cgroups (abbreviated from control groups) is a Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes.
Cgroups was originally written by Paul Menage et al. and mainlined into the Linux kernel in 2007. Afterwards this is called cgroups version 1.
This rewrite is now called version 2, the documentation of cgroups-v2 first appeared in Linux kernel 4.5 released on March 14, 2016.
- The PID namespace provides isolation for the allocation of process identifiers (PIDs), lists of processes and their details. While the new namespace is isolated from other siblings, processes in its “parent” namespace still see all processes in child namespaces—albeit with different PID numbers.
- Network namespace isolates the network interface controllers (physical or virtual), iptables firewall rules, routing tables etc. Network namespaces can be connected with each other using the “veth” virtual Ethernet device.
- “UTS” namespace allows changing the hostname.
- Mount namespace allows creating a different file system layout, or making certain mount points read-only.
- IPC namespace isolates the System V inter-process communication between namespaces.
- User namespace isolates the user IDs between namespaces.
The kmemcg controller can limit the amount of memory that the kernel can utilize to manage its own internal processes.
provide a unified interface to many different use cases, from controlling single processes (by using nice, for example) to whole operating system-level virtualization (as provided by OpenVZ, Linux-VServer or LXC, for example).
- Resource limiting – groups can be set to not exceed a configured memory limit, which also includes the file system cache
- Prioritization – some groups may get a larger share of CPU utilization or disk I/O throughput
- Accounting – measures a group’s resource usage, which may be used, for example, for billing purposes
- Control – freezing groups of processes, their checkpointing and restarting