title:Using cgroups
keywords:linux,security,cgroups

# Using cgroups
## Requirements

Install the package for your distro; for Arch Linux there is [cgmanager](https://www.archlinux.org/packages/?name=cgmanager).

cgroups allow you to configure how the resources of specific processes are treated. Since there is a lot of bloatware around these days, it is nice to
limit at least some processes so they don't use too much memory or CPU. That
also keeps such processes from hanging the system.

It is quite common that Chrome freezes the whole system when it eats up all CPU and memory, especially when opening some "optimized" pages like YouTube. These
notes were created out of frustration about that.

There are also not enough guides on how to configure some parts of cgroups,
so some time was spent on research.

cgroups allow these resources to be configured:

| Resource | Description |
| --- | --- |
| blkio | this subsystem sets limits on input/output access to and from block devices such as physical drives (disk, solid state, or USB) |
| cpu | this subsystem uses the scheduler to provide cgroup tasks access to the CPU |
| cpuacct | this subsystem generates automatic reports on CPU resources used by tasks in a cgroup |
| cpuset |  this subsystem assigns individual CPUs (on a multicore system) and memory nodes to tasks in a cgroup |
| devices | this subsystem allows or denies access to devices by tasks in a cgroup |
| freezer | this subsystem suspends or resumes tasks in a cgroup |
| memory | this subsystem sets limits on memory use by tasks in a cgroup and generates automatic reports on memory resources used by those tasks |
| net_cls | this subsystem tags network packets with a class identifier (classid) that allows the Linux traffic controller (tc) to identify packets originating from a particular cgroup task |
| net_prio | this subsystem provides a way to dynamically set the priority of network traffic per network interface |
| ns | the namespace subsystem |
| perf_event | this subsystem identifies cgroup membership of tasks and can be used for performance analysis |

## Configure example

As the requirement was to stop Chrome from stalling the system, memory and CPU will be limited.
The group definition is written in _/etc/cgconfig.conf_, the file that `cgconfigparser` loads below
(_/etc/cgrules.conf_ is the separate file that maps users and processes to groups automatically).
First set the permissions, i.e. which user the group applies to:
```
perm {
    admin {
        uid = youruser;
        gid = youruser; 
    }
    task {
        uid = youruser;
        gid = youruser;
    }
}

```
Restrict which CPUs the process may run on; here it runs only on CPUs 0-1:
```
cpuset {
	cpuset.mems="0";
	cpuset.cpus="0-1";
}
```
Limit CPU load; the intent here is to cap CPU usage at about 90%. Note that `cpu.shares` is a relative weight (the default is 1024) rather than a hard ceiling, so it only takes effect under contention; a hard cap needs `cpu.cfs_quota_us` and `cpu.cfs_period_us`, which appear in the listing further down.
```
cpu {
	cpu.shares = 900;
}

```
Limit the process's memory to 4 GB (4000000000 bytes):
```
memory {
	memory.limit_in_bytes = "4000000000";
}

```

The final config looks like this:
```
group chrome {
    perm {
        admin {
            uid = fam;
            gid = fam;
        }
        task {
            uid = fam;
            gid = fam;
        }
    }

    cpuset {
        cpuset.mems = "0";
        cpuset.cpus = "0-1";
    }

    memory {
        memory.limit_in_bytes = "4000000000";
    }

    cpu {
        cpu.shares = 900;
    }

    net_cls {
        net_cls.classid = 11;
    }
}
```

Load the configuration and run the process under it: `cgconfigparser` creates the cgroups from the config file,
and `cgexec` launches the process inside the memory, cpuset and cpu cgroups named `chrome`.
```
cgconfigparser -l /etc/cgconfig.conf
cgexec -g memory,cpuset,cpu:chrome /usr/bin/chromium
```

Now it is safe to play videos from the internet; no more system stalls.

## Configuring process to use specific interface

### Set cgroup classid

```
net_cls {
    net_cls.classid = 0x10001;
}
```

### Iptables filtering

```
# Chains for traffic from and to the chrome cgroup (classid 0x10001)
iptables -N CHROME_OUT
iptables -N CHROME_IN

# Outgoing: hand the cgroup's packets to CHROME_OUT, allow only tun0, drop the rest.
# iptables evaluates rules in order, so the ACCEPT must be appended before the DROP.
iptables -t filter -A OUTPUT -m cgroup --cgroup 0x10001 -j CHROME_OUT
iptables -A CHROME_OUT -o tun0 -j ACCEPT
iptables -A CHROME_OUT -j DROP

# Incoming: same policy in CHROME_IN (the interface match is -i on the input side)
iptables -t filter -A INPUT -m cgroup --cgroup 0x10001 -j CHROME_IN
iptables -A CHROME_IN -i tun0 -j ACCEPT
iptables -A CHROME_IN -j DROP
```

Now only the single, secure interface (tun0) is available to the `chrome` cgroup; if that interface is down,
the cgroup has no network connection at all.

### Run
```
cgexec -g memory,cpuset,cpu,net_cls:chrome /usr/bin/chromium
```

## Exploring other configuration options

cgroups are configured through the filesystem mounted under /sys/fs/cgroup:

```
ls /sys/fs/cgroup
blkio      cpuacct      devices  memory            net_prio    rdma
cgmanager  cpu,cpuacct  freezer  net_cls           perf_event  systemd
cpu        cpuset       hugetlb  net_cls,net_prio  pids        unified
```

If the rules from the previous section have been applied, they can be found here (the kernel rounds `memory.limit_in_bytes` down to a multiple of the page size, which is why 4000000000 reads back as 3999997952):

```
cat /sys/fs/cgroup/cpu/chrome/cpu.shares 
900
cat /sys/fs/cgroup/memory/chrome/memory.limit_in_bytes 
3999997952
cat /sys/fs/cgroup/cpuset/chrome/cpuset.mems
0
cat /sys/fs/cgroup/cpuset/chrome/cpuset.cpus
0-1
```
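As an added check, not part of the original writeup, the script below reads the same files and compares them with the values requested in cgconfig.conf, applying the page-size rounding so that the 4 GB limit is judged correctly. `CGROUP_ROOT` and `PAGE_SIZE` are assumed, overridable variables so the check can also be pointed at a constructed test tree.

```shell
#!/bin/sh
# check_cgroup_limits.sh: compare the knobs cgconfigparser applied to a group
# with the values requested in /etc/cgconfig.conf.
# CGROUP_ROOT and PAGE_SIZE are assumptions; override them for a test tree.
CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"
PAGE_SIZE="${PAGE_SIZE:-4096}"

# The kernel stores memory.limit_in_bytes rounded down to a page multiple,
# which is why 4000000000 reads back as 3999997952.
round_to_page() {
    echo $(( $1 / PAGE_SIZE * PAGE_SIZE ))
}

# read_knob <controller> <group> <file>: print the current value or "missing".
read_knob() {
    f="$CGROUP_ROOT/$1/$2/$3"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# check_group <group> <cpus> <mems> <shares> <mem_bytes>
# Prints one line per knob and returns 1 if any value differs from the request.
check_group() {
    g=$1 rc=0
    expected_mem=$(round_to_page "$5")
    for spec in "cpuset cpuset.cpus $2" "cpuset cpuset.mems $3" \
                "cpu cpu.shares $4" "memory memory.limit_in_bytes $expected_mem"; do
        set -- $spec                     # controller, file, expected value
        actual=$(read_knob "$1" "$g" "$2")
        if [ "$actual" = "$3" ]; then
            echo "ok       $1/$g/$2 = $actual"
        else
            echo "MISMATCH $1/$g/$2 = $actual (want $3)"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh check_cgroup_limits.sh chrome 0-1 0 900 4000000000
if [ "$#" -gt 0 ]; then check_group "$@"; fi
```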

More options for each subsystem can be listed with:
```
ls /sys/fs/cgroup/*/
```

Here are some extra options for cpu:
```
ls /sys/fs/cgroup/cpu/
cgroup.clone_children  cpuacct.usage_percpu       cpu.shares
cgroup.procs           cpuacct.usage_percpu_sys   cpu.stat
cgroup.sane_behavior   cpuacct.usage_percpu_user  notify_on_release
chrome                 cpuacct.usage_sys          release_agent
cpuacct.stat           cpuacct.usage_user         tasks
cpuacct.usage          cpu.cfs_period_us
cpuacct.usage_all      cpu.cfs_quota_us
```

## Links
[1] [https://wiki.archlinux.org/index.php/Cgroups](https://wiki.archlinux.org/index.php/Cgroups)  
[2] [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/resource_management_guide/ch01](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/resource_management_guide/ch01)  
[3] [https://blog.michael.kuron-germany.de/tag/iptables/](https://blog.michael.kuron-germany.de/tag/iptables/)  
[4] [http://main.lv/writeup/using_iptables.md](http://main.lv/writeup/using_iptables.md)