the root of a threaded subtree. | |
1114 | This cgroup type is also known as "threaded root". | |
1115 | .TP | |
1116 | .I "domain invalid" | |
1117 | This is a cgroup inside a threaded subtree | |
1118 | that is in an "invalid" state. | |
1119 | Processes can't be added to the cgroup, | |
1120 | and controllers can't be enabled for the cgroup. | |
1121 | The only thing that can be done with this cgroup (other than deleting it) | |
1122 | is to convert it to a | |
1123 | .IR threaded | |
1124 | cgroup by writing the string | |
1125 | .IR """threaded""" | |
1126 | to the | |
1127 | .I cgroup.type | |
1128 | file. | |
1129 | .\" | |
1130 | .SS Threaded versus domain controllers | |
1131 | With the addition of threads mode, | |
1132 | cgroups v2 now distinguishes two types of resource controllers: | |
1133 | .IP * 3 | |
1134 | .I Threaded | |
1135 | controllers: these controllers support thread-granularity for | |
1136 | resource control and can be enabled inside threaded subtrees, | |
1137 | with the result that the corresponding controller-interface files | |
1138 | appear inside the cgroups in the threaded subtree. | |
1139 | As at Linux 4.15, the following controllers are threaded: | |
1140 | .IR cpu , | |
1141 | .IR perf_event , | |
1142 | and | |
1143 | .IR pids . | |
1144 | .IP * | |
1145 | .I Domain | |
1146 | controllers: these controllers support only process granularity | |
1147 | for resource control. | |
1148 | From the perspective of a domain controller, | |
1149 | all threads of a process are always in the same cgroup. | |
1150 | Domain controllers can't be enabled inside a threaded subtree. | |
1151 | .\" | |
1152 | .SS Creating a threaded subtree | |
1153 | There are two pathways that lead to the creation of a threaded subtree. | |
1154 | The first pathway proceeds as follows: | |
1155 | .IP 1. 3 | |
1156 | We write the string | |
1157 | .IR """threaded""" | |
1158 | to the | |
1159 | .I cgroup.type | |
1160 | file of a cgroup | |
1161 | .IR y/z | |
1162 | that currently has the type | |
1163 | .IR domain . | |
1164 | This has the following effects: | |
1165 | .RS | |
1166 | .IP * 3 | |
1167 | The type of the cgroup | |
1168 | .IR y/z | |
1169 | becomes | |
1170 | .IR threaded . | |
1171 | .IP * | |
1172 | The type of the parent cgroup, | |
1173 | .IR y , | |
1174 | becomes | |
1175 | .IR "domain threaded" . | |
1176 | The parent cgroup is the root of a threaded subtree | |
1177 | (also known as the "threaded root"). | |
1178 | .IP * | |
1179 | All other cgroups under | |
1180 | .IR y | |
1181 | that were not already of type | |
1182 | .IR threaded | |
1183 | (because they were inside already existing threaded subtrees | |
1184 | under the new threaded root) | |
1185 | are converted to type | |
1186 | .IR "domain invalid" . | |
1187 | Any subsequently created cgroups under | |
1188 | .I y | |
1189 | will also have the type | |
1190 | .IR "domain invalid" . | |
1191 | .RE | |
1192 | .IP 2. | |
1193 | We write the string | |
1194 | .IR """threaded""" | |
1195 | to each of the | |
1196 | .IR "domain invalid" | |
1197 | cgroups under | |
1198 | .IR y , | |
1199 | in order to convert them to the type | |
1200 | .IR threaded . | |
1201 | As a consequence of this step, all threads under the threaded root | |
1202 | now have the type | |
1203 | .IR threaded | |
1204 | and the threaded subtree is now fully usable. | |
1205 | The requirement to write | |
1206 | .IR """threaded""" | |
