What does cgroups provider over ulimit

cgroupsulimit

Why were cgroups created when the setrlimit and getrlimit system calls already existed?

I thought it might be that rlimit only applies to a single process, but the man page states:

Limits on the consumption of system resources by the current process and
each process it creates may be obtained with the getrlimit() call, and
set with the setrlimit() call.

It seems to me that if we wanted to control the resource usage of a group of processes, we could just set the limits in a parent process (possibly a shell) and those limits would be enforced in all child processes.

Clearly I'm missing some crucial difference between the two mechanisms, but I couldn't find the answer I was looking for.

Best Answer

This specific wording seems to be mostly used in the *BSD version of setrlimit.

Other versions of setrlimit (2) state

NOTES

A child process created via fork(2) inherits its parent's resource limits. Resource limits are preserved across execve(2).

Resource limits are per-process attributes that are shared by all of the threads in a process.

I think this more clearly shows, that a limit of 2 GiB main memory applies to a single process (and its threads). And a child process of this process inherits also a limit of 2 GiB main memory, but this is 2 GiB for its own usage.

In other words, each process would have a limit of 2 GiB, and together they could consume up to 4 GiB of main memory.

On the other side, the man page for cgroups - Linux control groups says

Various subsystems have been implemented, making it possible to do things such as limiting the amount of CPU time and memory available to a cgroup, accounting for the CPU time used by a cgroup, and freezing and resuming execution of the processes in a cgroup.

So, control groups allow to limit resources over a group of processes.

Limiting the main memory to 2 GiB for a group containing 3 processes, means the main memory used by all 3 processes together may not exceed 2 GiB.

Related Solutions

Simplest possible secure sandboxing (limited resources needed)

Yes, you can use cgroups and SELinux/AppArmor exclusively to monitor and control the arbitrary code that you will execute.

With cgroups, you can do the following:

Limit CPU core usage to 1 CPU with the cpuset subsystem
Set memory usage limits with the memory subsystem, tracking even the forks. See https://github.com/gsauthof/cgmemtime for an example.
Prevent network access to anything that isn't on lo with net_prio subsystem.

And with SELinux/AppArmor, you can limit the process's read/write access.

Note: I am unfamiliar with AppArmor, but it is a Mandatory Access Control (MAC) system, meaning that guarding writing and reading is it's job.

Using these systems is a matter of the writing the proper configurations. Of course, all this is much easier said than done. So here are a few reference links to get you started:

Good Luck!

Linux – Why can’t I crash the system with a fork bomb

You probably have a Linux distro that uses systemd.

Systemd creates a cgroup for each user, and all processes of a user belong to the same cgroup.

Cgroups is a Linux mechanism to set limits on system resources like max number of processes, CPU cycles, RAM usage, etc. This is a different, more modern, layer of resource limiting than ulimit (which uses the getrlimit() syscall).

If you run systemctl status user-<uid>.slice (which represents the user's cgroup), you can see the current and maximum number of tasks (processes and threads) that is allowed within that cgroup.

$ systemctl status user-$UID.slice
● user-22001.slice - User Slice of UID 22001
   Loaded: loaded
  Drop-In: /usr/lib/systemd/system/user-.slice.d
           └─10-defaults.conf
   Active: active since Mon 2018-09-10 17:36:35 EEST; 1 weeks 3 days ago
    Tasks: 17 (limit: 10267)
   Memory: 616.7M

By default, the maximum number of tasks that systemd will allow for each user is 33% of the "system-wide maximum" (sysctl kernel.threads-max); this usually amounts to ~10,000 tasks. If you want to change this limit:

In systemd v239 and later, the user default is set via TasksMax= in:
```
/usr/lib/systemd/system/user-.slice.d/10-defaults.conf
```
To adjust the limit for a specific user (which will be applied immediately as well as stored in /etc/systemd/system.control), run:
```
systemctl [--runtime] set-property user-<uid>.slice TasksMax=<value>
```
The usual mechanisms of overriding a unit's settings (such as systemctl edit) can be used here as well, but they will require a reboot. For example, if you want to change the limit for every user, you could create /etc/systemd/system/user-.slice.d/15-limits.conf.
In systemd v238 and earlier, the user default is set via UserTasksMax= in /etc/systemd/logind.conf. Changing the value generally requires a reboot.

More info about this:

man 5 systemd.resource-control
man 5 systemd.slice
man 5 logind.conf
http://0pointer.de/blog/projects/systemd.html (search this page for cgroups)
man 7 cgroups and https://www.kernel.org/doc/Documentation/cgroup-v1/pids.txt
https://en.wikipedia.org/wiki/Cgroups

Best Answer

Related Solutions

Simplest possible secure sandboxing (limited resources needed)

Linux – Why can’t I crash the system with a fork bomb

Related Question