1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
|
.TH CGCONFIG.CONF 5
.\"***********************************
.SH NAME
cgconfig.conf \- libcgroup configuration file
.\"***********************************
.SH DESCRIPTION
.B "cgconfig.conf"
is the configuration file used by
.B libcgroup
to define control groups, their parameters and also mount points.
The file consists of
.I mount
and
.I group
sections.
These sections can be in arbitrary order.
Any line starting with '#' is considered as comment line and is
ignored.
.LP
.I mount
section has the form:
.RS
.nf
.ft B
.sp
mount {
.RS
.ft B
<controller> = <path>;
.I "..."
.RE
.ft B
}
.ft R
.fi
.RE
.TP
.B controller
Name of kernel subsystem. List of subsystems supported by kernel
can be found in
.I /proc/cgroups
file.
.B Libcgroup
merges all subsystems mounted to the same directory (see
Example 1) and the directory is mounted only once.
.TP
.B path
The directory path, where group hierarchy associated to given
controller, shall be mounted. The directory is created
automatically on cgconfig service startup if it does not exist and
is deleted on service shutdown.
.LP
.I group
section has the form:
.RS
.nf
.ft B
.sp
group <name> {
.RS
.ft B
[permissions]
<controller> {
.RS
.ft B
<param name> = <param value>;
.I "..."
.RE
.ft B
}
.I "..."
.RE
.ft B
}
.ft R
.fi
.RE
.TP
.B name
Name of the control group. It can contain only characters, which are
allowed for directory names.
The groups form a tree, i.e. a control group can contain zero or more
subgroups. Subgroups can be specified using '/' delimiter.
The root control group is always created automatically in all hierarchies
and it is the base of the group hierarchy. It can be explicitly specified in
.B cgconfig.conf
file by using '.' as group name. This can be used e.g. to set its permissions,
as shown in Example 5.
When the parent control group of a subgroup is not specified,
then it is created automatically.
.TP
.B permissions
Permissions of the given control group on mounted filesystem.
.I root
has always permission to do anything with the control group.
Permissions have the following syntax:
.RS 17
.ft B
.nf
perm {
.RS
.ft B
task {
.RS
.ft B
uid = <task user>;
gid = <task group>;
.RE
}
admin {
.RS
uid = <admin name>;
gid = <admin group>;
.RE
}
.RE
}
.fi
.RE
.ft R
.RS
.TP 17
.B "task user/group"
Name of the user and the group, which owns
.I tasks
file of the control group. I.e. this user and members of this
group has write access to the file.
.TP 17
.B "admin user/group"
Name of the user and the group, which owns the rest of control group's
files. These users are allowed to set subsystem
parameters and create subgroups.
.LP
Permissions are related only to enclosing control group and are not
inherited by subgroups. If there is no
.B perm
section in control group definition,
.I root:root
is owner of all files.
.RE
.TP
.B controller
Name of the kernel subsystem.
The section can be
empty, default kernel parameters will be used in this case. By
specifying
.B controller
the control group and all its parents are controlled by the specific
subsystem. One control group can be controlled by multiple subsystems,
even if the subsystems are mounted to different directories. Each
control group must be controlled by at least one subsystem, so
.B libcgroup
knows, in which hierarchies the control group should be created.
The parameters of given controller can be modified in following section
enclosed in brackets.
.RS
.TP
.B param name
Name of the file to set. Each controller can have zero or more
parameters.
.TP
.B param value
Value, which should be written to the file when the control group is
created.
.RE
.\"********************************************"
.SH EXAMPLES
.LP
.SS Example 1
.LP
The configuration file:
.LP
.RS
.nf
mount {
.RS
cpu = /mnt/cgroups/cpu;
cpuacct = /mnt/cgroups/cpu;
.RE
}
.fi
.RE
creates the hierarchy controlled by two subsystems, with no groups
inside. It corresponds to following operations:
.LP
.RS
.nf
mkdir /mnt/cgroups/cpu
mount -t cgroup -o cpu,cpuacct cpu /mnt/cgroups/cpu
.fi
.RE
.SS Example 2
.LP
The configuration file:
.LP
.RS
.nf
mount {
.RS
cpu = /mnt/cgroups/cpu;
cpuacct = /mnt/cgroups/cpu;
.RE
}
group daemons/www {
.RS
perm {
.RS
task {
.RS
uid = root;
gid = webmaster;
.RE
}
admin {
.RS
uid = root;
gid = root;
.RE
}
.RE
}
cpu {
.RS
cpu.shares = 1000;
.RE
}
.RE
}
group daemons/ftp {
.RS
perm {
.RS
task {
.RS
uid = root;
gid = ftpmaster;
.RE
}
admin {
.RS
uid = root;
gid = root;
.RE
}
.RE
}
cpu {
.RS
cpu.shares = 500;
.RE
}
.RE
}
.RE
.fi
creates the hierarchy controlled by two subsystems with one group and
two subgroups inside, setting one parameter.
It corresponds to following operations:
.LP
.RS
.nf
mkdir /mnt/cgroups/cpu
mount -t cgroup -o cpu,cpuacct cpu /mnt/cgroups/cpu
mkdir /mnt/cgroups/cpu/daemons
mkdir /mnt/cgroups/cpu/daemons/www
chown root:root /mnt/cgroups/cpu/daemons/www/*
chown root:webmaster /mnt/cgroups/cpu/daemons/www/tasks
echo 1000 > /mnt/cgroups/cpu/daemons/www/cpu.shares
mkdir /mnt/cgroups/cpu/daemons/ftp
chown root:root /mnt/cgroups/cpu/daemons/ftp/*
chown root:ftpmaster /mnt/cgroups/cpu/daemons/ftp/tasks
echo 500 > /mnt/cgroups/cpu/daemons/ftp/cpu.shares
.fi
.RE
The
.I daemons
group is created automatically when its first subgroup is
created. All its parameters have the default value and only root can
access group's files.