1207 | to each of these cgroups is somewhat cumbersome, | |
1208 | but allows for possible future extensions to the thread-mode model. | |
1209 | .PP | |
1210 | The second way of creating a threaded subtree is as follows: | |
1211 | .IP 1. 3 | |
1212 | In an existing cgroup, | |
1213 | .IR z , | |
1214 | that currently has the type | |
1215 | .IR domain , | |
1216 | we (1) enable one or more threaded controllers and | |
1217 | (2) make a process a member of | |
1218 | .IR z . | |
1219 | (These two steps can be done in either order.) | |
1220 | This has the following consequences: | |
1221 | .RS | |
1222 | .IP * 3 | |
1223 | The type of | |
1224 | .I z | |
1225 | becomes | |
1226 | .IR "domain threaded" . | |
1227 | .IP * | |
1228 | All of the descendant cgroups of | |
1229 | .I x | |
1230 | that are were not already of type | |
1231 | .IR threaded | |
1232 | are converted to type | |
1233 | .IR "domain invalid" . | |
1234 | .RE | |
1235 | .IP 2. | |
1236 | As before, we make the threaded subtree usable by writing the string | |
1237 | .IR """threaded""" | |
1238 | to each of the | |
1239 | .IR "domain invalid" | |
1240 | cgroups under | |
1241 | .IR y , | |
1242 | in order to convert them to the type | |
1243 | .IR threaded . | |
1244 | .PP | |
1245 | One of the consequences of the above pathways to creating a threaded subtree | |
1246 | is that the threaded root cgroup can be a parent only to | |
1247 | .I threaded | |
1248 | (and | |
1249 | .IR "domain invalid" ) | |
1250 | cgroups. | |
1251 | The threaded root cgroup can't be a parent of a | |
1252 | .I domain | |
1253 | cgroups, and a | |
1254 | .I threaded | |
1255 | cgroup | |
1256 | can't have a sibling that is a | |
1257 | .I domain | |
1258 | cgroup. | |
1259 | .\" | |
1260 | .SS Using a threaded subtree | |
1261 | Within a threaded subtree, threaded controllers can be enabled | |
1262 | in each subgroup whose type has been changed to | |
1263 | .IR threaded ; | |
1264 | upon doing so, the corresponding controller interface files | |
1265 | appear in the children of that cgroup. | |
1266 | .PP | |
1267 | A process can be moved into a threaded subtree by writing its PID to the | |
1268 | .I cgroup.procs | |
1269 | file in one of the cgroups inside the tree. | |
1270 | This has the effect of making all of the threads | |
1271 | in the process members of the corresponding cgroup | |
1272 | and makes the process a member of the threaded subtree. | |
1273 | The threads of the process can then be spread across | |
1274 | the threaded subtree by writing their thread IDs (see | |
1275 | .BR gettid (2)) | |
1276 | to the | |
1277 | cgroup.threads | |
1278 | files in different cgroups inside the subtree. | |
1279 | The threads of a process must all reside in the same threaded subtree. | |
1280 | .PP | |
1281 | The | |
1282 | cgroup.threads | |
1283 | file is present in each cgroup (including | |
1284 | .I domain | |
1285 | cgroups) and can be read in order to discover the set of threads | |
1286 | that is present in the cgroup. | |
1287 | The set of thread IDs obtained when reading this file | |
1288 | is not guaranteed to be ordered or free of duplicates. | |
1289 | .PP | |
1290 | The | |
1291 | .I cgroup.procs | |
1292 | file in the threaded root shows the PIDs of all processes | |
1293 | that are members of the threaded subtree. | |
1294 | The | |
1295 | .I cgroup.procs | |
1296 | files in the other cgroups in the subtree are not readable. | |
