528 lines
23 KiB
Plaintext
528 lines
23 KiB
Plaintext
|
|
Cgroup unified hierarchy
|
|
|
|
April, 2014 Tejun Heo <tj@kernel.org>
|
|
|
|
This document describes the changes made by unified hierarchy and
|
|
their rationales. It will eventually be merged into the main cgroup
|
|
documentation.
|
|
|
|
CONTENTS
|
|
|
|
1. Background
|
|
2. Basic Operation
|
|
2-1. Mounting
|
|
2-2. cgroup.subtree_control
|
|
2-3. cgroup.controllers
|
|
3. Structural Constraints
|
|
3-1. Top-down
|
|
3-2. No internal tasks
|
|
4. Delegation
|
|
4-1. Model of delegation
|
|
4-2. Common ancestor rule
|
|
5. Other Changes
|
|
5-1. [Un]populated Notification
|
|
5-2. Other Core Changes
|
|
5-3. Per-Controller Changes
|
|
5-3-1. blkio
|
|
5-3-2. cpuset
|
|
5-3-3. memory
|
|
6. Planned Changes
|
|
6-1. CAP for resource control
|
|
|
|
|
|
1. Background
|
|
|
|
cgroup allows an arbitrary number of hierarchies and each hierarchy
|
|
can host any number of controllers. While this seems to provide a
|
|
high level of flexibility, it isn't quite useful in practice.
|
|
|
|
For example, as there is only one instance of each controller, utility
|
|
type controllers such as freezer which can be useful in all
|
|
hierarchies can only be used in one. The issue is exacerbated by the
|
|
fact that controllers can't be moved around once hierarchies are
|
|
populated. Another issue is that all controllers bound to a hierarchy
|
|
are forced to have exactly the same view of the hierarchy. It isn't
|
|
possible to vary the granularity depending on the specific controller.
|
|
|
|
In practice, these issues heavily limit which controllers can be put
|
|
on the same hierarchy and most configurations resort to putting each
|
|
controller on its own hierarchy. Only closely related ones, such as
|
|
the cpu and cpuacct controllers, make sense to put on the same
|
|
hierarchy. This often means that userland ends up managing multiple
|
|
similar hierarchies repeating the same steps on each hierarchy
|
|
whenever a hierarchy management operation is necessary.
|
|
|
|
Unfortunately, support for multiple hierarchies comes at a steep cost.
|
|
Internal implementation in cgroup core proper is dazzlingly
|
|
complicated but more importantly the support for multiple hierarchies
|
|
restricts how cgroup is used in general and what controllers can do.
|
|
|
|
There's no limit on how many hierarchies there may be, which means
|
|
that a task's cgroup membership can't be described in finite length.
|
|
The key may contain any varying number of entries and is unlimited in
|
|
length, which makes it highly awkward to handle and leads to addition
|
|
of controllers which exist only to identify membership, which in turn
|
|
exacerbates the original problem.
|
|
|
|
Also, as a controller can't have any expectation regarding what shape
|
|
of hierarchies other controllers would be on, each controller has to
|
|
assume that all other controllers are operating on completely
|
|
orthogonal hierarchies. This makes it impossible, or at least very
|
|
cumbersome, for controllers to cooperate with each other.
|
|
|
|
In most use cases, putting controllers on hierarchies which are
|
|
completely orthogonal to each other isn't necessary. What usually is
|
|
called for is the ability to have differing levels of granularity
|
|
depending on the specific controller. In other words, hierarchy may
|
|
be collapsed from leaf towards root when viewed from specific
|
|
controllers. For example, a given configuration might not care about
|
|
how memory is distributed beyond a certain level while still wanting
|
|
to control how CPU cycles are distributed.
|
|
|
|
Unified hierarchy is the next version of cgroup interface. It aims to
|
|
address the aforementioned issues by having more structure while
|
|
retaining enough flexibility for most use cases. Various other
|
|
general and controller-specific interface issues are also addressed in
|
|
the process.
|
|
|
|
|
|
2. Basic Operation
|
|
|
|
2-1. Mounting
|
|
|
|
Currently, unified hierarchy can be mounted with the following mount
|
|
command. Note that this is still under development and scheduled to
|
|
change soon.
