Using cgroups

Requirements

Download the package for your distro; for Arch Linux it is cgmanager.

cgroups let you control how the resources of a specific process are treated. Since there is a lot of bloatware around these days, it is nice to keep at least some processes from using too much memory or CPU; that also stops them from hanging the system.

It is quite common for Chrome to freeze the whole system when it eats up all the CPU and memory, especially when opening "optimized" pages like YouTube. These notes were written out of frustration with that.

There are also not enough guides on how to configure some parts of cgroups, so some time was spent on research.

Cgroups can configure these resources:

Resource    Description
blkio       sets limits on input/output access to and from block devices such as physical drives (disk, solid state, or USB)
cpu         uses the scheduler to provide cgroup tasks access to the CPU
cpuacct     generates automatic reports on CPU resources used by tasks in a cgroup
cpuset      assigns individual CPUs (on a multicore system) and memory nodes to tasks in a cgroup
devices     allows or denies access to devices by tasks in a cgroup
freezer     suspends or resumes tasks in a cgroup
memory      sets limits on memory use by tasks in a cgroup and generates automatic reports on memory resources used by those tasks
net_cls     tags network packets with a class identifier (classid) that allows the Linux traffic controller (tc) to identify packets originating from a particular cgroup task
net_prio    provides a way to dynamically set the priority of network traffic per network interface
ns          the namespace subsystem
perf_event  identifies cgroup membership of tasks and can be used for performance analysis

Configuration example

Since the requirement is to stop Chrome from stalling the system, memory and CPU will be limited. The rules are located in /etc/cgrules.conf. First set the permissions for the user the group applies to:

perm {
    admin {
        uid = youruser;
        gid = youruser; 
    }
    task {
        uid = youruser;
        gid = youruser;
    }
}

Limit which CPUs the process may run on; here it runs only on CPUs 0-1:

cpuset {
    cpuset.mems="0";
    cpuset.cpus="0-1";
}

Limit CPU load, setting the maximum CPU usage to 90%:

cpu {
    cpu.shares = 900;
}
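One caveat worth checking before relying on this: cpu.shares is a relative weight that only takes effect when the CPUs are contended, so on an otherwise idle machine the group can still use all of the CPUs it is pinned to. A hard ceiling comes from cpu.cfs_quota_us and cpu.cfs_period_us, which are among the files listed under /sys/fs/cgroup/cpu/ later in these notes. The script below is an added example, not part of the original notes or of libcgroup: it parses a cgconfig-style cpu block and reports what it actually enforces. The two sample blocks are constructed, and the 100000 microsecond period is the kernel's default when the file is left untouched.

```shell
#!/bin/sh
# Added example, not from the original notes: report what a cgconfig-style
# "cpu { ... }" block actually enforces. cpu.shares is only a weight used
# when CPUs are contended; the ceiling is cpu.cfs_quota_us / cpu.cfs_period_us.

# Constructed sample: the weight-only block from the notes.
CPU_BLOCK_SHARES='cpu {
    cpu.shares = 900;
}'

# Constructed sample: the same group with a real ceiling (90% of two CPUs).
CPU_BLOCK_QUOTA='cpu {
    cpu.shares = 900;
    cpu.cfs_period_us = 100000;
    cpu.cfs_quota_us = 180000;
}'

# cg_value "<block text>" key
# Prints the value of a "key = value;" line (quotes stripped), or nothing.
cg_value() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\";]*\)\"\{0,1\};.*/\1/p"
}

# cpu_cap_percent "<block text>"
# Prints the hard ceiling as a percentage of one CPU's time (180 = 1.8 CPUs),
# or "none" when the block only sets a weight or the quota is -1 (unlimited).
cpu_cap_percent() {
    quota=$(cg_value "$1" cpu.cfs_quota_us)
    period=$(cg_value "$1" cpu.cfs_period_us)
    [ -n "$period" ] || period=100000      # kernel default period in microseconds
    if [ -z "$quota" ] || [ "$quota" -lt 0 ]; then
        echo none
        return 0
    fi
    echo $(( quota * 100 / period ))
}

# cfs_quota_for_percent percent ncpus [period_us]
# Inverse: the quota that caps a group at `percent` of the CPUs it is pinned to.
# With cpuset.cpus="0-1" that is ncpus=2, so 90% -> 180000.
cfs_quota_for_percent() {
    period=${3:-100000}
    echo $(( period * $2 * $1 / 100 ))
}

# Demo output for the two constructed blocks.
echo "weight-only block, ceiling: $(cpu_cap_percent "$CPU_BLOCK_SHARES")"
echo "quota block, ceiling:       $(cpu_cap_percent "$CPU_BLOCK_QUOTA")% of one CPU"
echo "quota for 90% of 2 CPUs:    $(cfs_quota_for_percent 90 2) us per 100000 us period"
```

To turn the 90% intent into a real cap, add the two cfs lines that cfs_quota_for_percent prints to the cpu block; cpu.shares can stay as the weight used when the group competes with others.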

Limit the process's maximum memory to 4G:

memory {
    memory.limit_in_bytes = "4000000000";
}

The final config looks like this:

group chrome {
    perm {
        admin {
            uid = fam;
            gid = fam;
        }
        task {
            uid = fam;
            gid = fam;
        }
    }

    cpuset {
        cpuset.mems="0";
        cpuset.cpus="0-1";
    }

    memory {
        memory.limit_in_bytes = "4000000000";
    }

    cpu {
        cpu.shares = 900;
    }

    net_cls {
        net_cls.classid = 11;
    }
}

Load the rules and run the process under them. cgconfigparser creates the cgroups from the config, and cgexec starts the process inside the chrome group of the memory, cpuset and cpu hierarchies:

cgconfigparser -l /etc/cgconfig.conf
cgexec -g memory,cpuset,cpu:chrome /usr/bin/chromium

Now it is safe to play videos on the internet without the system stalling.

Configuring a process to use a specific interface

Set the cgroup classid:

net_cls {
    net_cls.classid = 0x10001;
}

Iptables filtering

iptables -N CHROME_OUT
iptables -N CHROME_IN

# Outbound: packets from the cgroup with classid 0x10001 go to CHROME_OUT.
# Rules are checked top to bottom, so the ACCEPT for tun0 must come before the DROP.
iptables -t filter -A OUTPUT -j CHROME_OUT -m cgroup --cgroup 0x10001
iptables -A CHROME_OUT -o tun0 -j ACCEPT
iptables -A CHROME_OUT -j DROP

# Inbound: same idea; the ACCEPT is added to CHROME_IN, not CHROME_OUT.
iptables -t filter -A INPUT -j CHROME_IN -m cgroup --cgroup 0x10001
iptables -A CHROME_IN -i tun0 -j ACCEPT
iptables -A CHROME_IN -j DROP

Now only the single, secure interface is available to the chrome cgroup; if that interface goes down, the process has no network connection at all.
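Why the rule order in a chain matters: iptables evaluates a chain first to last and the first matching rule decides, so an unconditional DROP appended before the tun0 ACCEPT silently drops everything, including the traffic that was meant to go over the secure interface. The script below is an added example, not from the original notes: it reads rules in iptables syntax and evaluates the CHROME_OUT chain for a packet leaving a given interface. Only the -o/-i interface match and the -j target are modelled; the cgroup match is assumed to have already jumped the packet into the chain, and both rule sets are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: evaluate a user chain the way
# iptables does (first matching rule wins) to show why rule order matters.
# Only -o / -i interface matches and the -j target are modelled; the cgroup
# match is assumed to have already jumped the packet into the chain.

# Constructed: the CHROME_OUT chain with DROP appended before the ACCEPT.
CHROME_OUT_DROP_FIRST='iptables -A CHROME_OUT -j DROP
iptables -A CHROME_OUT -o tun0 -j ACCEPT'

# Constructed: the same rules with the interface ACCEPT first.
CHROME_OUT_ACCEPT_FIRST='iptables -A CHROME_OUT -o tun0 -j ACCEPT
iptables -A CHROME_OUT -j DROP'

# rule_field "<rule line>" flag  -> the argument after that flag, or nothing
rule_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p"
}

# chain_verdict "<rules, one per line>" iface
# Walks the chain top to bottom for a packet on `iface` and prints the target
# of the first matching rule; prints RETURN when no rule matches, which hands
# the decision back to the built-in chain's policy.
chain_verdict() {
    result=$(printf '%s\n' "$1" | while read -r line; do
        case $line in ''|'#'*) continue ;; esac
        iface=$(rule_field "$line" -o)
        [ -n "$iface" ] || iface=$(rule_field "$line" -i)
        target=$(rule_field "$line" -j)
        if [ -z "$iface" ] || [ "$iface" = "$2" ]; then
            printf '%s\n' "$target"
            exit 0
        fi
    done)
    printf '%s\n' "${result:-RETURN}"
}

# Demo: the DROP-first chain never lets the VPN packet through.
echo "DROP first,   tun0 packet: $(chain_verdict "$CHROME_OUT_DROP_FIRST" tun0)"
echo "ACCEPT first, tun0 packet: $(chain_verdict "$CHROME_OUT_ACCEPT_FIRST" tun0)"
echo "ACCEPT first, eth0 packet: $(chain_verdict "$CHROME_OUT_ACCEPT_FIRST" eth0)"
```

On the real host the equivalent check is iptables -L CHROME_OUT -v -n: the ACCEPT line must appear above the DROP line, and its packet counter should be the one increasing while the browser runs over tun0.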

Run

cgexec -g memory,cpuset,cpu,net_cls:chrome /usr/bin/chromium

Exploring other configuration options

Cgroups are configured through a virtual filesystem mounted under /sys/fs/cgroup:

ls /sys/fs/cgroup
blkio      cpuacct      devices  memory            net_prio    rdma
cgmanager  cpu,cpuacct  freezer  net_cls           perf_event  systemd
cpu        cpuset       hugetlb  net_cls,net_prio  pids        unified

If the rules from the previous section have been applied, they can be found here:

cat /sys/fs/cgroup/cpu/chrome/cpu.shares 
900
cat /sys/fs/cgroup/memory/chrome/memory.limit_in_bytes 
3999997952
cat /sys/fs/cgroup/cpuset/chrome/cpuset.mems
0
cat /sys/fs/cgroup/cpuset/chrome/cpuset.cpus
0-1
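To confirm that a launched process really landed in the group with the expected limits, the added script below (not from the original notes or from libcgroup) parses the /proc/<pid>/cgroup text of a process and compares a requested memory limit with what the kernel reports. The /proc sample is constructed to look like a process started with cgexec -g memory,cpuset,cpu:chrome, so net_cls is deliberately still at the root. It assumes the group was loaded from /etc/cgconfig.conf as in the cgconfigparser line, and a 4096-byte page size (check with getconf PAGESIZE), which is why the 4000000000 requested above reads back as 3999997952: memory.limit_in_bytes is kept in whole pages and is rounded down.

```shell
#!/bin/sh
# Added example, not from the original notes: check that a process really sits
# in the chrome group for each controller named in "cgexec -g ..." and that a
# memory limit reads back as expected.

# Constructed sample of /proc/<pid>/cgroup for a process started with
# "cgexec -g memory,cpuset,cpu:chrome" (cgroup v1 format: id:controllers:path).
PROC_CGROUP='12:pids:/user.slice
11:memory:/chrome
10:cpuset:/chrome
9:cpu,cpuacct:/chrome
8:net_cls,net_prio:/
7:devices:/user.slice
1:name=systemd:/user.slice/user-1000.slice
0::/user.slice/user-1000.slice'

# cgroup_path "<proc cgroup text>" controller
# Prints the path of the hierarchy that contains the controller, e.g. "/chrome".
cgroup_path() {
    printf '%s\n' "$1" | while IFS=: read -r _id ctrls path; do
        case ",$ctrls," in
            *",$2,"*) printf '%s\n' "$path"; break ;;
        esac
    done
}

# missing_controllers "<proc cgroup text>" group ctrl1,ctrl2,...
# Prints the controllers (comma separated) whose path is not "/<group>".
missing_controllers() {
    text=$1; group=$2
    set -- $(printf '%s' "$3" | tr ',' ' ')
    missing=""
    for c in "$@"; do
        [ "$(cgroup_path "$text" "$c")" = "/$group" ] || missing="${missing:+$missing,}$c"
    done
    printf '%s\n' "$missing"
}

# page_aligned_limit bytes [pagesize]
# memory.limit_in_bytes is kept in whole pages, so the kernel rounds a
# requested limit down; 4000000000 becomes 3999997952 with 4096-byte pages.
# The page size is an assumption here; on the real host use getconf PAGESIZE.
page_aligned_limit() {
    pagesize=${2:-4096}
    echo $(( $1 / pagesize * pagesize ))
}

# limit_matches requested reported -> exit status 0 when the reported limit is
# exactly the page-rounded requested value (as in the cat output above).
limit_matches() {
    [ "$(page_aligned_limit "$1")" = "$2" ]
}

# Demo: a real check would read /proc/$(pgrep -o chromium)/cgroup and the
# cgroupfs files instead of the constructed strings.
echo "not in chrome group: '$(missing_controllers "$PROC_CGROUP" chrome memory,cpuset,cpu,net_cls)'"
if limit_matches 4000000000 3999997952; then
    echo "memory limit reads back as the page-rounded value"
fi
```

The missing_controllers check is the one to run after the net_cls variant of cgexec: if net_cls still shows "/" the iptables cgroup match never sees the classid and the browser is not confined to tun0.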

More options for each subsystem can be listed with:

ls /sys/fs/cgroup/*/

Here are the extra options for the cpu subsystem:

ls /sys/fs/cgroup/cpu/
cgroup.clone_children  cpuacct.usage_percpu       cpu.shares
cgroup.procs           cpuacct.usage_percpu_sys   cpu.stat
cgroup.sane_behavior   cpuacct.usage_percpu_user  notify_on_release
chrome                 cpuacct.usage_sys          release_agent
cpuacct.stat           cpuacct.usage_user         tasks
cpuacct.usage          cpu.cfs_period_us
cpuacct.usage_all      cpu.cfs_quota_us

Links

[1] https://wiki.archlinux.org/index.php/Cgroups
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/resource_management_guide/ch01
[3] https://blog.michael.kuron-germany.de/tag/iptables/
[4] http://main.lv/writeup/using_iptables.md