Using cgroups
Requirements
Download the package for your distro; for Arch Linux there is cgmanager.
Cgroups allow you to configure how the resources of specific processes are treated. These days there is a lot of bloatware around, so it is nice to limit some processes so that they at least do not use too much memory or CPU. That also keeps some processes from hanging the machine.
Quite commonly Chrome freezes the whole system when it eats up all CPU and memory, especially when opening some "optimized" pages like YouTube. These notes were created out of frustration about that.
There are also not enough guides on how to configure some parts of cgroups, so some time was spent on research.
Cgroups allow you to configure these resources:
| Resource | Description |
|---|---|
| blkio | This subsystem sets limits on input/output access to and from block devices such as physical drives (disk, solid state, or USB). |
| cpu | This subsystem uses the scheduler to provide cgroup tasks access to the CPU. |
| cpuacct | This subsystem generates automatic reports on CPU resources used by tasks in a cgroup. |
| cpuset | This subsystem assigns individual CPUs (on a multicore system) and memory nodes to tasks in a cgroup. |
| devices | This subsystem allows or denies access to devices by tasks in a cgroup. |
| freezer | This subsystem suspends or resumes tasks in a cgroup. |
| memory | This subsystem sets limits on memory use by tasks in a cgroup and generates automatic reports on memory resources used by those tasks. |
| net_cls | This subsystem tags network packets with a class identifier (classid) that allows the Linux traffic controller (tc) to identify packets originating from a particular cgroup task. |
| net_prio | This subsystem provides a way to dynamically set the priority of network traffic per network interface. |
| ns | The namespace subsystem. |
| perf_event | This subsystem identifies cgroup membership of tasks and can be used for performance analysis. |
Configuration example
Since the requirement was to stop Chrome from stalling the system, memory and CPU will be limited. The rules are located in /etc/cgrules.conf. First set the permissions, i.e. whom the group applies to:
```
perm {
    admin {
        uid = youruser;
        gid = youruser;
    }
    task {
        uid = youruser;
        gid = youruser;
    }
}
```
Limit which CPUs the process is allowed to run on; here the process runs on CPUs 0-1:
```
cpuset {
    cpuset.mems="0";
    cpuset.cpus="0-1";
}
```
Limit the CPU load; set the maximum CPU usage to 90%:
```
cpu {
    cpu.shares = 900;
}
```
Limit the process's maximum memory to 4G:
```
memory {
    memory.limit_in_bytes = "4000000000";
}
```
The final config looks like this:
```
group chrome {
    perm {
        admin {
            uid = fam;
            gid = fam;
        }
        task {
            uid = fam;
            gid = fam;
        }
    }
    cpuset {
        cpuset.mems="0";
        cpuset.cpus="0-1";
    }
    memory {
        memory.limit_in_bytes = "4000000000";
    }
    cpu {
        cpu.shares = 900;
    }
    net_cls {
        net_cls.classid = 11;
    }
}
```
Update and apply the rules. The rules are applied to the cgroups and enforced on the launched process through the memory, cpuset and cpu cgroup rules:
```
cgconfigparser -l /etc/cgconfig.conf
cgexec -g memory,cpuset,cpu:chrome /usr/bin/chromium
```
Now we can safely play some videos on the internet and the system no longer stalls.
Configuring a process to use a specific interface
Set the cgroup classid:
```
net_cls {
    net_cls.classid = 0x10001;
}
```
iptables filtering
```
# Dedicated chains for traffic leaving from / arriving at sockets of the cgroup
iptables -N CHROME_OUT
iptables -N CHROME_IN
# Outgoing packets from classid 0x10001: allow only the VPN interface, drop everything else.
# Rules are evaluated in order, so the ACCEPT must be appended before the final DROP.
iptables -t filter -A OUTPUT -m cgroup --cgroup 0x10001 -j CHROME_OUT
iptables -A CHROME_OUT -o tun0 -j ACCEPT
iptables -A CHROME_OUT -j DROP
# Incoming packets for the cgroup's sockets: same policy, matched on the input interface.
# Note: in INPUT the cgroup match only sees packets handled by early socket demux
# (see iptables-extensions(8)), so it is less reliable there than in OUTPUT.
iptables -t filter -A INPUT -m cgroup --cgroup 0x10001 -j CHROME_IN
iptables -A CHROME_IN -i tun0 -j ACCEPT
iptables -A CHROME_IN -j DROP
```
Now only the single, secure interface is available to the chrome cgroup; if the secure interface goes down there is no network connection at all.
Run:
```
cgexec -g memory,cpuset,cpu,net_cls:chrome /usr/bin/chromium
```
Exploring other configuration options
Cgroups are configured through sysfs:
```
ls /sys/fs/cgroup
blkio cpuacct devices memory net_prio rdma
cgmanager cpu,cpuacct freezer net_cls perf_event systemd
cpu cpuset hugetlb net_cls,net_prio pids unified
```
If we have applied the rules from the previous section, we can find them here:
```
cat /sys/fs/cgroup/cpu/chrome/cpu.shares
900
cat /sys/fs/cgroup/memory/chrome/memory.limit_in_bytes
3999997952
cat /sys/fs/cgroup/cpuset/chrome/cpuset.mems
0
cat /sys/fs/cgroup/cpuset/chrome/cpuset.cpus
0-1
```
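To see how the config file maps onto the values read back above, here is an added dry-run checker (example code, not part of this note or of libcgroup): it parses a cgconfig.conf group block, lists the files cgconfigparser would write, builds the controller list for cgexec -g, and reproduces the kernel's page-size rounding that turns a configured 4000000000 into 3999997952. It assumes a 4096-byte page size and works on a constructed sample config.

```python
import re
PAGE_SIZE = 4096  # assumption: x86-64 page size
SAMPLE = """
group chrome {
    perm { admin { uid = fam; gid = fam; } task { uid = fam; gid = fam; } }
    cpuset { cpuset.mems="0"; cpuset.cpus="0-1"; }
    memory { memory.limit_in_bytes = "4000000000"; }
    cpu { cpu.shares = 900; }  net_cls { net_cls.classid = 0x10001; }
}
"""  # constructed sample mirroring the final cgconfig.conf of this note
# Tokens: a quoted string, one of { } =, or a bare word; ';' terminators are skipped.
TOKEN = re.compile(r'"[^"]*"|[{}=]|[^\s{};=]+')

def parse_block(tokens, i):
    """Parse from tokens[i] to the matching '}'; return (dict, index after '}')."""
    out = {}
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":
            return out, i + 1
        if tokens[i + 1] == "{":        # nested section: perm, admin, memory, ...
            out[tok], i = parse_block(tokens, i + 2)
        elif tokens[i + 1] == "=":      # parameter: key = value;
            out[tok] = tokens[i + 2].strip('"')
            i += 3
        else:
            raise ValueError(f"unexpected token {tok!r}")
    raise ValueError("unterminated block")

def parse_cgconfig(text):
    """{group_name: {section: {...}}} for every top-level 'group NAME { ... }'."""
    tokens, groups, i = TOKEN.findall(text), {}, 0
    while i < len(tokens):
        if tokens[i] != "group" or tokens[i + 2] != "{":
            raise ValueError("expected 'group NAME {'")
        groups[tokens[i + 1]], i = parse_block(tokens, i + 3)
    return groups

def planned_writes(groups, root="/sys/fs/cgroup"):
    """Sysfs files cgconfigparser populates; 'perm' only sets ownership, it is not a controller."""
    return {f"{root}/{ctrl}/{name}/{key}": val for name, sections in groups.items()
            for ctrl, params in sections.items() if ctrl != "perm" for key, val in params.items()}

def cgexec_spec(groups, name):
    """Controller list for 'cgexec -g'; a controller left out of it is not enforced on the process."""
    return ",".join(c for c in groups[name] if c != "perm") + ":" + name

def effective_memory_limit(value, page_size=PAGE_SIZE):
    """memory.limit_in_bytes is kept in pages and rounded down: 4000000000 reads back as 3999997952."""
    return (int(value, 0) // page_size) * page_size
```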
More options for each of the subsystems can be found with:
```
ls /sys/fs/cgroup/*/
```
Here are some extra options for cpu:
```
ls /sys/fs/cgroup/cpu/
cgroup.clone_children cpuacct.usage_percpu cpu.shares
cgroup.procs cpuacct.usage_percpu_sys cpu.stat
cgroup.sane_behavior cpuacct.usage_percpu_user notify_on_release
chrome cpuacct.usage_sys release_agent
cpuacct.stat cpuacct.usage_user tasks
cpuacct.usage cpu.cfs_period_us
cpuacct.usage_all cpu.cfs_quota_us
```