KB Journal

Linux namespace 与 cgroups

A close-up shot of a hand holding a penguin sticker against a blurred outdoor background.

Linux namespace 起源于 2002年的 2.4 内核,灵感来自 Bell Labs 的 Plan9 操纵系统。初始版本开发了 mount namespace kind。2006 陆续开始添加其他类型。3.8 版本引入 User namespace 特性,从而实现对容器的充分支持。

Namespace kinds

  • 1. mount
  • 2. pid
  • 3. network
  • 4. IPC
  • 5. UTS(Unix Time-Sharing)
  • 6. user
  • 7. cgroup
  • 8. time
$ ls -al /proc/<pid>/ns

Linux syscall

  • clone
    lags to specify which new namespace the new process should be migrated to.
  • unshare
    allows a process (or thread) to disassociate parts of its execution context that are currently being shared with other processes (or threads)
  • setns
    enters the namespace specified by a file descriptor.

cgroups(control groups)

来自谷歌工程师的贡献。cgoups v1 合并入 2.6(2007) 内核主线。v2 合并到 4.5(2016) 内核中。主要解决限制、核算、隔离一组进程的资源使用(CPU/memory/disk I/O)

Features

  • Resource limiting
    CPU quota and set/memory/file system cache/I/O bandwidth/maximum open files
  • Prioritization
    some groups may get a larger share of CPU utilization[16] or disk I/O throughput
  • Accounting
    measures a group’s resource usage, which may be used, for example, for billing purposes
  • Control
    freezing groups of processes, their checkpointing and restarting

Usage

  • By accessing the cgroup virtual file system manually.
  • By creating and managing groups on the fly using tools like cgcreate, cgexec, and cgclassify (from libcgroup).
  • Through the “rules engine daemon” that can automatically move processes of certain users, groups, or commands to cgroups as specified in its configuration.
$ ls -al /sys/fs/cgroup

Hierarchy and Subsystem

  • Hierarchy(层级): 由 cgroup 构成的树形结构
  • Subsystem(子系统):是内核负责特定资源管理的模块,包括:cpu/cpuset/cpuacct/memory/blkio/devices/freezer/net_cls/net_prio/perf_event/hugetlb/pids

一个子系统只能附加在一个层级,而一个层级可以附加多个子系统,即对单个层级实现多种资源的联合控制。

查看系统所支持的 subsystems

$ cat /proc/cgroups

Hierarchy 操作

mount -t cgroup <subsystems> <name> /cgroup/<name>
umount </path/to/your/hierarchy>

创建 cgroup

查看 cgroup vfs 挂载(默认挂在 /sys/fs/cgroup)

$ mount | grep cgroup

如果没有,则手动挂在

$ sudo mount -t cgroup2 none /sys/fs/cgroup

创建 mygrp

$ mkdir mygrp
$ sudo mount -t cgroup -o none,name=mygrp mygrp ./mygrp
$ ls -al mygrp/

创建子 cgroup,则直接到相应 Hierarchy 创建子目录即可

在 mygrp 控制组中加入进程

$ cd mygrp
$ sudo echo $$ >> tasks
$ cat /proc/$$/cgroup

限制资源

$ mkdir /sys/fs/cgroup/cpu/mygrp
$ echo <pid> /sys/fs/cgroup/cpu/mygrp/tasks
$ echo 20000 > /sys/fs/cgroup/cpu/mygrp/cpu.cfs_quota_us

References

cgroups(7) Linux manual page

资源管理指南 | Red Hat Documentation

Control groups series by Neil Brown

Linux资源管理之cgroups简介

Categories: ,
Tags: , ,

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注