|
|
|
|
mount -t cgroup -o __DEVEL__sane_behavior cgroup $MOUNT_POINT
|
|
|
|
All controllers which support the unified hierarchy and are not bound
|
|
to other hierarchies are automatically bound to unified hierarchy and
|
|
show up at the root of it. Controllers which are enabled only in the
|
|
root of unified hierarchy can be bound to other hierarchies. This
|
|
allows mixing unified hierarchy with the traditional multiple
|
|
hierarchies in a fully backward compatible way.
|
|
|
|
For development purposes, the following boot parameter makes all
|
|
controllers to appear on the unified hierarchy whether supported or
|
|
not.
|
|
|
|
cgroup__DEVEL__legacy_files_on_dfl
|
|
|
|
A controller can be moved across hierarchies only after the controller
|
|
is no longer referenced in its current hierarchy. Because per-cgroup
|
|
controller states are destroyed asynchronously and controllers may
|
|
have lingering references, a controller may not show up immediately on
|
|
the unified hierarchy after the final umount of the previous
|
|
hierarchy. Similarly, a controller should be fully disabled to be
|
|
moved out of the unified hierarchy and it may take some time for the
|
|
disabled controller to become available for other hierarchies;
|
|
furthermore, due to dependencies among controllers, other controllers
|
|
may need to be disabled too.
|
|
|
|
While useful for development and manual configurations, dynamically
|
|
moving controllers between the unified and other hierarchies is
|
|
strongly discouraged for production use. It is recommended to decide
|
|
the hierarchies and controller associations before starting using the
|
|
controllers.
|
|
|
|
|
|
2-2. cgroup.subtree_control
|
|
|
|
All cgroups on unified hierarchy have a "cgroup.subtree_control" file
|
|
which governs which controllers are enabled on the children of the
|
|
cgroup. Let's assume a hierarchy like the following.
|
|
|
|
root - A - B - C
|
|
\ D
|
|
|
|
root's "cgroup.subtree_control" file determines which controllers are
|
|
enabled on A. A's on B. B's on C and D. This coincides with the
|
|
fact that controllers on the immediate sub-level are used to
|
|
distribute the resources of the parent. In fact, it's natural to
|
|
assume that resource control knobs of a child belong to its parent.
|
|
Enabling a controller in a "cgroup.subtree_control" file declares that
|
|
distribution of the respective resources of the cgroup will be
|
|
controlled. Note that this means that controller enable states are
|
|
shared among siblings.
|
|
|
|
When read, the file contains a space-separated list of currently
|
|
enabled controllers. A write to the file should contain a
|
|
space-separated list of controllers with '+' or '-' prefixed (without
|
|
the quotes). Controllers prefixed with '+' are enabled and '-'
|
|
disabled. If a controller is listed multiple times, the last entry
|
|
wins. The specific operations are executed atomically - either all
|
|
succeed or fail.
|
|
|
|
|
|
2-3. cgroup.controllers
|
|
|
|
Read-only "cgroup.controllers" file contains a space-separated list of
|
|
controllers which can be enabled in the cgroup's
|
|
"cgroup.subtree_control" file.
|
|
|
|
In the root cgroup, this lists controllers which are not bound to
|
|
other hierarchies and the content changes as controllers are bound to
|
|
and unbound from other hierarchies.
|
|
|
|
In non-root cgroups, the content of this file equals that of the
|
|
parent's "cgroup.subtree_control" file as only controllers enabled
|
|
from the parent can be used in its children.
|
|
|
|
|
|
3. Structural Constraints
|
|
|
|
3-1. Top-down
|
|
|
|
As it doesn't make sense to nest control of an uncontrolled resource,
|
|
all non-root "cgroup.subtree_control" files can only contain
|
|
controllers which are enabled in the parent's "cgroup.subtree_control"
|
|
file. A controller can be enabled only if the parent has the
|
|
controller enabled and a controller can't be disabled if one or more
|
|
children have it enabled.
