From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: Wolfgang Bumiller <w.bumiller@proxmox.com>
Cc: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH docs] pct: add short cgroup section
Date: Mon, 28 Jun 2021 12:38:20 +0200
Message-ID: <20210628123820.790bd491@rosa.proxmox.com>
In-Reply-To: <20210628100959.132195-1-w.bumiller@proxmox.com>

Thanks for the patch!
some minor nits inline (feel free to take or leave them):

On Mon, 28 Jun 2021 12:09:59 +0200
Wolfgang Bumiller <w.bumiller@proxmox.com> wrote:
> Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
> ---
> pct.adoc | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 48 insertions(+), 1 deletion(-)
>
> diff --git a/pct.adoc b/pct.adoc
> index 0c90106..28bde7f 100644
> --- a/pct.adoc
> +++ b/pct.adoc
> @@ -484,7 +484,52 @@ lxc.apparmor.profile = unconfined
> WARNING: Please note that this is not recommended for production use.
>
>
> -// TODO: describe cgroups + seccomp a bit more.
> +[[pct_cgroup]]
> +Control Groups ('cgroup')
> +~~~~~~~~~~~~~~~~~~~~~~~~~
> +
> +'cgroup' is a kernel
> +mechanism used to hierarchically organize processes and distribute system
> +resources.
> +
> +The main resources controlled via 'cgroups' are CPU time, memory and swap
> +limits, and access to device nodes. They are also used to "freeze" a container
> +before taking snapshots.
stumbled while reading - was not sure what 'They' referred to (resources
or cgroups). - maybe:
Additionally cgroups provide the interface to "freeze"...
> +
> +There are 2 versions if 'cgroups' currently available,
s/if/of/
> +https://www.kernel.org/doc/html/v5.11/admin-guide/cgroup-v1/index.html[legacy]
> +and
> +https://www.kernel.org/doc/html/v5.11/admin-guide/cgroup-v2.html['cgroupv2'].
> +
> +Since {pve} 7.0, the default will be a pure 'cgroupv2' environment. Previously a
Since ... _is_ a
> +"hybrid" setup was used, where resource control was mainly done in 'cgroupv1'
> +with an additional 'cgroupv2' controller which could take over some subsystems
> +via the 'cgroup_no_v1' kernel command line parameter. (See the
> +https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html[kernel
> +parameter documentation] for details.)
> +
> +The main difference with a pure 'cgroupv2' system regarding {pve} is that memory
s/with/to/
> +and swap are no controlled independently, making these options in the container
s/no/not/
> +configuration feel more natural.
In what way more natural?
> +
> +Another important difference is the way the 'devices' controller works, which is
> +completely differenty, and for now, file system quotas cannot be supported in a
s/differenty/different/
s/cannot/are/
> +pure 'cgroupv2' environment.
> +
> +If file system quotas are not required and the containers are new enough to
> +understand 'cgroupv2', it is recommended to stick to the new default.
> +
> +To switch back to the previous version the following kernel command line
> +parameter can be used:
> +
> +----
> +systemd.unified_cgroup_hierarchy=0
> +----
> +
> +See xref:sysboot_edit_kernel_cmdline[this section] on editing the kernel boot
> +command line on where to add the parameter.
> +
> +// TODO: seccomp a bit more.
> // TODO: pve-lxc-syscalld
>
>
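Review bot: The paragraph on the 'devices' controller says only that it works "completely differenty" and never tells the admin what that means for a container's device access, even though access to device nodes is one of the resources this section lists as controlled via cgroups. Suggest adding a sentence on whether device restrictions from the container configuration are enforced the same way in a pure 'cgroupv2' environment, or a pointer to where that is documented. Two smaller points in the same hunk: "new enough to understand 'cgroupv2'" gives the reader no way to check a given container, and the two cgroup links are pinned to v5.11 while the kernel-parameters link points at "latest", so one scheme should be picked.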
> @@ -603,6 +648,8 @@ Using Quotas Inside Containers
> Quotas allow to set limits inside a container for the amount of disk space that
> each user can use.
>
> +NOTE: This currently requires the use of legacy 'cgroups'.
> +
> NOTE: This only works on ext4 image based storage types and currently only
> works with privileged containers.
>
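Review bot: The added NOTE says quotas require "legacy 'cgroups'", but the new section describes the pre-7.0 setup as "hybrid" and uses "legacy" only as the link text for cgroup v1, so it is unclear which mode the reader has to boot into. Suggest using the same term as the section and linking to it via xref:pct_cgroup[...] so the reader lands on the systemd.unified_cgroup_hierarchy=0 instructions.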
Apart from the small typos:
Reviewed-By: Stoiko Ivanov <s.ivanov@proxmox.com>