1297 | .PP | |
1298 | Domain controllers can't be enabled in a threaded subtree; | |
1299 | no controller-interface files appear inside the cgroups underneath the | |
1300 | threaded root. | |
1301 | From the point of view of a domain controller, | |
1302 | threaded subtrees are invisible: | |
1303 | a multithreaded process inside a threaded subtree appears to a domain | |
1304 | controller as a process that resides in the threaded root cgroup. | |
1305 | .PP | |
1306 | Within a threaded subtree, the "no internal processes" rule does not apply: | |
1307 | a cgroup can both contain member processes (or thread) | |
1308 | and exercise controllers on child cgroups. | |
1309 | .\" | |
1310 | .SS Rules for writing to cgroup.type and creating threaded subtrees | |
1311 | A number of rules apply when writing to the | |
1312 | .I cgroup.type | |
1313 | file: | |
1314 | .IP * 3 | |
1315 | Only the string | |
1316 | .IR """threaded""" | |
1317 | may be written. | |
1318 | In other words, the only explicit transition that is possible is to convert a | |
1319 | .I domain | |
1320 | cgroup to type | |
1321 | .IR threaded . | |
1322 | .IP * | |
1323 | The string | |
1324 | .IR """threaded""" | |
1325 | can be written only if the current value in | |
1326 | .IR cgroup.type | |
1327 | is one of the following | |
1328 | .RS | |
1329 | .IP \(bu 3 | |
1330 | .IR domain , | |
1331 | to start the creation of a threaded subtree via | |
1332 | the first of the pathways described above; | |
1333 | .IP \(bu | |
1334 | .IR "domain\ invalid" , | |
1335 | to convert one of the cgroups in a threaded subtree into a usable (i.e., | |
1336 | .IR threaded ) | |
1337 | state; | |
1338 | .IP \(bu | |
1339 | .IR threaded , | |
1340 | which has no effect (a "no-op"). | |
1341 | .RE | |
1342 | .IP * | |
1343 | We can't write to a | |
1344 | .I cgroup.type | |
1345 | file if the parent's type is | |
1346 | .IR "domain invalid" . | |
1347 | In other words, the cgroups of a threaded subtree must be converted to the | |
1348 | .I threaded | |
1349 | state in a top-down manner. | |
1350 | .PP | |
00c27092 | 1351 | There are also some constraints that must be satisfied |
c8902e25 MK |
1352 | in order to create a threaded subtree rooted at the cgroup |
1353 | .IR x : | |
1354 | .IP * 3 | |
1355 | There can be no member processes in the descendant cgroups of | |
1356 | .IR x . | |
1357 | (The cgroup | |
1358 | .I x | |
1359 | can itself have member processes.) | |
1360 | .IP * | |
1361 | No domain controllers may be enabled in | |
1362 | .IR x 's | |
1363 | .IR cgroup.subtree_control | |
1364 | file. | |
c8902e25 MK |
1365 | .PP |
1366 | If any of the above constraints is violated, then an attempt to write | |
1367 | .IR """threaded""" | |
1368 | to a | |
1369 | .IR cgroup.type | |
1370 | file fails with the error | |
1371 | .BR ENOTSUP . | |
1372 | .\" | |
1373 | .SS The """domain threaded""" cgroup type | |
1374 | According to the pathways described above, | |
1375 | the type of a cgroup can change to | |
1376 | .IR "domain threaded" | |
1377 | in either of the following cases: | |
1378 | .IP * 3 | |
1379 | The string | |
1380 | .IR """threaded""" | |
1381 | is written to a child cgroup. | |
1382 | .IP * | |
1383 | A threaded controller is enabled inside the cgroup and | |
1384 | a process is made a member of the cgroup. | |
1385 | .PP | |
1386 | A | |
1387 | .IR "domain threaded" | |
1388 | cgroup, | |
1389 | .IR x , | |