|
|
|
|
|
|
3-2. No internal tasks
|
|
|
|
One long-standing issue that cgroup faces is the competition between
|
|
tasks belonging to the parent cgroup and its children cgroups. This
|
|
is inherently nasty as two different types of entities compete and
|
|
there is no agreed-upon obvious way to handle it. Different
|
|
controllers are doing different things.
|
|
|
|
The cpu controller considers tasks and cgroups as equivalents and maps
|
|
nice levels to cgroup weights. This works for some cases but falls
|
|
flat when children should be allocated specific ratios of CPU cycles
|
|
and the number of internal tasks fluctuates - the ratios constantly
|
|
change as the number of competing entities fluctuates. There also are
|
|
other issues. The mapping from nice level to weight isn't obvious or
|
|
universal, and there are various other knobs which simply aren't
|
|
available for tasks.
|
|
|
|
The blkio controller implicitly creates a hidden leaf node for each
|
|
cgroup to host the tasks. The hidden leaf has its own copies of all
|
|
the knobs with "leaf_" prefixed. While this allows equivalent control
|
|
over internal tasks, it's with serious drawbacks. It always adds an
|
|
extra layer of nesting which may not be necessary, makes the interface
|
|
messy and significantly complicates the implementation.
|
|
|
|
The memory controller currently doesn't have a way to control what
|
|
happens between internal tasks and child cgroups and the behavior is
|
|
not clearly defined. There have been attempts to add ad-hoc behaviors
|
|
and knobs to tailor the behavior to specific workloads. Continuing
|
|
this direction will lead to problems which will be extremely difficult
|
|
to resolve in the long term.
|
|
|
|
Multiple controllers struggle with internal tasks and came up with
|
|
different ways to deal with it; unfortunately, all the approaches in
|
|
use now are severely flawed and, furthermore, the widely different
|
|
behaviors make cgroup as whole highly inconsistent.
|
|
|
|
It is clear that this is something which needs to be addressed from
|
|
cgroup core proper in a uniform way so that controllers don't need to
|
|
worry about it and cgroup as a whole shows a consistent and logical
|
|
behavior. To achieve that, unified hierarchy enforces the following
|
|
structural constraint:
|
|
|
|
Except for the root, only cgroups which don't contain any task may
|
|
have controllers enabled in their "cgroup.subtree_control" files.
|
|
|
|
Combined with other properties, this guarantees that, when a
|
|
controller is looking at the part of the hierarchy which has it
|
|
enabled, tasks are always only on the leaves. This rules out
|
|
situations where child cgroups compete against internal tasks of the
|
|
parent.
|
|
|
|
There are two things to note. Firstly, the root cgroup is exempt from
|
|
the restriction. Root contains tasks and anonymous resource
|
|
consumption which can't be associated with any other cgroup and
|
|
requires special treatment from most controllers. How resource
|
|
consumption in the root cgroup is governed is up to each controller.
|
|
|
|
Secondly, the restriction doesn't take effect if there is no enabled
|
|
controller in the cgroup's "cgroup.subtree_control" file. This is
|
|
important as otherwise it wouldn't be possible to create children of a
|
|
populated cgroup. To control resource distribution of a cgroup, the
|
|
cgroup must create children and transfer all its tasks to the children
|
|
before enabling controllers in its "cgroup.subtree_control" file.
|
|
|
|
|
|
4. Delegation
|
|
|
|
4-1. Model of delegation
|
|
|
|
A cgroup can be delegated to a less privileged user by granting write
|
|
access of the directory and its "cgroup.procs" file to the user. Note
|
|
that the resource control knobs in a given directory concern the
|
|
resources of the parent and thus must not be delegated along with the
|
|
directory.
|
|
|
|
Once delegated, the user can build sub-hierarchy under the directory,
|
|
organize processes as it sees fit and further distribute the resources
|
|
it got from the parent. The limits and other settings of all resource
|
|
controllers are hierarchical and regardless of what happens in the
|
|
delegated sub-hierarchy, nothing can escape the resource restrictions
|
|
imposed by the parent.
|
|
|
|
Currently, cgroup doesn't impose any restrictions on the number of
|
|
cgroups in or nesting depth of a delegated sub-hierarchy; however,
|
|
this may in the future be limited explicitly.
