From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 499F9711E3 for ; Mon, 28 Jun 2021 12:10:32 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 36B1529B26 for ; Mon, 28 Jun 2021 12:10:02 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 480E529B1C for ; Mon, 28 Jun 2021 12:10:01 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 12F874448C for ; Mon, 28 Jun 2021 12:10:01 +0200 (CEST) From: Wolfgang Bumiller To: pve-devel@lists.proxmox.com Date: Mon, 28 Jun 2021 12:09:59 +0200 Message-Id: <20210628100959.132195-1-w.bumiller@proxmox.com> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.708 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pve-devel] [PATCH docs] pct: add short cgroup section X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Jun 2021 10:10:32 -0000 Signed-off-by: Wolfgang Bumiller --- pct.adoc | 49 ++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 48 insertions(+), 1 deletion(-) diff --git a/pct.adoc b/pct.adoc index 0c90106..28bde7f 100644 --- a/pct.adoc +++ b/pct.adoc @@ -484,7 +484,52 @@ lxc.apparmor.profile = unconfined WARNING: Please note that this is not recommended for production use. -// TODO: describe cgroups + seccomp a bit more. +[[pct_cgroup]] +Control Groups ('cgroup') +~~~~~~~~~~~~~~~~~~~~~~~~~ + +'cgroup' is a kernel +mechanism used to hierarchically organize processes and distribute system +resources. + +The main resources controlled via 'cgroups' are CPU time, memory and swap +limits, and access to device nodes. They are also used to "freeze" a container +before taking snapshots. + +There are 2 versions if 'cgroups' currently available, +https://www.kernel.org/doc/html/v5.11/admin-guide/cgroup-v1/index.html[legacy] +and +https://www.kernel.org/doc/html/v5.11/admin-guide/cgroup-v2.html['cgroupv2']. + +Since {pve} 7.0, the default will be a pure 'cgroupv2' environment. Previously a +"hybrid" setup was used, where resource control was mainly done in 'cgroupv1' +with an additional 'cgroupv2' controller which could take over some subsystems +via the 'cgroup_no_v1' kernel command line parameter. (See the +https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html[kernel +parameter documentation] for details.) + +The main difference with a pure 'cgroupv2' system regarding {pve} is that memory +and swap are no controlled independently, making these options in the container +configuration feel more natural. + +Another important difference is the way the 'devices' controller works, which is +completely differenty, and for now, file system quotas cannot be supported in a +pure 'cgroupv2' environment. + +If file system quotas are not required and the containers are new enough to +understand 'cgroupv2', it is recommended to stick to the new default. + +To switch back to the previous version the following kernel command line +parameter can be used: + +---- +systemd.unified_cgroup_hierarchy=0 +---- + +See xref:sysboot_edit_kernel_cmdline[this section] on editing the kernel boot +command line on where to add the parameter. + +// TODO: seccomp a bit more. // TODO: pve-lxc-syscalld @@ -603,6 +648,8 @@ Using Quotas Inside Containers Quotas allow to set limits inside a container for the amount of disk space that each user can use. +NOTE: This currently requires the use of legacy 'cgroups'. + NOTE: This only works on ext4 image based storage types and currently only works with privileged containers. -- 2.30.2