* [pve-devel] [PATCH docs] pct: add short cgroup section
@ 2021-06-28 10:09 Wolfgang Bumiller
2021-06-28 10:38 ` Stoiko Ivanov
0 siblings, 1 reply; 2+ messages in thread
From: Wolfgang Bumiller @ 2021-06-28 10:09 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
pct.adoc | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 48 insertions(+), 1 deletion(-)
diff --git a/pct.adoc b/pct.adoc
index 0c90106..28bde7f 100644
--- a/pct.adoc
+++ b/pct.adoc
@@ -484,7 +484,52 @@ lxc.apparmor.profile = unconfined
WARNING: Please note that this is not recommended for production use.
-// TODO: describe cgroups + seccomp a bit more.
+[[pct_cgroup]]
+Control Groups ('cgroup')
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+'cgroup' is a kernel
+mechanism used to hierarchically organize processes and distribute system
+resources.
+
+The main resources controlled via 'cgroups' are CPU time, memory and swap
+limits, and access to device nodes. They are also used to "freeze" a container
+before taking snapshots.
+
+There are 2 versions if 'cgroups' currently available,
+https://www.kernel.org/doc/html/v5.11/admin-guide/cgroup-v1/index.html[legacy]
+and
+https://www.kernel.org/doc/html/v5.11/admin-guide/cgroup-v2.html['cgroupv2'].
+
+Since {pve} 7.0, the default will be a pure 'cgroupv2' environment. Previously a
+"hybrid" setup was used, where resource control was mainly done in 'cgroupv1'
+with an additional 'cgroupv2' controller which could take over some subsystems
+via the 'cgroup_no_v1' kernel command line parameter. (See the
+https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html[kernel
+parameter documentation] for details.)
+
+The main difference with a pure 'cgroupv2' system regarding {pve} is that memory
+and swap are no controlled independently, making these options in the container
+configuration feel more natural.
+
+Another important difference is the way the 'devices' controller works, which is
+completely differenty, and for now, file system quotas cannot be supported in a
+pure 'cgroupv2' environment.
+
+If file system quotas are not required and the containers are new enough to
+understand 'cgroupv2', it is recommended to stick to the new default.
+
+To switch back to the previous version the following kernel command line
+parameter can be used:
+
+----
+systemd.unified_cgroup_hierarchy=0
+----
+
+See xref:sysboot_edit_kernel_cmdline[this section] on editing the kernel boot
+command line on where to add the parameter.
+
+// TODO: seccomp a bit more.
// TODO: pve-lxc-syscalld
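Review bot: In the paragraph on the main difference with a pure 'cgroupv2' system, "memory and swap are no controlled independently" is one letter away from both "now" and "not", and the two readings are opposites. cgroupv2 limits swap through its own setting (memory.swap.max) next to memory.max, where cgroupv1 limited memory plus swap combined (memory.memsw.limit_in_bytes), so "now" is the reading that matches the kernel and the "feel more natural" clause. Please fix the typo and consider adding one sentence on what this changes for the memory and swap options in the container configuration. Smaller points in the same hunk: "2 versions if 'cgroups'" should read "of", "completely differenty" should read "differently", and "the default will be" can be "the default is".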
@@ -603,6 +648,8 @@ Using Quotas Inside Containers
Quotas allow to set limits inside a container for the amount of disk space that
each user can use.
+NOTE: This currently requires the use of legacy 'cgroups'.
+
NOTE: This only works on ext4 image based storage types and currently only
works with privileged containers.
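Review bot: The added NOTE says quotas require legacy 'cgroups' but gives the reader no path to the section that explains how to get there. The first hunk defines the anchor [[pct_cgroup]] and documents systemd.unified_cgroup_hierarchy=0, so link it here, for example "NOTE: This currently requires the use of legacy 'cgroups', see xref:pct_cgroup[Control Groups]." It would also help to settle on one term: the new section uses both "legacy" and 'cgroupv1' for the same thing.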
--
2.30.2
* Re: [pve-devel] [PATCH docs] pct: add short cgroup section
2021-06-28 10:09 [pve-devel] [PATCH docs] pct: add short cgroup section Wolfgang Bumiller
@ 2021-06-28 10:38 ` Stoiko Ivanov
0 siblings, 0 replies; 2+ messages in thread
From: Stoiko Ivanov @ 2021-06-28 10:38 UTC (permalink / raw)
To: Wolfgang Bumiller; +Cc: Proxmox VE development discussion
Thanks for the patch!
some minor nits inline (feel free to take or leave them):
On Mon, 28 Jun 2021 12:09:59 +0200
Wolfgang Bumiller <w.bumiller@proxmox.com> wrote:
> Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
> ---
> pct.adoc | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 48 insertions(+), 1 deletion(-)
>
> diff --git a/pct.adoc b/pct.adoc
> index 0c90106..28bde7f 100644
> --- a/pct.adoc
> +++ b/pct.adoc
> @@ -484,7 +484,52 @@ lxc.apparmor.profile = unconfined
> WARNING: Please note that this is not recommended for production use.
>
>
> -// TODO: describe cgroups + seccomp a bit more.
> +[[pct_cgroup]]
> +Control Groups ('cgroup')
> +~~~~~~~~~~~~~~~~~~~~~~~~~
> +
> +'cgroup' is a kernel
> +mechanism used to hierarchically organize processes and distribute system
> +resources.
> +
> +The main resources controlled via 'cgroups' are CPU time, memory and swap
> +limits, and access to device nodes. They are also used to "freeze" a container
> +before taking snapshots.
stumbled while reading - was not sure what 'They' referred to (resources
or cgroups). - maybe:
Additionally cgroups provide the interface to "freeze"...
> +
> +There are 2 versions if 'cgroups' currently available,
s/if/of/
> +https://www.kernel.org/doc/html/v5.11/admin-guide/cgroup-v1/index.html[legacy]
> +and
> +https://www.kernel.org/doc/html/v5.11/admin-guide/cgroup-v2.html['cgroupv2'].
> +
> +Since {pve} 7.0, the default will be a pure 'cgroupv2' environment. Previously a
Since ... _is_ a
> +"hybrid" setup was used, where resource control was mainly done in 'cgroupv1'
> +with an additional 'cgroupv2' controller which could take over some subsystems
> +via the 'cgroup_no_v1' kernel command line parameter. (See the
> +https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html[kernel
> +parameter documentation] for details.)
> +
> +The main difference with a pure 'cgroupv2' system regarding {pve} is that memory
s/with/to/
> +and swap are no controlled independently, making these options in the container
s/no/not/
> +configuration feel more natural.
In what way more natural?
> +
> +Another important difference is the way the 'devices' controller works, which is
> +completely differenty, and for now, file system quotas cannot be supported in a
s/differenty/different/
s/cannot/are/
> +pure 'cgroupv2' environment.
> +
> +If file system quotas are not required and the containers are new enough to
> +understand 'cgroupv2', it is recommended to stick to the new default.
> +
> +To switch back to the previous version the following kernel command line
> +parameter can be used:
> +
> +----
> +systemd.unified_cgroup_hierarchy=0
> +----
> +
> +See xref:sysboot_edit_kernel_cmdline[this section] on editing the kernel boot
> +command line on where to add the parameter.
> +
> +// TODO: seccomp a bit more.
> // TODO: pve-lxc-syscalld
>
>
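Review bot: The sentence starting "Another important difference is the way the 'devices' controller works" joins two unrelated statements with "and": that the 'devices' controller differs, and that file system quotas cannot be supported. Split it into two sentences so the quota limitation stands on its own. The first half also needs substance: the section lists access to device nodes among the main resources controlled, yet "completely different" tells an administrator neither what changed nor whether container device restrictions need to be rechecked after the switch. Either describe the difference in a sentence or link to the relevant part of the cgroup-v2 kernel documentation already referenced above.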
> @@ -603,6 +648,8 @@ Using Quotas Inside Containers
> Quotas allow to set limits inside a container for the amount of disk space that
> each user can use.
>
> +NOTE: This currently requires the use of legacy 'cgroups'.
> +
> NOTE: This only works on ext4 image based storage types and currently only
> works with privileged containers.
>
Apart from the small typos:
Reviewed-By: Stoiko Ivanov <s.ivanov@proxmox.com>