Introduction to Linux Control Groups and Namespaces
Andre Ferraz @deferraz
Luiz Viana @luizxx
Delivery Engineering Team
What is it?
• Basically, a kernel feature that allows you to allocate resources among groups of tasks running on a system.
• Provides a way to hierarchically group and label processes, and to apply resource limits to them.
Resource allocation
• CPU time and scheduling
• System memory / swap area
• Network bandwidth and namespaces
• Block device bandwidth and IOPS
• Device access and isolation
Hierarchy (figure, copyright Red Hat Inc.)
Relationship (figure, copyright Red Hat Inc.)
Implications
• Because a task can belong to only a single cgroup per hierarchy, there is only one way it can be limited or affected by any single subsystem. This is logical: a feature, not a limitation.
• You can group several subsystems together so that they affect all tasks in a single hierarchy. Because cgroups in that hierarchy have different parameters set, those tasks will be affected differently.
• Conversely, if the need for splitting subsystems among separate hierarchies is reduced, you can remove a hierarchy and attach its subsystems to an existing one.
• The design allows for simple cgroup usage, such as setting a few parameters for specific tasks in a single hierarchy, such as one with just the cpu and memory subsystems attached.
• The design also allows for highly specific configuration: each task (process) on a system could be a member of each hierarchy, each of which has a single attached subsystem. Such a configuration would give the system administrator absolute control over all parameters for every single task.
• If you are limiting the resources of a user, that user will have more processes waiting, and because of this the load average on your server will constantly show higher values.
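The rules on this slide are easier to trust once they are exercised. The following is an added example (written for this page, not code from the deck, from Red Hat or from the kernel): a toy model of cgroup v1 hierarchies in which a subsystem can be attached to only one hierarchy, a task is in exactly one cgroup of each hierarchy, and moving a task therefore removes it from its previous cgroup. The PIDs, hierarchy names and cgroup paths are constructed sample values; the `memberships()` view mirrors what `/proc/<pid>/cgroup` lists on a real host.

```python
"""Added example (not from the slides): a toy model of the cgroup v1 rules
behind the "Implications" slide, so the constraints can be exercised:
  * a subsystem (controller) can be attached to only one hierarchy;
  * in any one hierarchy a task belongs to exactly one cgroup, so moving
    it into a cgroup removes it from the previous one;
  * a task is in every mounted hierarchy at once (in the root cgroup "/"
    until it is moved), which is what /proc/<pid>/cgroup lists.
PIDs and cgroup names below are constructed sample values."""
from dataclasses import dataclass, field


@dataclass
class Hierarchy:
    name: str
    subsystems: frozenset
    # cgroup path -> set of pids; "/" is the root cgroup of the hierarchy
    cgroups: dict = field(default_factory=lambda: {"/": set()})

    def create(self, path: str) -> None:
        if path in self.cgroups:
            raise ValueError(f"{path} already exists in hierarchy {self.name}")
        self.cgroups[path] = set()

    def cgroup_of(self, pid: int) -> str:
        for path, pids in self.cgroups.items():
            if pid in pids:
                return path
        raise KeyError(f"pid {pid} is not tracked in hierarchy {self.name}")

    def move(self, pid: int, path: str) -> None:
        """Equivalent of writing the pid into <cgroup>/tasks: the task leaves
        whatever cgroup of this hierarchy it was in before."""
        self.cgroups[self.cgroup_of(pid)].discard(pid)
        self.cgroups[path].add(pid)


class CgroupSystem:
    def __init__(self) -> None:
        self.hierarchies: dict = {}
        self.pids: set = set()

    def mount(self, name: str, *subsystems: str) -> Hierarchy:
        """Mount a hierarchy with the given subsystems attached.  A subsystem
        already attached elsewhere is rejected, as the kernel would (EBUSY)."""
        attached = {s for h in self.hierarchies.values() for s in h.subsystems}
        clash = attached & set(subsystems)
        if clash:
            raise ValueError(f"subsystems already attached: {sorted(clash)}")
        h = Hierarchy(name, frozenset(subsystems))
        h.cgroups["/"] = set(self.pids)  # existing tasks start in the root cgroup
        self.hierarchies[name] = h
        return h

    def add_task(self, pid: int) -> None:
        """A new task lands in the root cgroup of every mounted hierarchy."""
        self.pids.add(pid)
        for h in self.hierarchies.values():
            h.cgroups["/"].add(pid)

    def memberships(self, pid: int) -> dict:
        """Cgroup of the task in each hierarchy, like /proc/<pid>/cgroup."""
        return {name: h.cgroup_of(pid) for name, h in self.hierarchies.items()}


def demo() -> dict:
    """Build the "simple usage" layout from the slide: one hierarchy with cpu
    and memory attached, a second with blkio, and one task moved twice."""
    system = CgroupSystem()
    cpu_mem = system.mount("cpu_mem", "cpu", "memory")
    system.mount("blkio", "blkio")
    cpu_mem.create("/web")
    cpu_mem.create("/batch")
    system.add_task(1234)
    cpu_mem.move(1234, "/web")
    cpu_mem.move(1234, "/batch")   # leaves /web: one cgroup per hierarchy
    return system.memberships(1234)


if __name__ == "__main__":
    print(demo())   # {'cpu_mem': '/batch', 'blkio': '/'}
```

Trying to mount a second hierarchy with `cpu` attached raises, which is the model's version of the slide's first bullet: a task can only ever be affected by the cpu subsystem through one cgroup.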
Using control groups: the hard way
Using control groups: command line
Using control groups: cgconfig
• The cgconfig service installed with the libcgroup package provides a convenient way to create hierarchies, attach subsystems to them, and manage cgroups within those hierarchies.
• It is recommended that you use cgconfig to manage hierarchies and cgroups on your system.
• The default /etc/cgconfig.conf file installed with the libcgroup package creates and mounts an individual hierarchy for each subsystem, and attaches the subsystems to these hierarchies. The cgconfig service also allows you to create configuration files in the /etc/cgconfig.d/ directory and invoke them from /etc/cgconfig.conf.
• If you stop the cgconfig service (with the stop command), it unmounts all the hierarchies that it mounted.
Configuration example
Using control groups: cgred
• Cgred (the cgrulesengd daemon) is a service that moves tasks into cgroups according to parameters set in the /etc/cgrules.conf file.
• Entries in the /etc/cgrules.conf file can take one of two forms:
  user subsystems control_group
  user:command subsystems control_group
• Group names can be specified by prefixing them with the "@" character.
• More than one subsystem can be specified in a comma-separated list.
• Commands are identified by the process name or the full command path of a process.
Configuration example
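Both configuration-example slides above are images, so here is an added example in Python (not code from the deck or from libcgroup) covering the two files they refer to: it renders a cgconfig.conf `group` stanza from a dict of limits, parses cgrules.conf entries in the two forms listed on the cgred slide, and emulates the first-match walk cgrulesengd performs to decide which cgroup a process lands in. The `%` continuation form follows cgrules.conf(5); group membership is taken from a constructed dict instead of the system group database, and every user, command path and limit value is a sample.

```python
"""Added example (not from the slides or from libcgroup): render a
cgconfig.conf `group` stanza, and emulate how cgrulesengd walks
/etc/cgrules.conf to decide which cgroup a process lands in.  Group
membership comes from a constructed dict rather than the system group
database; every user, command and limit below is a sample value."""
import os


def render_cgconfig_group(name: str, params: dict) -> str:
    """Emit one `group` stanza in /etc/cgconfig.conf syntax;
    params maps subsystem name -> {parameter: value}."""
    lines = [f"group {name} {{"]
    for subsystem, settings in params.items():
        lines.append(f"    {subsystem} {{")
        for key, value in settings.items():
            lines.append(f"        {key} = {value};")
        lines.append("    }")
    lines.append("}")
    return "\n".join(lines) + "\n"


def parse_cgrules(text: str) -> list:
    """Parse `<user>[:<command>] <subsystems> <cgroup>` rules.  '#' starts
    a comment; a '%' in the first column continues the previous rule for
    further subsystems (cgrules.conf(5))."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed rule: {raw!r}")
        who, subsystems, cgroup = fields
        if who == "%":
            if not rules:
                raise ValueError("continuation without a preceding rule")
            who = rules[-1]["who"]
        user, _, command = who.partition(":")
        rules.append({"who": who, "user": user, "command": command,
                      "subsystems": subsystems.split(","), "cgroup": cgroup})
    return rules


def select_cgroup(rules, user, command, subsystem, groups):
    """First matching rule wins, as in cgrulesengd.  `command` is the
    process's full path; a rule may name the path or just the basename."""
    for rule in rules:
        u = rule["user"]
        if u.startswith("@"):
            user_ok = user in groups.get(u[1:], set())
        else:
            user_ok = u in ("*", user)
        c = rule["command"]
        command_ok = not c or c in (command, os.path.basename(command))
        subsystem_ok = subsystem in rule["subsystems"] or "*" in rule["subsystems"]
        if user_ok and command_ok and subsystem_ok:
            return rule["cgroup"]
    return None


# Constructed sample /etc/cgrules.conf
SAMPLE_RULES = """\
# <user>[:<command>]    <subsystems>    <cgroup>
@students               cpu,memory      students/
%                       blkio           students/io/
alice:/usr/bin/ffmpeg   cpu             media/
alice                   *               staff/
bob:backup              blkio           backup/
"""
# Constructed group database: group name -> members
SAMPLE_GROUPS = {"students": {"carol", "dave"}}
# Constructed limits for the students group (cgconfig.conf parameters)
SAMPLE_LIMITS = {"cpu": {"cpu.shares": "200"},
                 "memory": {"memory.limit_in_bytes": "1G"}}


def demo() -> dict:
    """Where each (user, command, subsystem) triple ends up under SAMPLE_RULES."""
    rules = parse_cgrules(SAMPLE_RULES)
    cases = [("carol", "/usr/bin/python", "memory"),
             ("carol", "/usr/bin/python", "blkio"),
             ("alice", "/usr/bin/ffmpeg", "cpu"),
             ("alice", "/usr/bin/ffmpeg", "memory"),
             ("bob", "/usr/local/bin/backup", "blkio"),
             ("bob", "/bin/sh", "cpu")]
    return {case: select_cgroup(rules, *case, SAMPLE_GROUPS) for case in cases}
```

Rule order matters: alice's ffmpeg is placed in `media/` for the cpu subsystem but falls through to `staff/` for memory, and a process with no matching rule stays where it is (`None`). That is the property to verify when a cgrules.conf is used to confine users, since a broader rule placed earlier silently overrides the narrower one below it.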
Using control groups: reaper
• Reaper allows you to manage groups dynamically on shared multi-user environments.
• Can be extended to work on any environment by creating a function to validate users.
• Entirely written in Python and easy to modify.
• Limit exceptions can be created using the command line interface.
• Does not depend on external agents.
• Uses the standard libcgroup tools available in most Linux distributions.
Available on GitHub: https://github.com/lviana/reaper
Obtaining cgroups information
• Listing controllers
  # lssubsys -m controllers
  # cat /proc/cgroups
• Finding control groups
  # lscgroup
  # lscgroup cpuset:adminusers
• Display parameters
  # cgget -r parameter list_of_cgroups
  # cgget -g cpuset /
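The `cat /proc/cgroups` step above prints a small table; this added example (not from the slides) parses it and derives the two facts an administrator usually wants from `lssubsys -m`: which controllers are co-mounted on the same hierarchy, and which controllers a limit cannot currently rely on because they are disabled or not attached to any v1 hierarchy. The table embedded below is a constructed sample; `read_proc_cgroups()` reads the real file when run on a Linux host.

```python
"""Added example (not from the slides): parse the /proc/cgroups table that
the "Listing controllers" step reads, and derive the same facts an
administrator looks for with lssubsys -m: which controllers share a
hierarchy (co-mounted), and which are disabled or not mounted at all.
The sample table below is constructed; read_proc_cgroups() reads the real
file when run on a Linux host."""

# Constructed sample of /proc/cgroups (tab separated, header starts with '#')
SAMPLE_PROC_CGROUPS = """\
#subsys_name\thierarchy\tnum_cgroups\tenabled
cpuset\t2\t3\t1
cpu\t3\t41\t1
cpuacct\t3\t41\t1
memory\t9\t72\t1
devices\t4\t41\t1
freezer\t7\t3\t1
net_cls\t5\t3\t1
net_prio\t5\t3\t1
hugetlb\t0\t1\t0
pids\t0\t1\t1
"""


def parse_proc_cgroups(text: str) -> list:
    """Return one dict per controller: name, hierarchy id, number of cgroups
    and the enabled flag."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, hierarchy, num_cgroups, enabled = line.split()
        entries.append({"name": name, "hierarchy": int(hierarchy),
                        "num_cgroups": int(num_cgroups),
                        "enabled": enabled == "1"})
    return entries


def mounted_hierarchies(entries: list) -> dict:
    """hierarchy id -> controllers attached to it (the lssubsys -m view).
    Hierarchy 0 means the controller is not attached to any v1 hierarchy
    (unmounted, or handled by cgroup v2), so it is left out."""
    by_id = {}
    for e in entries:
        if e["hierarchy"] != 0:
            by_id.setdefault(e["hierarchy"], []).append(e["name"])
    return by_id


def unavailable_controllers(entries: list) -> dict:
    """Controllers a cgroup limit cannot currently rely on, with the reason."""
    problems = {}
    for e in entries:
        if not e["enabled"]:
            problems[e["name"]] = "disabled (e.g. cgroup_disable= on the kernel command line)"
        elif e["hierarchy"] == 0:
            problems[e["name"]] = "not mounted in any v1 hierarchy"
    return problems


def read_proc_cgroups(path: str = "/proc/cgroups") -> list:
    """Live read; only works on Linux with procfs mounted."""
    with open(path) as fh:
        return parse_proc_cgroups(fh.read())


if __name__ == "__main__":
    entries = parse_proc_cgroups(SAMPLE_PROC_CGROUPS)
    print(mounted_hierarchies(entries))
    print(unavailable_controllers(entries))
```

Checking `unavailable_controllers()` before writing a limit is worth the few lines: a `memory.limit_in_bytes` written into a cgroup whose controller was booted with `cgroup_disable=memory` does nothing, and nothing in cgconfig will tell you.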
Future... Actually, not so future anymore!
Systemd
• System service manager for Linux that provides parallelization capabilities, keeps track of processes using Linux control groups, offers on-demand starting of daemons and implements an elaborate transactional dependency-based service control logic.
• A cgroup is bound to a systemd unit, configurable with a unit file and manageable with systemd's command-line utilities.
• Cgroups in systemd can be transient or persistent.
Transient cgroups
• Using transient cgroups, you can set limits on the resources consumed by a service during its runtime.
• Applications can create transient cgroups dynamically by using API calls to systemd.
• Commands are started directly from the systemd-run process and thus inherit the execution environment of the caller.
• Commands run in scope units are executed synchronously.
Persistent cgroups
• You can assign a persistent cgroup to a systemd service by editing its unit configuration file.
• It can be used to manage services that are started automatically.
• Unit configuration files are available in the /usr/lib/systemd/system/ directory.
• Temporary changes can be set using the systemctl command.
Where the f*ck do I use it?
• Prioritizing database I/O
• Limiting resources available to end users
• Optimizing processor usage
• Controlling network access
• Isolating processes from devices
• Optimizing available physical resources
• Setting network traffic priority
Projects using it
• Linux Containers / LXC (https://linuxcontainers.org/)
• Docker (http://docker.io)
• Apache Mesos (http://mesos.apache.org)
• OpenStack (http://www.openstack.org)
• Locaweb (http://github.com/locaweb)
Namespaces!
Namespaces, what is it?
• Lightweight process isolation
• Processes can have different views of the system than other processes
• Old concept: 1992 in Plan 9 (http://www.cs.bell-labs.com/sys/doc/names.html)
• No hypervisor
• setns() syscall
Namespaces, types
• Mount points / filesystem (MNT) [first created in 2002 by Al Viro]
• Processes (PID)
• Network (NET)
• System V IPC (IPC)
• Hostname (UTS)
• User (UIDs)
Namespaces, flags
Flag            Kernel   Capability required
• CLONE_NEWNS   2.4.19   CAP_SYS_ADMIN
• CLONE_NEWUTS  2.6.19   CAP_SYS_ADMIN
• CLONE_NEWIPC  2.6.19   CAP_SYS_ADMIN
• CLONE_NEWPID  2.6.24   CAP_SYS_ADMIN
• CLONE_NEWNET  2.6.29   CAP_SYS_ADMIN
• CLONE_NEWUSER 3.8      No capability required
Namespaces, syscalls
• clone() - create a new process and namespace
• unshare() - create a new namespace and attach the current process to it
• setns() - join an existing namespace
Namespaces, network ns example
# ip netns add newnet
# ip link add veth0 type veth peer name veth1
# ip link set veth1 netns newnet
# ip netns exec newnet ip link list
# ip netns exec newnet bash
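Whichever of the three syscalls created a namespace, the result is visible from outside through `/proc/<pid>/ns/*`, which is how a defender checks what a process is actually isolated from. This added example (not from the slides) compares those links for two processes: each link reads like `net:[4026531992]`, the bracketed number is the namespace inode, and two processes share a namespace exactly when the inodes match. The flag names come from the flags slide above; the `HOST_NS` and `CONTAINER_NS` inode values are constructed samples, and the live read needs procfs plus permission to inspect the target PID.

```python
"""Added example (not from the slides): tell which namespaces two processes
share by comparing their /proc/<pid>/ns/* links.  Each link reads like
"net:[4026531992]"; the bracketed number is the namespace inode, and two
processes are in the same namespace exactly when the inodes match.  The
HOST_NS / CONTAINER_NS values below are constructed samples; the live
read needs /proc and permission to inspect the target pid."""
import os
import re

NS_TYPES = ("mnt", "uts", "ipc", "pid", "net", "user")

# clone()/unshare() flag that creates each namespace type (from the slide)
NS_FLAG = {"mnt": "CLONE_NEWNS", "uts": "CLONE_NEWUTS", "ipc": "CLONE_NEWIPC",
           "pid": "CLONE_NEWPID", "net": "CLONE_NEWNET", "user": "CLONE_NEWUSER"}

_LINK_RE = re.compile(r"^(?P<type>[a-z_]+):\[(?P<inode>\d+)\]$")


def parse_ns_link(value: str) -> tuple:
    """'net:[4026531992]' -> ('net', 4026531992)."""
    m = _LINK_RE.match(value)
    if not m:
        raise ValueError(f"not a namespace link: {value!r}")
    return m.group("type"), int(m.group("inode"))


def read_namespaces(pid) -> dict:
    """Live read of /proc/<pid>/ns; namespace types the kernel lacks or the
    caller may not inspect are simply absent from the result."""
    found = {}
    for ns in NS_TYPES:
        try:
            link = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            continue
        found[ns] = parse_ns_link(link)[1]
    return found


def namespace_diff(a: dict, b: dict) -> dict:
    """Namespace types in which the two processes differ, mapped to the flag
    that would have been used to create the separation."""
    return {ns: NS_FLAG[ns] for ns in NS_TYPES
            if ns in a and ns in b and a[ns] != b[ns]}


def isolated_from_init(pid) -> list:
    """Which namespaces `pid` does not share with PID 1: empty for an
    ordinary process, several entries for a process inside a container."""
    return sorted(namespace_diff(read_namespaces(pid), read_namespaces(1)))


# Constructed samples: a host process and a process in a typical container
# (new mnt/uts/ipc/pid/net namespaces, but still the initial user namespace).
HOST_NS = {"mnt": 4026531840, "uts": 4026531838, "ipc": 4026531839,
           "pid": 4026531836, "net": 4026531992, "user": 4026531837}
CONTAINER_NS = dict(HOST_NS, mnt=4026532280, uts=4026532281,
                    ipc=4026532282, pid=4026532284, net=4026532287)


if __name__ == "__main__":
    print(namespace_diff(HOST_NS, CONTAINER_NS))
    print(isolated_from_init(os.getpid()))
```

A shell started with the slide's `ip netns exec newnet bash` shows a different `net` inode from PID 1 while every other namespace matches, so `isolated_from_init()` reports just `["net"]` for it. A process that shares the initial `user` namespace with PID 1, as in the `CONTAINER_NS` sample, still holds its capabilities against the host, which is why the flags table's "no capability required" entry for CLONE_NEWUSER matters when judging how isolated a container really is.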
Namespaces, security
CVE-2013-1858: http://lwn.net/Articles/543273/
Namespaces, application server support
• uWSGI got full namespaces support in 1.9/2.0
• Additional isolated filesystems
• You can detach single components to increase isolation
More information: http://uwsgi-docs.readthedocs.org/en/latest/Namespaces.html
References
• https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt
• http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.tree/Documentation/cgroups/
• https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/
• https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/
• http://uwsgi-docs.readthedocs.org/en/latest/Namespaces.html
Questions? Thank you!