systemd-cgls
2. How to use cgroups? The user can access and manage cgroups directly and indirectly (with LXC, libvirt or Docker). Install the necessary packages: $ sudo apt-get install libcgroup1 cgroup-tools Now, the enabled cgroups can be seen via proc filesystem or sysfs: $ cat /proc/cgroups #subsys_name hierarchy num_cgroups enabled cpuset 9 2 1 cpu 4 134 1 cpuacct 4 134 1 blkio 7 134 1 memory 5 163 1 devices 11 134 1 freezer 2 2 1 net_cls 3 2 1 perf_event 10 2 1 net_prio 3 2 1 hugetlb 8 2 1 pids 6 136 1 $ ls -l /sys/fs/cgroup/ total 0 dr-xr-xr-x 6 root root 0 Nov 13 00:55 blkio drwxr-xr-x 2 root root 60 Nov 13 01:00 cgmanager lrwxrwxrwx 1 root root 11 Nov 13 00:55 cpu -> cpu,cpuacct lrwxrwxrwx 1 root root 11 Nov 13 00:55 cpuacct -> cpu,cpuacct dr-xr-xr-x 6 root root 0 Nov 13 00:55 cpu,cpuacct dr-xr-xr-x 3 root root 0 Nov 13 00:55 cpuset dr-xr-xr-x 6 root root 0 Nov 13 00:55 devices dr-xr-xr-x 3 root root 0 Nov 13 00:55 freezer dr-xr-xr-x 3 root root 0 Nov 13 00:55 hugetlb dr-xr-xr-x 6 root root 0 Nov 13 00:55 memory lrwxrwxrwx 1 root root 16 Nov 13 00:55 net_cls -> net_cls,net_prio dr-xr-xr-x 3 root root 0 Nov 13 00:55 net_cls,net_prio lrwxrwxrwx 1 root root 16 Nov 13 00:55 net_prio -> net_cls,net_prio dr-xr-xr-x 3 root root 0 Nov 13 00:55 perf_event dr-xr-xr-x 6 root root 0 Nov 13 00:55 pids dr-xr-xr-x 6 root root 0 Nov 13 00:55 systemd cgroups can be configured directly via the sysfs. For example, let’s create a small bash script named test_cgroups.sh for demonstration: #!/bin/bash while : do echo "Print line" > /dev/tty sleep 5 done Run above script: $ chmod +x test_cgroups.sh $ ./test_cgroups.sh Print line Print line Print line ... ... Change directory to /sys/fs/cgroup/devices where devices represents kind of resources that allows or denies access to devices by tasks in a cgroup: $ cd sys/fs/cgroup/devices Then, create a directory cgroups_test_group: # mkdir cgroups_test_group After creation of the cgroups_test_group directory, the following files will be generated: $ ls -l /sys/fs/cgroup/devices/cgroups_test_group total 0 -rw-r--r-- 1 root root 0 Nov 16 02:05 cgroup.clone_children -rw-r--r-- 1 root root 0 Nov 16 02:05 cgroup.procs --w------- 1 root root 0 Nov 16 02:05 devices.allow --w------- 1 root root 0 Nov 16 02:05 devices.deny -r--r--r-- 1 root root 0 Nov 16 02:05 devices.list -rw-r--r-- 1 root root 0 Nov 16 02:05 notify_on_release -rw-r--r-- 1 root root 0 Nov 16 02:05 tasks The tasks file contains PIDs (Process ID) of processes which will be attached to the cgroups_test_group, the devices.deny file contains list of denied devices. By default, a newly created group has no any limits for devices access. In order to forbid a device (in this case, it’s /dev/tty), the devices.deny file should be modified: # echo "c 5:0 w" > devices.deny In the above command, the c indicates that /dev/tty is a character device, 5:0 is major and minor numbers of the device. The last w is write permission, so the above command forbids tasks to write to the /dev/tty. $ ls -l /dev/tty crw-rw-rw- 1 root tty 5, 0 Nov 18 17:02 /dev/tty After that, re-run the script test_cgroups.sh: $ ./test_cgroups.sh Print line Print line Print line ... ... then add the PID of this process to the tasks file: # echo $(pidof -x test_cgroups.sh) > /sys/fs/cgroup/devices/cgroups_test_group/tasks The result will be as expected: $ ./test_cgroups.sh Print line Print line Print line ./test_cgroups.sh: line 5: /dev/tty: Operation not permitted ./test_cgroups.sh: line 5: /dev/tty: Operation not permitted ... ... An other example when running docker container $ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS 98225055fa39 ubuntu "/bin/bash" 47 seconds ago Up 30 seconds $ cat /sys/fs/cgroup/device/docker/98225055fa394b388e988b067b77dda61e53027ee944e4e0fd7887e19cdcf341/tasks 13556 During starting up of a docker container, docker creates a cgroup for processes in this container: $ docker run -it ubuntu $ top PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 1 root 20 0 18508 1848 1444 S 0.0 0.0 0:00.01 bash 12 root 20 0 36628 1924 1420 R 0.0 0.0 0:00.01 top Now, the cgroup of above process will be seen on host machine: $ systemd-cgls Control group /: -.slice ├─1429 /sbin/cgmanager -m name=systemd ├─docker │ └─98225055fa394b388e988b067b77dda61e53027ee944e4e0fd7887e19cdcf341 │ └─13556 /bin/bash
type type can have one of the following three values: a — applies to all devices, both character devices and block devices b — specifies a block device c — specifies a character device
在/devices/cgroup 目录下创建目录 first,并设置禁止设备读: root@ubuntu:/sys/fs/cgroup/devices# mkdir first root@ubuntu:/sys/fs/cgroup/devices/first# echo "a 1:5 r" > devices.deny 在另外一个终端中设置: root@ubuntu:~# cgexec -g devices:first dd if=/dev/zero of=zero bs=1M count=128 & 可见提示如下: [1] 8973
root@ubuntu:/sys/fs/cgroup/devices# mkdir first root@ubuntu:/sys/fs/cgroup/devices# ls -al total 0 dr-xr-xr-x 10 root root 0 Sep 24 18:06 . drwxr-xr-x 15 root root 380 Sep 24 18:06 .. -rw-r--r-- 1 root root 0 Sep 25 06:25 cgroup.clone_children -rw-r--r-- 1 root root 0 Sep 25 06:25 cgroup.procs -r--r--r-- 1 root root 0 Sep 25 06:25 cgroup.sane_behavior drwxr-xr-x 2 root root 0 Oct 16 10:07 default --w------- 1 root root 0 Sep 25 06:25 devices.allow --w------- 1 root root 0 Sep 25 06:25 devices.deny -r--r--r-- 1 root root 0 Sep 25 06:25 devices.list drwxr-xr-x 3 root root 0 Oct 9 15:45 docker drwxr-xr-x 2 root root 0 Nov 17 19:47 first drwxr-xr-x 4 root root 0 Oct 13 18:45 kubepods drwxr-xr-x 4 root root 0 Oct 13 22:56 kubepods.slice -rw-r--r-- 1 root root 0 Sep 25 06:25 notify_on_release -rw-r--r-- 1 root root 0 Sep 25 06:25 release_agent drwxr-xr-x 66 root root 0 Sep 24 18:06 system.slice -rw-r--r-- 1 root root 0 Sep 25 06:25 tasks drwxr-xr-x 2 root root 0 Oct 31 11:10 test.slice drwxr-xr-x 2 root root 0 Sep 24 18:06 user.slice root@ubuntu:/sys/fs/cgroup/devices# ls first/ cgroup.clone_children cgroup.procs devices.allow devices.deny devices.list notify_on_release tasks root@ubuntu:/sys/fs/cgroup/devices#