summaryrefslogtreecommitdiff
path: root/md
diff options
context:
space:
mode:
Diffstat (limited to 'md')
-rw-r--r--md/writeup.md3
-rw-r--r--md/writeup/using_cgroups.md197
2 files changed, 200 insertions, 0 deletions
diff --git a/md/writeup.md b/md/writeup.md
index 9282cca..ef4390e 100644
--- a/md/writeup.md
+++ b/md/writeup.md
@@ -24,6 +24,9 @@ title: Writeup page
[WebAssembly SDL example](writeup/web_assembly_sdl_example.md)
[SystemC:Hello World](writeup/systemc_hello_world.md)
[WebUSB example](writeup/webusb_example.md)
+[Using cgroups](writeup/using_cgroups.md)
+
+
## Projects
diff --git a/md/writeup/using_cgroups.md b/md/writeup/using_cgroups.md
new file mode 100644
index 0000000..28a4404
--- /dev/null
+++ b/md/writeup/using_cgroups.md
@@ -0,0 +1,197 @@
+title:Using cgroups
+keywords:linux,security,cgroups
+
+# Using cgroups
+## Requirements
+
+Download package for your distro there is one for. archlinux [cgmanager](https://www.archlinux.org/packages/?name=cgmanager).
+
+So cgroups allows to configure how specific process resources going to be treated. As our days there is alot of bloatware around then its nice to
+limit some of the processes at least dont use too much memory or cpu. That
+also prevents some processes to hang.
+
+Quite common that chrome freezes whole system when it eats up all cpu and memory especially when opening some optimized pages like YouTube. Out of
+fustration about that this notes are created.
+
+Also there is no enought guides how to configure some parts of cgroups,
+so spent some time on research.
+
+Cgroups allows to configure this resources:
+
+| Resource | Description |
+| --- | --- |
+| blkio | this subsystem sets limits on input/output access to and from block devices such as physical drives (disk, solid state, or USB) |
+| cpu | this subsystem uses the scheduler to provide cgroup tasks access to the CPU |
+| cpuacct | this subsystem generates automatic reports on CPU resources used by tasks in a cgroup |
+| cpuset | this subsystem assigns individual CPUs (on a multicore system) and memory nodes to tasks in a cgroup |
+| devices | this subsystem allows or denies access to devices by tasks in a cgroup |
+| freezer | this subsystem suspends or resumes tasks in a cgroup |
+| memory | this subsystem sets limits on memory use by tasks in a cgroup and generates automatic reports on memory resources used by those task |
+| net_cls | this subsystem tags network packets with a class identifier (classid) that allows the Linux traffic controller (tc) to identify packets originating from a particular cgroup task |
+| net_prio | this subsystem provides a way to dynamically set the priority of network traffic per network interface |
+| ns | the namespace subsystem |
+| perf_event | this subsystem identifies cgroup membership of tasks and can be used for performance analysis |
+
+## Configure example
+
+As requirement was stop chrome stall system then memory and cpu will be limited
+rules are located in _/etc/cgrules.conf_
+Set permisions to whome applies
+```
+perm {
+ admin {
+ uid = youruser;
+ gid = youruser;
+ }
+ task {
+ uid = youruser;
+ gid = youruser;
+ }
+}
+
+```
+Limit cpus where process is going to run, run process on 0-1 CPU's
+```
+cpuset {
+ cpuset.mems="0";
+ cpuset.cpus="0-1";
+}
+```
+Limit cpus load, set CPU usage max to 90%
+```
+cpu {
+ cpu.shares = 900;
+}
+
+```
+Limit process max memory to 4G
+```
+memory {
+ memory.limit_in_bytes = "4000000000";
+}
+
+```
+
+Final config looks like
+```
+group chrome {
+ perm {
+ admin {
+ uid = fam;
+ gid = fam;
+ }
+ task {
+ uid = fam;
+ gid = fam;
+ }
+ }
+
+ cpuset {
+ cpuset.mems="0";
+ cpuset.cpus="0-1";
+ }
+
+ memory {
+ memory.limit_in_bytes = "4000000000";
+ }
+
+ cpu {
+ cpu.shares = 900;
+ }
+
+
+ net_cls {
+ net_cls.classid = 11;
+ }
+}
+```
+
+Update and run rulles. rulles applied to cgroups and set on launched process
+with memory,cpuset,cpu cgroup rulles.
+```
+cgconfigparser -l /etc/cgconfig.conf
+cgexec -g memory,cpuset,cpu:chrome /usr/bin/chromium
+```
+
+Now we are safe to run some videos on internet and no system stalling is happening.
+
+## Configuring process to use specific interface
+
+### Set cgroup classid
+
+```
+net_cls {
+ net_cls.classid = 0x10001;
+}
+```
+
+### Iptables filtering
+
+```
+iptables -N CHROME_OUT
+iptables -N CHROME_IN
+
+iptables -t filter -A OUTPUT -j CHROME_OUT -m cgroup --cgroup 0x10001
+iptables -A CHROME_OUT -j DROP
+iptables -A CHROME_OUT -o tun0 -j ACCEPT
+
+iptables -t filter -A INPUT -j CHROME_IN -m cgroup --cgroup 0x10001
+iptables -A CHROME_IN -j DROP
+iptables -A CHROME_OUT -i tun0 -j ACCEPT
+```
+
+So now single/secure interface is avaliable for cgroupe chrome, if secure interface down
+then no network connection
+
+### Run
+```
+cgexec -g memory,cpuset,cpu,net_cls:chrome /usr/bin/chromium
+```
+
+## Exploring other configuration options
+
+Cgroups is configured trought sysfs
+
+```
+ls /sys/fs/cgroup
+blkio cpuacct devices memory net_prio rdma
+cgmanager cpu,cpuacct freezer net_cls perf_event systemd
+cpu cpuset hugetlb net_cls,net_prio pids unified
+```
+
+If we have applied rules from previouse section then we are able to find them in
+
+```
+cat /sys/fs/cgroup/cpu/chrome/cpu.shares
+900
+cat /sys/fs/cgroup/memory/chrome/memory.limit_in_bytes
+3999997952
+cat /sys/fs/cgroup/cpuset/chrome/cpuset.mems
+0
+cat /sys/fs/cgroup/cpuset/chrome/cpuset.cpus
+0-1
+```
+
+More options on each of subsystems can be found with:
+```
+ls /sys/fs/cgroup/*/
+```
+
+Here some extra options for cpu
+```
+ls /sys/fs/cgroup/cpu/
+cgroup.clone_children cpuacct.usage_percpu cpu.shares
+cgroup.procs cpuacct.usage_percpu_sys cpu.stat
+cgroup.sane_behavior cpuacct.usage_percpu_user notify_on_release
+chrome cpuacct.usage_sys release_agent
+cpuacct.stat cpuacct.usage_user tasks
+cpuacct.usage cpu.cfs_period_us
+cpuacct.usage_all cpu.cfs_quota_us
+```
+
+## Links
+[1] [https://wiki.archlinux.org/index.php/Cgroups](https://wiki.archlinux.org/index.php/Cgroups)
+[2] [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/resource_management_guide/ch01](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/resource_management_guide/ch01)
+[3] [https://blog.michael.kuron-germany.de/tag/iptables/](https://blog.michael.kuron-germany.de/tag/iptables/)
+
+