Hey there 👋

I spent a few weeks deep diving into cgroup v2, and I'm happy to share my findings with you!

Everyone knows that Docker and Kubernetes use cgroups to limit the resources of containers and Pods. But did you know that it's very easy to run an arbitrary Linux process in a cgroup using much more basic tools?

The only kernel's interface for cgroups is the virtual filesystem called cgroupfs typically mounted at /sys/fs/cgroup. Creating folders there and writing to files in them is technically all you need to get the job done.

While entertaining when performed once or twice, very few of us would want to regularly tune cgroups by writing to some obscure fs locations. Luckily there are higher-level helpers available. For instance, here is how you can run an app limiting its memory usage to 1000 MiB:

cgcreate -g memory:/new-cgroup

cgset -r memory.max="1000M" new-cgroup

gexec -g memory:new-cgroup ~/app

The above libcgroup tools are definitely handier than mkdir and echo, but my favorite finding is systemd-run! Not only can you demonize with it any long-running tasks, making them survive SSH disconnects and getting logs and status checks out of the box, but you can also limit their CPU and Memory usage with just two simple flags. And under the hood, systemd will configure a transient cgroup for you:

If you find the above tips useful, you can read more about practical ways of using cgroups in my most recent tutorial:

​Controlling Process Resources with Linux Control Groups​

And, of course, the best way to internalize the new knowledge is by solving a few hands-on problems:

• Have you ever wanted to put a resource-hungry Docker Compose app in a cage without specifying the resource limits of the individual containers? In this challenge, you'll need to do exactly this.
• Did you know that Docker and Kubernetes behave differently when a multi-process container runs out of memory? Docker kills just one of the processes, letting the container live (for better or worse), while Kubernetes terminates the entire Pod (but only since Kubernetes 1.28 and only if cgroup v2 is used).
• The difference between Docker's and Kubernetes' behavior puzzles you? Check out this challenge to learn about the cgroup machinery behind it (and this GitHub comment to see what people do to make Kubernetes behave like Docker 🤯).

​

Hope you will find cgroup as fun as I do now. Good luck!

Ivan