From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id AE69B7128F for ; Mon, 28 Jun 2021 13:44:34 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 9A8B02A897 for ; Mon, 28 Jun 2021 13:44:04 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id D6DFB2A88B for ; Mon, 28 Jun 2021 13:44:02 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id A501744476 for ; Mon, 28 Jun 2021 13:44:02 +0200 (CEST) From: Wolfgang Bumiller To: pve-devel@lists.proxmox.com Date: Mon, 28 Jun 2021 13:44:01 +0200 Message-Id: <20210628114401.169065-1-w.bumiller@proxmox.com> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.703 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pve-devel] [PATCH v2 docs] pct: add short cgroup section X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Jun 2021 11:44:34 -0000 Signed-off-by: Wolfgang Bumiller Reviewed-By: Stoiko Ivanov --- Changes to v1. * Some paragraphs are rephrazed, same overall structure otherwise. * Typo fixes Rb tag included after a short off-list read-through pct.adoc | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 50 insertions(+), 1 deletion(-) diff --git a/pct.adoc b/pct.adoc index 0c90106..b03b6ba 100644 --- a/pct.adoc +++ b/pct.adoc @@ -484,7 +484,54 @@ lxc.apparmor.profile = unconfined WARNING: Please note that this is not recommended for production use. -// TODO: describe cgroups + seccomp a bit more. +[[pct_cgroup]] +Control Groups ('cgroup') +~~~~~~~~~~~~~~~~~~~~~~~~~ + +'cgroup' is a kernel +mechanism used to hierarchically organize processes and distribute system +resources. + +The main resources controlled via 'cgroups' are CPU time, memory and swap +limits, and access to device nodes. 'cgroups' are also used to "freeze" a +container before taking snapshots. + +There are 2 versions of 'cgroups' currently available, +https://www.kernel.org/doc/html/v5.11/admin-guide/cgroup-v1/index.html[legacy] +and +https://www.kernel.org/doc/html/v5.11/admin-guide/cgroup-v2.html['cgroupv2']. + +Since {pve} 7.0, the default is a pure 'cgroupv2' environment. Previously a +"hybrid" setup was used, where resource control was mainly done in 'cgroupv1' +with an additional 'cgroupv2' controller which could take over some subsystems +via the 'cgroup_no_v1' kernel command line parameter. (See the +https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html[kernel +parameter documentation] for details.) + +The main difference between pure 'cgroupv2' and the old hybrid environments +regarding {pve} is that with 'cgroupv2' memory and swap are now controlled +independently. The memory and swap settings for containers can map directly to +these values, whereas previously only the memory limit and the limit of the +*sum* of memory and swap could be limited. + +Another important difference is that the 'devices' controller is configured in a +completely different way. Because of this, file system quotas are currently not +supported in a pure 'cgroupv2' environment. + +If file system quotas are not required and the containers are new enough to +understand 'cgroupv2', it is recommended to stick to the new default. + +To switch back to the previous version the following kernel command line +parameter can be used: + +---- +systemd.unified_cgroup_hierarchy=0 +---- + +See xref:sysboot_edit_kernel_cmdline[this section] on editing the kernel boot +command line on where to add the parameter. + +// TODO: seccomp a bit more. // TODO: pve-lxc-syscalld @@ -603,6 +650,8 @@ Using Quotas Inside Containers Quotas allow to set limits inside a container for the amount of disk space that each user can use. +NOTE: This currently requires the use of legacy 'cgroups'. + NOTE: This only works on ext4 image based storage types and currently only works with privileged containers. -- 2.30.2