Arrow Left
profile

Ivan Velichko

Playing with cgroups for Fun and Profit

Published about 2 months ago • 1 min read

Hey there 👋

I spent a few weeks deep diving into cgroup v2, and I'm happy to share my findings with you!

Everyone knows that Docker and Kubernetes use cgroups to limit the resources of containers and Pods. But did you know that it's very easy to run an arbitrary Linux process in a cgroup using much more basic tools?

The only kernel's interface for cgroups is the virtual filesystem called cgroupfs typically mounted at /sys/fs/cgroup. Creating folders there and writing to files in them is technically all you need to get the job done.

While entertaining when performed once or twice, very few of us would want to regularly tune cgroups by writing to some obscure fs locations. Luckily there are higher-level helpers available. For instance, here is how you can run an app limiting its memory usage to 1000 MiB:

cgcreate -g memory:/new-cgroup

cgset -r memory.max="1000M" new-cgroup

gexec -g memory:new-cgroup ~/app

The above libcgroup tools are definitely handier than mkdir and echo, but my favorite finding is systemd-run! Not only can you demonize with it any long-running tasks, making them survive SSH disconnects and getting logs and status checks out of the box, but you can also limit their CPU and Memory usage with just two simple flags. And under the hood, systemd will configure a transient cgroup for you:

If you find the above tips useful, you can read more about practical ways of using cgroups in my most recent tutorial:

​Controlling Process Resources with Linux Control Groups​

And, of course, the best way to internalize the new knowledge is by solving a few hands-on problems:

​

Hope you will find cgroup as fun as I do now. Good luck!

Ivan

Get more powerful playgrounds, unlimited egress traffic, and full content access with iximiuz Labs Premium. Does your company have a learning and development budget? Then this expense most likely can be reimbursed.

Ivan Velichko

Software Engineer at day. Tech Storyteller at night.

Building labs.iximiuz.com - a place to help you learn Containers and Kubernetes the fun way 🚀

Read more from Ivan Velichko

Hello friends! Ivan's here with another monthly roundup of all things Linux, Containers, Kubernetes, and Server Side 🧙 The issue's main topic is iximiuz Labs' largest-ever upgrade: Fresher and more streamlined look of the frontend UI 💙 A new 5.10 Linux kernel built with nftables support (finally, we can try out kube-proxy's nftables mode). New default playground user - laborant (yep, rootless containers learning for). New playgrounds: Ubuntu 24.04, Debian Trixie, Fedora, and Incus (yay! more...

9 days ago • 4 min read

Hello friends! Ivan's here with a slightly delayed July roundup of all things Linux, Containers, Kubernetes, and Server Side 🧙 What I was working on This month, I got nerd-sniped by cgroups. It all started when I ran into a pretty significant difference in how Docker and Kubernetes handle the OOM events. When you limit the memory usage of a multi-process Docker container, the OOM killer often terminates only one of the processes if the container runs out of memory. If this process is not the...

about 1 month ago • 5 min read

Hello friends! Ivan's here with the June roundup of all things Linux, Containers, Kubernetes, and Server-Side craft 🧙 What I was working on The first two lessons (and a few challenges) of my "Alternative Introduction to Dagger" course have not sparked much interest among my students, so I had to put this work on pause. With a heavy heart, though, because I do like Dagger, and I was enjoying working on the content about it. But no interest means fewer iximiuz Labs Premium subscribers, and I...

2 months ago • 3 min read