1390 | can revert to the type | |
1391 | .IR domain | |
1392 | if the above conditions no longer hold true\(emthat is, if all | |
1393 | .I threaded | |
1394 | child cgroups of | |
1395 | .I x | |
1396 | are removed and either | |
1397 | .I x | |
1398 | no longer has threaded controllers enabled or | |
1399 | no longer has member processes. | |
1400 | .PP | |
1401 | When a | |
1402 | .IR "domain threaded" | |
1403 | cgroup | |
1404 | .IR x | |
1405 | reverts to the type | |
1406 | .IR domain : | |
1407 | .IP * 3 | |
1408 | All | |
1409 | .IR "domain invalid" | |
1410 | descendants of | |
1411 | .I x | |
1412 | that are not in lower-level threaded subtrees revert to the type | |
1413 | .IR domain . | |
1414 | .IP * | |
1415 | The root cgroups in any lower-level threaded subtrees revert to the type | |
1416 | .IR "domain threaded" . | |
1417 | .\" | |
1418 | .SS Exceptions for the root cgroup | |
1419 | The root cgroup of the v2 hierarchy is treated exceptionally: | |
1420 | it can be the parent of both | |
1421 | .I domain | |
1422 | and | |
1423 | .I threaded | |
1424 | cgroups. | |
1425 | If the string | |
1426 | .I """threaded""" | |
1427 | is written to the | |
1428 | .I cgroup.type | |
1429 | file of one of the children of the root cgroup, then | |
1430 | .IP * 3 | |
1431 | The type of that cgroup becomes | |
1432 | .IR threaded . | |
1433 | .IP * | |
1434 | The type of any descendants of that cgroup that | |
1435 | are not part of lower-level threaded subtrees changes to | |
1436 | .IR "domain invalid" . | |
1437 | .PP | |
1438 | Note that in this case, there is no cgroup whose type becomes | |
1439 | .IR "domain threaded" . | |
1440 | (Notionally, the root cgroup can be considered as the threaded root | |
1441 | for the cgroup whose type was changed to | |
1442 | .IR threaded .) | |
1443 | .PP | |
1444 | The aim of this exceptional treatment for the root cgroup is to | |
1445 | allow a threaded cgroup that employs the | |
1446 | .I cpu | |
1447 | controller to be placed as high as possible in the hierarchy, | |
1448 | so as to minimize the (small) cost of traversing the cgroup hierarchy. | |
1449 | .\" | |
1450 | .SS The cgroups v2 """cpu""" controller and realtime processes | |
1451 | As at Linux 4.15, the cgroups v2 | |
1452 | .I cpu | |
1453 | controller does not support control of realtime processes, | |
1454 | and the controller can be enabled in the root cgroup only | |
1455 | if all realtime threads are in the root cgroup. | |
1456 | (If there are realtime processes in nonroot cgroups, then a | |
1457 | .BR write (2) | |
1458 | of the string | |
1459 | .IR """+cpu""" | |
1460 | to the | |
1461 | .I cgroup.subtree_control | |
1462 | file fails with the error | |
1463 | .BR EINVAL . | |
1464 | However, on some systems, | |
1465 | .BR systemd (1) | |
1466 | places certain realtime processes in nonroot cgroups in the v2 hierarchy. | |
1467 | On such systems, | |
1468 | these processes must first be moved to the root cgroup before the | |
1469 | .I cpu | |
1470 | controller can be enabled. | |
1471 | .\" | |
1472 | .SH ERRORS | |
1473 | The following errors can occur for | |
1474 | .BR mount (2): | |
1475 | .TP | |
1476 | .B EBUSY | |
1477 | An attempt to mount a cgroup version 1 filesystem specified neither the | |
1478 | .I name= | |
1479 | option (to mount a named hierarchy) nor a controller name (or | |
1480 | .IR all ). | |
1481 | .SH NOTES | |
1482 | A child process created via | |