|
|
|
|
|
|
4-2. Common ancestor rule
|
|
|
|
On the unified hierarchy, to write to a "cgroup.procs" file, in
|
|
addition to the usual write permission to the file and uid match, the
|
|
writer must also have write access to the "cgroup.procs" file of the
|
|
common ancestor of the source and destination cgroups. This prevents
|
|
delegatees from smuggling processes across disjoint sub-hierarchies.
|
|
|
|
Let's say cgroups C0 and C1 have been delegated to user U0 who created
|
|
C00, C01 under C0 and C10 under C1 as follows.
|
|
|
|
~~~~~~~~~~~~~ - C0 - C00
|
|
~ cgroup ~ \ C01
|
|
~ hierarchy ~
|
|
~~~~~~~~~~~~~ - C1 - C10
|
|
|
|
C0 and C1 are separate entities in terms of resource distribution
|
|
regardless of their relative positions in the hierarchy. The
|
|
resources the processes under C0 are entitled to are controlled by
|
|
C0's ancestors and may be completely different from C1. It's clear
|
|
that the intention of delegating C0 to U0 is allowing U0 to organize
|
|
the processes under C0 and further control the distribution of C0's
|
|
resources.
|
|
|
|
On traditional hierarchies, if a task has write access to "tasks" or
|
|
"cgroup.procs" file of a cgroup and its uid agrees with the target, it
|
|
can move the target to the cgroup. In the above example, U0 will not
|
|
only be able to move processes in each sub-hierarchy but also across
|
|
the two sub-hierarchies, effectively allowing it to violate the
|
|
organizational and resource restrictions implied by the hierarchical
|
|
structure above C0 and C1.
|
|
|
|
On the unified hierarchy, let's say U0 wants to write the pid of a
|
|
process which has a matching uid and is currently in C10 into
|
|
"C00/cgroup.procs". U0 obviously has write access to the file and
|
|
migration permission on the process; however, the common ancestor of
|
|
the source cgroup C10 and the destination cgroup C00 is above the
|
|
points of delegation and U0 would not have write access to its
|
|
"cgroup.procs" and thus be denied with -EACCES.
|
|
|
|
|
|
5. Other Changes
|
|
|
|
5-1. [Un]populated Notification
|
|
|
|
cgroup users often need a way to determine when a cgroup's
|
|
subhierarchy becomes empty so that it can be cleaned up. cgroup
|
|
currently provides release_agent for it; unfortunately, this mechanism
|
|
is riddled with issues.
|
|
|
|
- It delivers events by forking and execing a userland binary
|
|
specified as the release_agent. This is a long deprecated method of
|
|
notification delivery. It's extremely heavy, slow and cumbersome to
|
|
integrate with larger infrastructure.
|
|
|
|
- There is single monitoring point at the root. There's no way to
|
|
delegate management of a subtree.
|
|
|
|
- The event isn't recursive. It triggers when a cgroup doesn't have
|
|
any tasks or child cgroups. Events for internal nodes trigger only
|
|
after all children are removed. This again makes it impossible to
|
|
delegate management of a subtree.
|
|
|
|
- Events are filtered from the kernel side. A "notify_on_release"
|
|
file is used to subscribe to or suppress release events. This is
|
|
unnecessarily complicated and probably done this way because event
|
|
delivery itself was expensive.
|
|
|
|
Unified hierarchy implements an interface file "cgroup.populated"
|
|
which can be used to monitor whether the cgroup's subhierarchy has
|
|
tasks in it or not. Its value is 0 if there is no task in the cgroup
|
|
and its descendants; otherwise, 1. poll and [id]notify events are
|
|
triggered when the value changes.
|
|
|
|
This is significantly lighter and simpler and trivially allows
|
|
delegating management of subhierarchy - subhierarchy monitoring can
|
|
block further propagation simply by putting itself or another process
|
|
in the subhierarchy and monitor events that it's interested in from
|
|
there without interfering with monitoring higher in the tree.
|
|
|
|
In unified hierarchy, the release_agent mechanism is no longer
|
|
supported and the interface files "release_agent" and
|
|
"notify_on_release" do not exist.
