LLMpediaThe first transparent, open encyclopedia generated by LLMs

cgroups

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Article Genealogy
Parent: Docker Hub Hop 4
Expansion Funnel Raw 50 → Dedup 0 → NER 0 → Enqueued 0
1. Extracted50
2. After dedup0 (None)
3. After NER0 ()
4. Enqueued0 ()
cgroups
Namecgroups
DeveloperLinux kernel organization
Initial release2007
Programming languageC (programming language)
Operating systemLinux
LicenseGPL
WebsiteKernel.org

cgroups are a kernel feature that enables hierarchical grouping and resource control for processes on modern Linux systems. They provide mechanisms to allocate, account for, and isolate CPU, memory, I/O, and other resources among sets of tasks, enabling containerization, performance isolation, and system management. cgroups are widely used by orchestration systems, virtualization stacks, and cloud platforms to implement resource limits and quality-of-service guarantees.

Overview

cgroups implement resource management primitives in the Linux kernel to organize processes into hierarchical groups for accounting and control. Major users include Docker (software), Kubernetes, systemd, and LXC (Linux Containers), which rely on cgroups to enforce quotas, priorities, and isolation. Administrators use cgroups together with namespaces to build containers for platforms such as OpenStack, Amazon Web Services, and Google Cloud Platform. The design enables fine-grained policies for services like Apache HTTP Server, MySQL, or PostgreSQL when deployed in multi-tenant environments.

History and Development

Work on process grouping and resource control began in the mid-2000s within the Linux kernel organization and related projects such as LXC (Linux Containers). Initial contributions came from engineers at companies including Google, IBM, Red Hat, and Canonical (company), motivated by needs in large-scale systems like Google Search and hosting services. The feature appeared as "cpuset" and "cgroups" patches around 2007 and was merged through kernel releases maintained by lead developers including Linus Torvalds and subsystem maintainers. Over time, integration with init systems such as systemd and container runtimes such as runc led to standardized interfaces and the split between "cgroups v1" and "cgroups v2" designs, reflecting work tracked on Kernel.org and discussed in conferences like LinuxCon.

Architecture and Concepts

cgroups are structured as a hierarchical filesystem where each mount point reflects a set of controllers bound to the hierarchy. Core concepts include hierarchies, controllers (also called subsystems), cgroup tasks, and configuration files exposed via the pseudo-filesystem. The implementation interacts with kernel components like the scheduler and the memory management unit to enforce limits. Each cgroup can be associated with resource limits (e.g., CPU shares, memory.max), accounting metrics (e.g., cpuacct.stat), and notification interfaces for events. Interaction patterns draw on interfaces standardized in kernel documentation and tooling used by projects such as systemd, Docker (software), and orchestration frameworks like Mesos.

Controllers (Subsystems)

Controllers implement resource-specific policies. Common controllers include the CPU controller (scheduling and shares), the Memory controller (limits and OOM handling), and the Block I/O controller (throttling and weights). Specific controllers used by major platforms include cpu, cpuacct, memory, blkio, freezer, cpuset, and pids. Each controller integrates with kernel subsystems: the CPU controller with the Completely Fair Scheduler, the memory controller with the Linux Virtual Memory Manager, and the blkio controller with the block layer. Cloud and container projects rely on controllers to enforce tenant isolation in environments managed by Kubernetes controllers, Nomad (HashiCorp), or vendor offerings like Azure.

Usage and Administration

Administrators create and manage cgroups using the cgroup filesystem, utilities like cgcreate and cgset from the libcgroup project, and higher-level tools such as systemctl from systemd. Container runtimes such as Docker (software) and containerd programmatically create hierarchies and set controllers for containers. Monitoring integrates with telemetry systems like Prometheus, Grafana, and logging stacks including ELK Stack to expose metrics and alerts. Best practices borrow from operations frameworks used by companies like Facebook and Netflix for capacity planning and resource quotas in microservices architectures.

Implementation and Integration

Two major generations exist: the original multi-hierarchy design ("v1") and the unified hierarchy ("v2"). cgroups v2 simplifies semantics by exposing a single hierarchy and provides improved consistency for controllers and delegation used by systemd and modern container runtimes. Kernel subsystems coordinate with cgroups through well-defined hooks; patches and design discussions are tracked on Kernel.org and reviewed by maintainers such as those in the Linux Foundation community. Integrations with orchestration and runtime ecosystems—Kubernetes, CRI-O, runc, and containerd—use machine-readable configuration and APIs such as the Container Runtime Interface to control cgroup state.

Security and Limitations

While cgroups provide isolation useful for multi-tenant deployments, they are not a security boundary equivalent to virtualization technologies like Xen or KVM. Privilege escalation risks can arise from misconfiguration, interaction with namespaces, or kernel vulnerabilities disclosed in advisories by teams such as Red Hat Product Security and Ubuntu Security. Limitations include complexity in v1 with multiple hierarchies, race conditions during delegation, and constrained enforcement granularity for resources like network bandwidth, which often relies on separate mechanisms such as tc from the iproute2 suite. Ongoing kernel development and security audits by organizations including Google, Red Hat, and the Linux Foundation continue to refine capabilities and harden interfaces.

Category:Linux kernel features