1483 | .BR fork (2) | |
1484 | inherits its parent's cgroup memberships. | |
1485 | A process's cgroup memberships are preserved across | |
1486 | .BR execve (2). | |
1487 | .\" | |
5c2181ad MK |
1488 | .SS /proc files |
1489 | .TP | |
34eb3340 | 1490 | .IR /proc/cgroups " (since Linux 2.6.24)" |
92bb6d36 | 1491 | This file contains information about the controllers |
1a4f7d59 | 1492 | that are compiled into the kernel. |
34eb3340 MK |
1493 | An example of the contents of this file (reformatted for readability) |
1494 | is the following: | |
a721e8b2 | 1495 | .IP |
34eb3340 | 1496 | .in +4n |
b8302363 | 1497 | .EX |
4580c2f6 MK |
1498 | #subsys_name hierarchy num_cgroups enabled |
1499 | cpuset 4 1 1 | |
1500 | cpu 8 1 1 | |
1501 | cpuacct 8 1 1 | |
1502 | blkio 6 1 1 | |
1503 | memory 3 1 1 | |
1504 | devices 10 84 1 | |
1505 | freezer 7 1 1 | |
1506 | net_cls 9 1 1 | |
1507 | perf_event 5 1 1 | |
1508 | net_prio 9 1 1 | |
1509 | hugetlb 0 1 0 | |
1510 | pids 2 1 1 | |
b8302363 | 1511 | .EE |
e646a1ba | 1512 | .in |
a721e8b2 | 1513 | .IP |
34eb3340 MK |
1514 | The fields in this file are, from left to right: |
1515 | .RS | |
1516 | .IP 1. 3 | |
1517 | The name of the controller. | |
1518 | .IP 2. | |
92bb6d36 | 1519 | The unique ID of the cgroup hierarchy on which this controller is mounted. |
11c0797f | 1520 | If multiple cgroups v1 controllers are bound to the same hierarchy, |
34eb3340 | 1521 | then each will show the same hierarchy ID in this field. |
92bb6d36 MK |
1522 | The value in this field will be 0 if: |
1523 | .RS 5 | |
1524 | .IP a) 3 | |
1525 | the controller is not mounted on a cgroups v1 hierarchy; | |
1526 | .IP b) | |
1527 | the controller is bound to the cgroups v2 single unified hierarchy; or | |
1528 | .IP c) | |
1529 | the controller is disabled (see below). | |
1530 | .RE | |
34eb3340 MK |
1531 | .IP 3. |
1532 | The number of control groups in this hierarchy using this controller. | |
1533 | .IP 4. | |
1534 | This field contains the value 1 if this controller is enabled, | |
1535 | or 0 if it has been disabled (via the | |
1536 | .IR cgroup_disable | |
1537 | kernel command-line boot parameter). | |
1538 | .RE | |
1539 | .TP | |
5c2181ad | 1540 | .IR /proc/[pid]/cgroup " (since Linux 2.6.24)" |
f5faa016 MK |
1541 | This file describes control groups to which the process |
1542 | with the corresponding PID belongs. | |
5f8a7eb2 | 1543 | The displayed information differs for |
2c4fbe35 | 1544 | cgroups version 1 and version 2 hierarchies. |
a721e8b2 | 1545 | .IP |
5f8a7eb2 | 1546 | For each cgroup hierarchy of which the process is a member, |
2e33b59e | 1547 | there is one entry containing three colon-separated fields: |
a721e8b2 | 1548 | .IP |
4769a778 MK |
1549 | .in +4n |
1550 | .EX | |
1551 | hierarchy-ID:controller-list:cgroup-path | |
1552 | .EE | |
1553 | .in | |
a721e8b2 | 1554 | .IP |
5f8a7eb2 | 1555 | For example: |
c1a022dc MK |
1556 | .IP |
1557 | .in +4n | |
1558 | .EX | |
1559 | 5:cpuacct,cpu,cpuset:/daemons | |
1560 | .EE | |
1561 | .in | |
5c2181ad MK |
1562 | .IP |
1563 | The colon-separated fields are, from left to right: | |
5f8a7eb2 | 1564 | .RS |
5c2181ad | 1565 | .IP 1. 3 |
5f8a7eb2 MK |
1566 | For cgroups version 1 hierarchies, |
1567 | this field contains a unique hierarchy ID number | |
1568 | that can be matched to a hierarchy ID in | |
1569 | .IR /proc/cgroups . | |
1570 | For the cgroups version 2 hierarchy, this field contains the value 0. | |
