TLDR Understanding the new cgroups v2 API by Rami Rosen

Cgroups v2 is a new API designed to make it more suitable for container resource limitation.

pavel trukhanov


There are currently 12 cgroup controllers in cgroups v1.

Reason to redesign is inconsistencies in API and behavior:

…number of inconsistencies and a lot of chaos. For example, when creating subgroups (cgroups within cgroups), several cgroup controllers propagate parameters to their immediate subgroups, while other controllers do not.

Current state:

Cgroups v2 declared non-experimental since kernel 4.5 (March 2016!)

v1 was not removed from the kernel, so, both cgroups v1 and cgroups v2 are enabled by default. You can use a mixture of both of them.

Hint — DON’T!

Systemd uses cgroups for service management, not resource management, many years now — each systemd service is mapped to a separate control group, grouped into three “slices”: system.slice — default place for all system services, the user.slice for all user sessions, and the machine.slice for virtual machines and Linux containers. Each system service resides within it’s own slice inside the system one. Like, `/system.slice/httpd.service`, for example, for Apache.

In cgroups v1, you could assign threads of the same process to different cgroups

Crazy, right?

but this is not possible in cgroups v2.

Thank God!

Not all 12 controllers avail in v2: /sys/fs/cgroup2/cgroup.controllers shows the supported controllers.

The main difference (imho)

  1. In inroups v2, you can only create subgroups in a single hierarchy.
  2. In cgroups v2 you can attach processes only to leaves of the hierarchy. You cannot attach a process to an internal subgroup if it has any controller enabled. The reason behind this rule is that processes in a given subgroup competing for resources with threads attached to its parent group create significant implementation difficulties.
  3. In cgroups v1, a process can belong to many subgroups, if those subgroups are in different hierarchies with different controllers attached. But, because belonging to more than one subgroup made it difficult to disambiguate subgroup membership, in cgroups v2, a process can belong only to a single subgroup.
Just some picture :)

Tldr: an attempt to make it more straight forward, but still awaiting adoption.