Cgroups
Overview
Control Groups (cgroups) limit, isolate, and account for resource usage of processes. Containers rely on cgroups to enforce CPU, memory, I/O, and PID limits.
cgroup v1 vs v2
v1 uses multiple hierarchies (one per controller).
v2 uses a unified hierarchy with consistent semantics.
Modern distros default to v2; systemd exposes it under /sys/fs/cgroup.
Common Controllers
CPU: shares, quotas, and scheduling controls.
Memory: hard/soft limits, OOM behavior.
IO: block I/O throttling and weight.
PIDs: cap number of processes.
How It Works
Each process belongs to a cgroup in the hierarchy. Limits are enforced by the kernel; accounting stats are exposed via cgroup files. Container runtimes create per-container cgroups and attach processes.
Example (v2)
$ sudo mkdir -p /sys/fs/cgroup/demo
$ echo "200000 100000" | sudo tee /sys/fs/cgroup/demo/cpu.max   # quota period: 2 CPUs
$ echo 512M | sudo tee /sys/fs/cgroup/demo/memory.max
$ echo $$ | sudo tee /sys/fs/cgroup/demo/cgroup.procs             # move this shell into the cgroup
The writes go through sudo tee because a plain shell redirection runs as the unprivileged user and fails on the root-owned files. The cpu.max and memory.max files only exist if the cpu and memory controllers are enabled in the parent's cgroup.subtree_control.
Notes for Containers
Over-committing CPU is normal, since cpu shares only matter under contention; memory limits are hard, and a container that exceeds memory.max gets the OOM killer. PID limits prevent fork bombs inside a container. Use cgroups with Linux/Containerization/Namespaces to build isolated containers.
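As an added example (not part of the original page), a POSIX shell script that reads the limit files a v2 cgroup exposes and reports them the way a container audit would: cpu.max is parsed into a CPU count, and a memory.max or pids.max left at "max" is flagged, since such a cgroup does nothing against a runaway process or a fork bomb. The function names, the "absent" marker for a missing file, and the lookup of the script's own cgroup through /proc/self/cgroup are this example's own conventions; every function takes the cgroup directory as an argument, so it can also be run against a copied set of the files.

```shell
#!/bin/sh
# Added example: inspect the limits a cgroup v2 directory enforces.
# All functions take the cgroup directory as $1 (normally under
# /sys/fs/cgroup) so they can also run on a constructed copy of the files.

# Convert a cpu.max value ("$QUOTA $PERIOD" or "max $PERIOD") into a CPU
# count with two decimals; "max" means no quota. Period defaults to the
# kernel default of 100000 microseconds when only a quota is given.
cpu_max_to_cpus() {
    quota=$1
    period=${2:-100000}
    if [ "$quota" = "max" ]; then
        echo "unlimited"
    else
        # POSIX sh arithmetic is integer only, so scale by 100 first.
        hundredths=$(( quota * 100 / period ))
        printf '%d.%02d\n' $(( hundredths / 100 )) $(( hundredths % 100 ))
    fi
}

# Print one cgroup file, or "absent" when the file is missing (the
# controller is not enabled for this cgroup).
cg_read() {
    if [ -r "$1/$2" ]; then
        cat "$1/$2"
    else
        echo "absent"
    fi
}

# Summarise the limits of one cgroup directory, one key=value per line.
cg_limits() {
    dir=$1
    # Unquoted on purpose: split "quota period" into $1 and $2.
    set -- $(cg_read "$dir" cpu.max)
    if [ "$1" = "absent" ]; then
        echo "cpu=absent"
    else
        echo "cpu=$(cpu_max_to_cpus "$1" "$2")"
    fi
    echo "memory=$(cg_read "$dir" memory.max)"
    echo "pids=$(cg_read "$dir" pids.max)"
}

# Warn when memory.max or pids.max is unlimited or missing.
# Returns 0 only when both hard limits are actually set.
cg_check() {
    dir=$1
    rc=0
    for f in memory.max pids.max; do
        v=$(cg_read "$dir" "$f")
        case "$v" in
            max|absent) echo "WARN: $f is $v in $dir"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: report on the cgroup this script itself runs in. On a v2 system
# /proc/self/cgroup holds one line like "0::/user.slice/..."; skipped
# entirely where the file does not exist.
if [ -r /proc/self/cgroup ]; then
    self_cg=$(sed -n 's/^0::\(.*\)$/\1/p' /proc/self/cgroup)
    cg_limits "/sys/fs/cgroup$self_cg"
    cg_check "/sys/fs/cgroup$self_cg" || true
fi
```

Run it inside a container to see the runtime's limits for that container; run it on a copied directory of cgroup files to compare expected against actual settings without root.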