.LP
Since both
.I cpuacct
and
.I cpu
subsystems are mounted to the same directory, all
groups are implicitly controlled also by
.I cpuacct
subsystem, even if there is no
.I cpuacct
section in any of the groups.
.RE
.SS Example 3
.LP
The configuration file:
.LP
.RS
.nf
mount {
.RS
cpu = /mnt/cgroups/cpu;
cpuacct = /mnt/cgroups/cpuacct;
.RE
}
group daemons {
.RS
cpuacct{
}
cpu {
}
.RE
}
.fi
.RE
creates two hierarchies and one common group in both of them.
It corresponds to following operations:
.LP
.RS
.nf
mkdir /mnt/cgroups/cpu
mkdir /mnt/cgroups/cpuacct
mount -t cgroup -o cpu cpu /mnt/cgroups/cpu
mount -t cgroup -o cpuacct cpuacct /mnt/cgroups/cpuacct
mkdir /mnt/cgroups/cpu/daemons
mkdir /mnt/cgroups/cpuacct/daemons
.fi
.RE
In fact there are two groups created. One in
.I cpuacct
hierarchy, the second in
.I cpu
hierarchy. These two groups have nothing in common and can
contain different subgroups and different tasks.
.SS Example 4
.LP
The configuration file:
.LP
.RS
.nf
mount {
.RS
cpu = /mnt/cgroups/cpu;
cpuacct = /mnt/cgroups/cpuacct;
.RE
}
group daemons {
.RS
cpuacct{
}
.RE
}
group daemons/www {
.RS
cpu {
.RS
cpu.shares = 1000;
.RE
}
.RE
}
group daemons/ftp {
.RS
cpu {
.RS
cpu.shares = 500;
.RE
}
.RE
}
.fi
.RE
creates two hierarchies with few groups inside. One of groups
is created in both hierarchies.
It corresponds to following operations:
.LP
.RS
.nf
mkdir /mnt/cgroups/cpu
mkdir /mnt/cgroups/cpuacct
mount -t cgroup -o cpu cpu /mnt/cgroups/cpu
mount -t cgroup -o cpuacct cpuacct /mnt/cgroups/cpuacct
mkdir /mnt/cgroups/cpuacct/daemons
mkdir /mnt/cgroups/cpu/daemons
mkdir /mnt/cgroups/cpu/daemons/www
mkdir /mnt/cgroups/cpu/daemons/ftp
.fi
.RE
Group
.I daemons
is created in both hierarchies. In
.I cpuacct
hierarchy the group is explicitly mentioned in the configuration
file. In
.I cpu
hierarchy is the group created implicitly when
.I www
is created there. These two groups have nothing in common, for example
they do not share processes and subgroups. Groups
.I www
and
.I ftp
are created only in
.I cpu
hierarchy and are not controlled by
.I cpuacct
subsystem.
.SS Example 5
.LP
The configuration file:
.LP
.RS
.nf
mount {
.RS
cpu = /mnt/cgroups/cpu;
cpuacct = /mnt/cgroups/cpu;
.RE
}
group . {
.RS
perm {
.RS
task {
.RS
uid = root;
gid = operator;
.RE
}
admin {
.RS
uid = root;
gid = operator;
.RE
}
.RE
}
cpu {
}
.RE
}
group daemons {
.RS
perm {
.RS
task {
.RS
uid = root;
gid = daemonmaster;
.RE
}
admin {
.RS
uid = root;
gid = operator;
.RE
}
.RE
}
cpu {
}
.RE
}
.RE
.fi
creates the hierarchy controlled by two subsystems with one group with some
special permissions.
It corresponds to following operations:
.LP
.RS
.nf
mkdir /mnt/cgroups/cpu
mount -t cgroup -o cpu,cpuacct cpu /mnt/cgroups/cpu
chown root:operator /mnt/cgroups/cpu/*
chown root:operator /mnt/cgroups/cpu/tasks
mkdir /mnt/cgroups/cpu/daemons
chown root:operator /mnt/cgroups/cpu/daemons/*
chown root:daemonmaster /mnt/cgroups/cpu/daemons/tasks
.fi
.RE
Users, which are members of the
.I operator
group are allowed to administer the control groups, i.e. create new control
groups and can move processes between these groups without having root
privileges.
Members of
.I daemonmaster
group can move processes to
.I daemons
control group, but they can not move the process out of the group. Only
.I operator
or root can do that.
.SH RECOMMENDATIONS
.SS Keep hierarchies separated
Having multiple hierarchies is perfectly valid and can be useful
in various scenarios. To keeps things clean, do not
create one group in multiple hierarchies. Examples 3 and 4 shows,
how unreadable and confusing it can be, especially when reading
somebody others configuration file.
.SS Explicit is better than implicit
.B libcgroup
can implicitly create groups which are needed for creation of
configured subgroups. This may be useful and save some typing in
simple scenarios. When it comes to multiple hierarchies, it's
better to explicitly specify all groups and all controllers
related to them.
.SH FILES
.LP
.PD .1v
.TP 20
.B /etc/cgconfig.conf
.TP
default libcgroup configuration file
.PD
.SH SEE ALSO
To be defined...
.SH BUGS
Parameter values can be only single string without spaces.
Parsing of quoted strings is not implemented.
.SH
|
