Cgroups of docker Technology Foundation


brief introduction

As we all know, docker containers have good isolation. We can run many docker containers on one server.
Although a server can run many docker containers, these containers share the CPU and memory resources of a server. If the containers are allowed to use resources at will, it is likely that some containers occupy too many resources and other containers cannot operate normally.
Based on this consideration, docker provides the function of controlling container resources, which is realized by using cgroups of Linux.
Next, let’s learn about and experiment with cgroups in Linux.

Cggroup introduction

Cggroups, the abbreviation of control groups, is used to limit, control and separate the resources of a process group, such as CPU, memory, disk, network IO, etc. it is a Linux kernel function for grouping and managing any process.
The main purpose is to provide a unified interface for resource management at different user levels.

Functions and subsystems


Cggroups provides four functions:

  • Resource limit: cggroups can limit the total amount of resources required by a task. For example, set the maximum memory used by the task when running. Once it is exceeded, send oom.
  • Priority allocation: the number of CPU time slices and disk IO bandwidth allocated are actually equivalent to controlling the priority of task operation.
  • Resource statistics: cggroups can count the resource usage of the system, such as CPU usage, memory usage, etc.
  • Task control: cgroups can suspend and resume tasks.

    A task represents a process or thread of the operating system.


Subsystem, in English, is the resource scheduling controller (also known as controllers) in cgroups.
We execute it under the Linux consolecat /proc/cgroupsYou can view the subsystems supported by the current system,

Cgroups of docker Technology Foundation

  • Cpuset: allocate independent CPU (in multi-core system) and memory nodes for tasks in cgroups.
  • CPU: limit the allocation of CPU time slices, which are mounted in the same directory as cpuacct.
  • Cpuacct: generates a report on CPU resources occupied by tasks in cgroups, which is mounted in the same directory as the CPU.
  • Blkio: limit the IO of block devices.
  • Memory: limits the available memory of tasks in cgroups and automatically generates a resource usage report.
  • Devices: allow or prohibit tasks in cgroups from accessing devices.
  • Freezer: pause / resume tasks in cgroups.
  • net_ CLS: network packets are marked with a class ID, which allows the Linux traffic controller (TC instruction) to recognize packets from specific cgroups tasks and restrict the network.
  • perf_event:
  • net_ Prio: allows setting the priority of network traffic based on cgroups.
  • Hugetlb: limit the number of memory pages used.
  • PIDs: limit the number of tasks.

usage method

The operation interface exposed by cgroups to users is the file system, that is, it is organized in the form of files and directories/sys/fs/cgroup/Directory. We execute it under the Linux consolemount -t cgroupCan view.

Cgroups of docker Technology Foundation
As you can see, each subsystem is/sys/fs/cgroup/There are corresponding directories under the directory.
Let’s take a look at the CPU subsystem and execute it on the consolels /sys/fs/cgroup/cpu/
Cgroups of docker Technology Foundation
Where, CPU cfs_ period_ Us and CPU cfs_ quota_ Us these two parameters should be used in combination and can be used to limit the length of the process to CPU cfs_ period_ Us can only be allocated to a total of CPU cfs_ quota_ CPU time of us.

Next, let’s experiment.

1. Execute on the consolemkdir -p /sys/fs/cgroup/cpu/container, view the container directory

Cgroups of docker Technology Foundation
You can see that the system automatically creates a CPU in the container cfs_ period_ Us and CPU cfs_ quota_ Us, etc.

2. Execute on the consolephp loop.php &,loop. The code in PHP is as follows


while (true) {

Generally, this dead loop will occupy 100% of the CPU. Let’s execute the top instruction and have a look
Cgroups of docker Technology Foundation
You can see that the CPU utilization has reached 100%.

3. Limit the CPU used by the process

Let’s check the CPU in the container directory cfs_ quota_ Us and CPU cfs_ period_ us,
Cgroups of docker Technology Foundation
As you can see, the output values are – 1 and 100000 (100ms) respectively, indicating that there are no restrictions on the CPU in the container control group.
Next, the CPU cfs_ quota_ Write 20000 US files (20ms) and 27667 tasks at the same time
Cgroups of docker Technology Foundation
Combined with CPU cfs_ period_ The value of us indicates that the process limited by the control group can only use 20ms CPU every 100ms, that is, the CPU occupancy rate is 20%.
Cgroups of docker Technology Foundation


In this article, we briefly introduce

  • What are cgroups
  • Usage scenarios of cggroups
  • Functions and subsystems of cggroups
  • A small experiment of cgroups

reference resources

  1. wikipedia cgroups
  2. Introduction to Linux cgroups

This work adoptsCC agreement, reprint must indicate the author and the link to this article