|
|
|
|
|
|
5-2. Other Core Changes
|
|
|
|
- None of the mount options is allowed.
|
|
|
|
- remount is disallowed.
|
|
|
|
- rename(2) is disallowed.
|
|
|
|
- The "tasks" file is removed. Everything should at process
|
|
granularity. Use the "cgroup.procs" file instead.
|
|
|
|
- The "cgroup.procs" file is not sorted. pids will be unique unless
|
|
they got recycled in-between reads.
|
|
|
|
- The "cgroup.clone_children" file is removed.
|
|
|
|
|
|
5-3. Per-Controller Changes
|
|
|
|
5-3-1. blkio
|
|
|
|
- blk-throttle becomes properly hierarchical.
|
|
|
|
|
|
5-3-2. cpuset
|
|
|
|
- Tasks are kept in empty cpusets after hotplug and take on the masks
|
|
of the nearest non-empty ancestor, instead of being moved to it.
|
|
|
|
- A task can be moved into an empty cpuset, and again it takes on the
|
|
masks of the nearest non-empty ancestor.
|
|
|
|
|
|
5-3-3. memory
|
|
|
|
- use_hierarchy is on by default and the cgroup file for the flag is
|
|
not created.
|
|
|
|
- The original lower boundary, the soft limit, is defined as a limit
|
|
that is per default unset. As a result, the set of cgroups that
|
|
global reclaim prefers is opt-in, rather than opt-out. The costs
|
|
for optimizing these mostly negative lookups are so high that the
|
|
implementation, despite its enormous size, does not even provide the
|
|
basic desirable behavior. First off, the soft limit has no
|
|
hierarchical meaning. All configured groups are organized in a
|
|
global rbtree and treated like equal peers, regardless where they
|
|
are located in the hierarchy. This makes subtree delegation
|
|
impossible. Second, the soft limit reclaim pass is so aggressive
|
|
that it not just introduces high allocation latencies into the
|
|
system, but also impacts system performance due to overreclaim, to
|
|
the point where the feature becomes self-defeating.
|
|
|
|
The memory.low boundary on the other hand is a top-down allocated
|
|
reserve. A cgroup enjoys reclaim protection when it and all its
|
|
ancestors are below their low boundaries, which makes delegation of
|
|
subtrees possible. Secondly, new cgroups have no reserve per
|
|
default and in the common case most cgroups are eligible for the
|
|
preferred reclaim pass. This allows the new low boundary to be
|
|
efficiently implemented with just a minor addition to the generic
|
|
reclaim code, without the need for out-of-band data structures and
|
|
reclaim passes. Because the generic reclaim code considers all
|
|
cgroups except for the ones running low in the preferred first
|
|
reclaim pass, overreclaim of individual groups is eliminated as
|
|
well, resulting in much better overall workload performance.
|
|
|
|
- The original high boundary, the hard limit, is defined as a strict
|
|
limit that can not budge, even if the OOM killer has to be called.
|
|
But this generally goes against the goal of making the most out of
|
|
the available memory. The memory consumption of workloads varies
|
|
during runtime, and that requires users to overcommit. But doing
|
|
that with a strict upper limit requires either a fairly accurate
|
|
prediction of the working set size or adding slack to the limit.
|
|
Since working set size estimation is hard and error prone, and
|
|
getting it wrong results in OOM kills, most users tend to err on the
|
|
side of a looser limit and end up wasting precious resources.
|
|
|
|
The memory.high boundary on the other hand can be set much more
|
|
conservatively. When hit, it throttles allocations by forcing them
|
|
into direct reclaim to work off the excess, but it never invokes the
|
|
OOM killer. As a result, a high boundary that is chosen too
|
|
aggressively will not terminate the processes, but instead it will
|
|
lead to gradual performance degradation. The user can monitor this
|
|
and make corrections until the minimal memory footprint that still
|
|
gives acceptable performance is found.