5c2181ad | 1571 | .IP 2. |
5f8a7eb2 | 1572 | For cgroups version 1 hierarchies, |
55f52de8 | 1573 | this field contains a comma-separated list of the controllers |
5f8a7eb2 MK |
1574 | bound to the hierarchy. |
1575 | For the cgroups version 2 hierarchy, this field is empty. | |
5c2181ad | 1576 | .IP 3. |
5f8a7eb2 MK |
1577 | This field contains the pathname of the control group in the hierarchy |
1578 | to which the process belongs. | |
1579 | This pathname is relative to the mount point of the hierarchy. | |
5c2181ad | 1580 | .RE |
668ef765 MK |
1581 | .\" |
1582 | .SS /sys/kernel/cgroup files | |
1583 | .TP | |
1584 | .IR /sys/kernel/cgroup/delegate " (since Linux 4.15)" | |
1585 | .\" commit 01ee6cfb1483fe57c9cbd8e73817dfbf9bacffd3 | |
1586 | This file exports a list of the cgroups v2 files | |
1587 | (one per line) that are delegatable | |
1588 | (i.e., whose ownership should be changed to the user ID of the delegatee). | |
1589 | In the future, the set of delegatable files may change or grow, | |
1590 | and this file provides a way for the kernel to inform | |
1591 | user-space applications of which files must be delegated. | |
1592 | As at Linux 4.15, one sees the following when inspecting this file: | |
1593 | .IP | |
1594 | .EX | |
1595 | .in +4n | |
1596 | $ \fBcat /sys/kernel/cgroup/delegate\fP | |
1597 | cgroup.procs | |
1598 | cgroup.subtree_control | |
1599 | .in | |
1600 | .EE | |
6413d784 MK |
1601 | .TP |
1602 | .IR /sys/kernel/cgroup/features " (since Linux 4.15)" | |
1603 | .\" commit 5f2e673405b742be64e7c3604ed4ed3ac14f35ce | |
1604 | Over time, the set of cgroups v2 features that are provided by the | |
1605 | kernel may change or grow, | |
1606 | or some features may not be enabled by default. | |
1607 | This file provides a way for user-space applications to discover what | |
1608 | features the running kernel supports or has enabled. | |
1609 | Features are listed one per line: | |
1610 | .IP | |
1611 | .in +4n | |
1612 | .EX | |
1613 | .EE | |
1614 | $ \fBcat /sys/kernel/cgroup/features\fP | |
1615 | nsdelegate | |
1616 | .in | |
1617 | .IP | |
1618 | The entries that can appear in this file are: | |
1619 | .RS | |
1620 | .TP | |
1621 | .IR nsdelegate " (since Linux 4.15)" | |
1622 | The kernel supports the | |
1623 | .I nsdelegate | |
1624 | mount option. | |
1625 | .RE | |
2e23a9b2 MK |
1626 | .SH ERRORS |
1627 | The following errors can occur for | |
1628 | .BR mount (2): | |
1629 | .TP | |
1630 | .B EBUSY | |
1631 | An attempt to mount a cgroup version 1 filesystem specified neither the | |
1632 | .I name= | |
1633 | option (to mount a named hierarchy) nor a controller name (or | |
28bcfee9 | 1634 | .IR all ). |
15ce4b0c MK |
1635 | .SH NOTES |
1636 | A child process created via | |
1637 | .BR fork (2) | |
1638 | inherits its parent's cgroup memberships. | |
1639 | A process's cgroup memberships are preserved across | |
1640 | .BR execve (2). | |
bbfdf727 | 1641 | .SH SEE ALSO |
ebbc83be | 1642 | .BR prlimit (1), |
f60a5da2 | 1643 | .BR systemd (1), |
edc2a022 MK |
1644 | .BR systemd-cgls (1), |
1645 | .BR systemd-cgtop (1), | |
325b7eb0 | 1646 | .BR clone (2), |
ebbc83be MK |
1647 | .BR ioprio_set (2), |
1648 | .BR perf_event_open (2), | |
1649 | .BR setrlimit (2), | |
cff6de30 | 1650 | .BR cgroup_namespaces (7), |
69c47536 | 1651 | .BR cpuset (7), |
ebbc83be MK |
1652 | .BR namespaces (7), |
1653 | .BR sched (7), | |
1654 | .BR user_namespaces (7) |