From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH docs] pct: add short cgroup section
Date: Mon, 28 Jun 2021 12:09:59 +0200
Message-ID: <20210628100959.132195-1-w.bumiller@proxmox.com>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
pct.adoc | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 48 insertions(+), 1 deletion(-)
diff --git a/pct.adoc b/pct.adoc
index 0c90106..28bde7f 100644
--- a/pct.adoc
+++ b/pct.adoc
@@ -484,7 +484,52 @@ lxc.apparmor.profile = unconfined
WARNING: Please note that this is not recommended for production use.
-// TODO: describe cgroups + seccomp a bit more.
+[[pct_cgroup]]
+Control Groups ('cgroup')
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+'cgroup' is a kernel
+mechanism used to hierarchically organize processes and distribute system
+resources.
+
+The main resources controlled via 'cgroups' are CPU time, memory and swap
+limits, and access to device nodes. They are also used to "freeze" a container
+before taking snapshots.
+
+There are 2 versions if 'cgroups' currently available,
+https://www.kernel.org/doc/html/v5.11/admin-guide/cgroup-v1/index.html[legacy]
+and
+https://www.kernel.org/doc/html/v5.11/admin-guide/cgroup-v2.html['cgroupv2'].
+
+Since {pve} 7.0, the default will be a pure 'cgroupv2' environment. Previously a
+"hybrid" setup was used, where resource control was mainly done in 'cgroupv1'
+with an additional 'cgroupv2' controller which could take over some subsystems
+via the 'cgroup_no_v1' kernel command line parameter. (See the
+https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html[kernel
+parameter documentation] for details.)
+
+The main difference with a pure 'cgroupv2' system regarding {pve} is that memory
+and swap are no controlled independently, making these options in the container
+configuration feel more natural.
+
+Another important difference is the way the 'devices' controller works, which is
+completely differenty, and for now, file system quotas cannot be supported in a
+pure 'cgroupv2' environment.
+
+If file system quotas are not required and the containers are new enough to
+understand 'cgroupv2', it is recommended to stick to the new default.
+
+To switch back to the previous version the following kernel command line
+parameter can be used:
+
+----
+systemd.unified_cgroup_hierarchy=0
+----
+
+See xref:sysboot_edit_kernel_cmdline[this section] on editing the kernel boot
+command line on where to add the parameter.
+
+// TODO: seccomp a bit more.
// TODO: pve-lxc-syscalld
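Review bot: Three typos in the added section need fixing: "There are 2 versions if 'cgroups'" should read "of", "memory and swap are no controlled independently" should read "now", and "completely differenty" should read "different". "Since {pve} 7.0, the default will be" also mixes tenses; "is" reads better. Beyond wording, the 'devices' paragraph only states that the controller works differently without saying what changes. Since the section lists access to device nodes as one of the main resources controlled via 'cgroups', a sentence on what an admin has to do differently for device access in a pure 'cgroupv2' environment would make the paragraph actionable.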
@@ -603,6 +648,8 @@ Using Quotas Inside Containers
Quotas allow to set limits inside a container for the amount of disk space that
each user can use.
+NOTE: This currently requires the use of legacy 'cgroups'.
+
NOTE: This only works on ext4 image based storage types and currently only
works with privileged containers.
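Review bot: The new NOTE in "Using Quotas Inside Containers" says legacy 'cgroups' are required but gives the reader no pointer on how to get there. Link it to the section added in the first hunk via xref:pct_cgroup[...], which documents systemd.unified_cgroup_hierarchy=0. Consider folding it into the following NOTE so that all quota prerequisites (legacy 'cgroups', ext4 image based storage, privileged containers) are stated in one place.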
--
2.30.2