|
|
|
|
In extreme cases, with many concurrent allocations and a complete
|
|
breakdown of reclaim progress within the group, the high boundary
|
|
can be exceeded. But even then it's mostly better to satisfy the
|
|
allocation from the slack available in other groups or the rest of
|
|
the system than killing the group. Otherwise, memory.max is there
|
|
to limit this type of spillover and ultimately contain buggy or even
|
|
malicious applications.
|
|
|
|
- The original control file names are unwieldy and inconsistent in
|
|
many different ways. For example, the upper boundary hit count is
|
|
exported in the memory.failcnt file, but an OOM event count has to
|
|
be manually counted by listening to memory.oom_control events, and
|
|
lower boundary / soft limit events have to be counted by first
|
|
setting a threshold for that value and then counting those events.
|
|
Also, usage and limit files encode their units in the filename.
|
|
That makes the filenames very long, even though this is not
|
|
information that a user needs to be reminded of every time they type
|
|
out those names.
|
|
|
|
To address these naming issues, as well as to signal clearly that
|
|
the new interface carries a new configuration model, the naming
|
|
conventions in it necessarily differ from the old interface.
|
|
|
|
- The original limit files indicate the state of an unset limit with a
|
|
Very High Number, and a configured limit can be unset by echoing -1
|
|
into those files. But that very high number is implementation and
|
|
architecture dependent and not very descriptive. And while -1 can
|
|
be understood as an underflow into the highest possible value, -2 or
|
|
-10M etc. do not work, so it's not consistent.
|
|
|
|
memory.low, memory.high, and memory.max will use the string "max" to
|
|
indicate and set the highest possible value.
|
|
|
|
6. Planned Changes
|
|
|
|
6-1. CAP for resource control
|
|
|
|
Unified hierarchy will require one of the capabilities(7), which is
|
|
yet to be decided, for all resource control related knobs. Process
|
|
organization operations - creation of sub-cgroups and migration of
|
|
processes in sub-hierarchies may be delegated by changing the
|
|
ownership and/or permissions on the cgroup directory and
|
|
"cgroup.procs" interface file; however, all operations which affect
|
|
resource control - writes to a "cgroup.subtree_control" file or any
|
|
controller-specific knobs - will require an explicit CAP privilege.
|
|
|
|
This, in part, is to prevent the cgroup interface from being
|
|
inadvertently promoted to programmable API used by non-privileged
|
|
binaries. cgroup exposes various aspects of the system in ways which
|
|
aren't properly abstracted for direct consumption by regular programs.
|
|
This is an administration interface much closer to sysctl knobs than
|
|
system calls. Even the basic access model, being filesystem path
|
|
based, isn't suitable for direct consumption. There's no way to
|
|
access "my cgroup" in a race-free way or make multiple operations
|
|
atomic against migration to another cgroup.
|
|
|
|
Another aspect is that, for better or for worse, the cgroup interface
|
|
goes through far less scrutiny than regular interfaces for
|
|
unprivileged userland. The upside is that cgroup is able to expose
|
|
useful features which may not be suitable for general consumption in a
|
|
reasonable time frame. It provides a relatively short path between
|
|
internal details and userland-visible interface. Of course, this
|
|
shortcut comes with high risk. We go through what we go through for
|
|
general kernel APIs for good reasons. It may end up leaking internal
|
|
details in a way which can exert significant pain by locking the
|
|
kernel into a contract that can't be maintained in a reasonable
|
|
manner.
|
|
|
|
Also, due to the specific nature, cgroup and its controllers don't
|
|
tend to attract attention from a wide scope of developers. cgroup's
|
|
short history is already fraught with severely mis-designed
|
|
interfaces, unnecessary commitments to and exposing of internal
|
|
details, broken and dangerous implementations of various features.
|
|
|
|
Keeping cgroup as an administration interface is both advantageous for
|
|
its role and imperative given its nature. Some of the cgroup features
|
|
may make sense for unprivileged access. If deemed justified, those
|
|
must be further abstracted and implemented as a different interface,
|
|
be it a system call or process-private filesystem, and survive through
|
|
the scrutiny that any interface for general consumption is required to
|
|
go through.
|
|
|
|
Requiring CAP is not a complete solution but should serve as a
|
|
significant deterrent against spraying cgroup usages in non-privileged
|
|
programs.
|