Key Knowledge Areas:

  • Understand and configure ulimits
  • Understand cgroups, including classes, limits and accounting
  • Manage cgroups and process cgroup association
  • Understand systemd slices, scopes and services
  • Use systemd units to limit the system resources processes can consume
  • Awareness of cgmanager and libcgroup utilities

Partial list of the used files, terms and utilities:

  • ulimit
  • /etc/security/limits.conf
  • pam_limits.so
  • /sys/fs/cgroup/
  • /proc/cgroups
  • systemd-cgls
  • systemd-cgtop

Files

/etc/security/limits.conf

configuration file for the pam_limits module

/sys/fs/cgroup/

mountpoint for cgroupfs virtual file system

/proc/cgroups

overview of cgroups (v1)

Utilities

ulimit

Provides control over the resources available to the shell and to processes started by it, on systems that allow such control. The -H and -S options specify that the hard or soft limit is set for the given resource. A hard limit cannot be increased by a non-root user once it is set; a soft limit may be increased up to the value of the hard limit. If neither is specified, both the soft and hard limits are set.
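The soft/hard semantics described above, as an added example that is not part of the original notes: each function changes the open-files limit (`ulimit -n`) inside a subshell, so the calling shell keeps its own limits. The values 64, 32, 65 and 128 are arbitrary and assume the inherited hard limit is at least 64.

```shell
#!/bin/sh
# Added example (not from the original notes): soft vs. hard limit on open files.
# Each experiment runs in a subshell; the limits of the calling shell never change.
# Assumption: the inherited hard limit for open files is >= 64.

# Neither -H nor -S given: both limits are set. Prints "soft hard".
set_both() {
  ( ulimit -n 64 && echo "$(ulimit -Sn) $(ulimit -Hn)" )
}

# Lower only the soft limit, then raise it back up to the hard limit.
# Prints the final soft limit.
raise_soft_to_hard() {
  ( ulimit -n 64 && ulimit -Sn 32 && ulimit -Sn 64 && ulimit -Sn )
}

# A soft limit above the hard limit is invalid for every user, root included.
# Prints "rejected" or "accepted".
soft_above_hard() {
  ( ulimit -n 64 || exit 1
    if ulimit -Sn 65 2>/dev/null; then echo accepted; else echo rejected; fi )
}

# Raising a hard limit after it was lowered: refused for a non-root user,
# allowed for root (a process holding CAP_SYS_RESOURCE).
raise_hard() {
  ( ulimit -n 64 || exit 1
    if ulimit -Hn 128 2>/dev/null; then echo accepted; else echo rejected; fi )
}

echo "ulimit -n 64 (soft hard):      $(set_both)"
echo "soft 32 -> 64 (up to hard):    $(raise_soft_to_hard)"
echo "soft 65 with hard 64:          $(soft_above_hard)"
echo "hard 64 -> 128 as uid $(id -u): $(raise_hard)"
```
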

pam_limits.so

The pam_limits.so module applies ulimit limits, nice priority and a limit on the number of simultaneous login sessions to user login sessions.

systemd-cgls

recursively show control group contents

systemd-cgtop

show top control groups by their resource usage

Notes

systemd

slice

A slice unit is a concept for hierarchically managing resources of a group of processes. This management is performed by creating a node in the Linux Control Group (cgroup) tree. Units that manage processes (primarily scope and service units) may be assigned to a specific slice. For each slice, certain resource limits may be set that apply to all processes of all units contained in that slice.

scope

The main purpose of scope units is grouping worker processes of a system service for organization and for managing resources.

Scope units are not configured via unit configuration files, but are only created programmatically using the bus interfaces of systemd. They are named similarly to filenames.

service

A unit configuration file whose name ends in “.service” encodes information about a process controlled and supervised by systemd.

cgmanager

CGManager is a central privileged daemon that manages all your cgroups for you through a simple D-Bus API. It’s designed to work with nested LXC containers as well as accepting unprivileged requests including resolving user namespaces UIDs/GIDs.

It has now been deprecated in favor of the CGroup namespace in recent Linux kernels. On older kernels, LXCFS still offers a cgroupfs emulation that can be used instead of CGManager and is more widely compatible with existing userspace.

libcgroup

library to interface with cgroups