City College of San Francisco - CS260A Linux System Administration Module: Processes
Many of us program in object-oriented languages. This experience
familiarizes us with the concepts of encapsulation and abstraction.
These characteristics are often helpful to think about with respect to
processes as well. On Linux, a group of processes can be organized so
that it is unaware of processes (and users and files and resources)
outside of its group.
We saw in the last section that a process can be limited with
respect to certain resources. This limit, however, has a large upper
bound, and all processes draw from the same pool. This allows a few
processes to eat many system resources. Although you can control
resources and priority on a process-by-process basis, this is
insufficient in the many cases where a task consists of many processes.
In these cases you need to control the resources of the entire group together.
You can accomplish this group control by grouping the processes together into a control group using the cgcreate command. The resources and priority of a control group can be
managed together, and so can the group's processes as a whole - stopping them,
restarting them, killing them. This allows the system to be broken into
groups of processes dedicated to different tasks, each getting a
specified slice of the resource pie, and each getting a base priority.
Control groups are hierarchical - if a process is in a control group and it spawns a second process, that second process is also in the control group. Further, if a subgroup of processes in control group A is grouped into a new control group B, group A is the parent group of group B and group A's resource limits still apply.
Extensions to the basic control group features can isolate the
control group from the rest of the system as well, so that processes in
the control group exist in separate namespaces. This can give them
the illusion of isolation - with their own set of mounted filesystems,
pool of process IDs, users, etc., effectively protecting the rest of the
system from them. This can be enhanced by special SELinux contexts.
Control groups are used in virtualization, to isolate a virtual machine from the rest of the system. They are also used in Linux containers. Of particular importance, systemd uses control groups heavily - in fact, every process on the system is a member of at least one control group set up by systemd. This ensures systemd control over every process on the system.
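Both points above, that nested groups stay under their parent's limits and that every process belongs to a control group, can be inspected through /proc/<pid>/cgroup. The script below is an added example, not part of the original course page; the sample data and the function names (sample_cgroup, cgroup_path, limiting_groups) are constructed for illustration, with groupA and groupB standing in for groups A and B.

```shell
#!/bin/sh
# Added example: the sample below is constructed, not captured from a real host.
# Each line of /proc/<pid>/cgroup is  hierarchy-ID:controller-list:group-path
sample_cgroup() {
cat <<'EOF'
5:cpu,cpuacct:/groupA/groupB
3:memory:/groupA
1:name=systemd:/user.slice/user-1000.slice/session-2.scope
0::/user.slice/user-1000.slice/session-2.scope
EOF
}

# cgroup_path CONTROLLER   (reads /proc/<pid>/cgroup text on stdin)
# Prints the group path for CONTROLLER; pass "" for the cgroup v2 unified line.
cgroup_path() {
    awk -F: -v want="$1" '{
        path = $3
        for (i = 4; i <= NF; i++) path = path ":" $i   # a path may contain ":"
        if (want == "" && $2 == "") { print path; exit }
        n = split($2, ctl, ",")
        for (i = 1; i <= n; i++) if (ctl[i] == want) { print path; exit }
    }'
}

# limiting_groups PATH
# Prints PATH and each ancestor up to the root: limits set on any of these
# groups still apply to a process that sits in PATH.
limiting_groups() {
    p=$1
    while [ -n "$p" ] && [ "$p" != "/" ]; do
        printf '%s\n' "$p"
        p=${p%/*}          # strip the last path component
    done
    printf '/\n'
}

# On a live system: a spawned child reports the same groups as its parent.
if [ -r /proc/self/cgroup ]; then
    mine=$(cat /proc/self/cgroup)
    child=$(sh -c 'cat /proc/self/cgroup')
    if [ "$mine" = "$child" ]; then
        echo "child process is in the same control groups as this shell"
    fi
fi
```

To see which groups can limit a running process, feed its own file through the functions, for example `limiting_groups "$(cgroup_path memory < /proc/$$/cgroup)"`.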
For an introduction to control groups, see the Wikipedia article on cgroups. Also check out the man pages for control groups:
man -k cg | grep '^cg'
This page was made entirely with free software on linux: Kompozer and Openoffice.org