Diffstat (limited to 'md')
-rw-r--r-- | md/writeup.md | 3 |
-rw-r--r-- | md/writeup/using_cgroups.md | 197 |
2 files changed, 200 insertions, 0 deletions
diff --git a/md/writeup.md b/md/writeup.md index 9282cca..ef4390e 100644 --- a/md/writeup.md +++ b/md/writeup.md @@ -24,6 +24,9 @@ title: Writeup page [WebAssembly SDL example](writeup/web_assembly_sdl_example.md) [SystemC:Hello World](writeup/systemc_hello_world.md) [WebUSB example](writeup/webusb_example.md) +[Using cgroups](writeup/using_cgroups.md) + + ## Projects diff --git a/md/writeup/using_cgroups.md b/md/writeup/using_cgroups.md new file mode 100644 index 0000000..28a4404 --- /dev/null +++ b/md/writeup/using_cgroups.md 
@@ -0,0 +1,197 @@ +title:Using cgroups +keywords:linux,security,cgroups + +# Using cgroups +## Requirements + +Download package for your distro there is one for. archlinux [cgmanager](https://www.archlinux.org/packages/?name=cgmanager). + +So cgroups allows to configure how specific process resources going to be treated. As our days there is alot of bloatware around then its nice to +limit some of the processes at least dont use too much memory or cpu. That +also prevents some processes to hang. + +Quite common that chrome freezes whole system when it eats up all cpu and memory especially when opening some optimized pages like YouTube. Out of +fustration about that this notes are created. + +Also there is no enought guides how to configure some parts of cgroups, +so spent some time on research. + +Cgroups allows to configure this resources: + +| Resource | Description | +| --- | --- | +| blkio | this subsystem sets limits on input/output access to and from block devices such as physical drives (disk, solid state, or USB) | +| cpu | this subsystem uses the scheduler to provide cgroup tasks access to the CPU | +| cpuacct | this subsystem generates automatic reports on CPU resources used by tasks in a cgroup | +| cpuset | this subsystem assigns individual CPUs (on a multicore system) and memory nodes to tasks in a cgroup | +| devices | this subsystem allows or denies access to devices by tasks in a cgroup | +| freezer | this subsystem suspends or resumes tasks in a cgroup | +| memory | this subsystem sets limits on memory use by tasks in a cgroup and generates automatic reports on memory resources used by those task | +| net_cls | this subsystem tags network packets with a class identifier (classid) that allows the Linux traffic controller (tc) to identify packets originating from a particular cgroup task | +| net_prio | this subsystem provides a way to dynamically set the priority of network traffic per network interface | +| ns | the namespace subsystem | +| 
perf_event | this subsystem identifies cgroup membership of tasks and can be used for performance analysis | + +## Configure example + +As requirement was stop chrome stall system then memory and cpu will be limited +rules are located in _/etc/cgrules.conf_ +Set permisions to whome applies +``` +perm { + admin { + uid = youruser; + gid = youruser; + } + task { + uid = youruser; + gid = youruser; + } +} + +``` +Limit cpus where process is going to run, run process on 0-1 CPU's +``` +cpuset { + cpuset.mems="0"; + cpuset.cpus="0-1"; +} +``` +Limit cpus load, set CPU usage max to 90% +``` +cpu { + cpu.shares = 900; +} + +``` +Limit process max memory to 4G +``` +memory { + memory.limit_in_bytes = "4000000000"; +} + +``` + +Final config looks like +``` +group chrome { + perm { + admin { + uid = fam; + gid = fam; + } + task { + uid = fam; + gid = fam; + } + } + + cpuset { + cpuset.mems="0"; + cpuset.cpus="0-1"; + } + + memory { + memory.limit_in_bytes = "4000000000"; + } + + cpu { + cpu.shares = 900; + } + + + net_cls { + net_cls.classid = 11; + } +} +``` + +Update and run rulles. rulles applied to cgroups and set on launched process +with memory,cpuset,cpu cgroup rulles. +``` +cgconfigparser -l /etc/cgconfig.conf +cgexec -g memory,cpuset,cpu:chrome /usr/bin/chromium +``` + +Now we are safe to run some videos on internet and no system stalling is happening. 
+ +## Configuring process to use specific interface + +### Set cgroup classid + +``` +net_cls { + net_cls.classid = 0x10001; +} +``` + +### Iptables filtering + +``` +iptables -N CHROME_OUT +iptables -N CHROME_IN + +iptables -t filter -A OUTPUT -j CHROME_OUT -m cgroup --cgroup 0x10001 +iptables -A CHROME_OUT -j DROP +iptables -A CHROME_OUT -o tun0 -j ACCEPT + +iptables -t filter -A INPUT -j CHROME_IN -m cgroup --cgroup 0x10001 +iptables -A CHROME_IN -j DROP +iptables -A CHROME_OUT -i tun0 -j ACCEPT +``` + +So now single/secure interface is avaliable for cgroupe chrome, if secure interface down +then no network connection + +### Run +``` +cgexec -g memory,cpuset,cpu,net_cls:chrome /usr/bin/chromium +``` + +## Exploring other configuration options + +Cgroups is configured trought sysfs + +``` +ls /sys/fs/cgroup +blkio cpuacct devices memory net_prio rdma +cgmanager cpu,cpuacct freezer net_cls perf_event systemd +cpu cpuset hugetlb net_cls,net_prio pids unified +``` + +If we have applied rules from previouse section then we are able to find them in + +``` +cat /sys/fs/cgroup/cpu/chrome/cpu.shares +900 +cat /sys/fs/cgroup/memory/chrome/memory.limit_in_bytes +3999997952 +cat /sys/fs/cgroup/cpuset/chrome/cpuset.mems +0 +cat /sys/fs/cgroup/cpuset/chrome/cpuset.cpus +0-1 +``` + +More options on each of subsystems can be found with: +``` +ls /sys/fs/cgroup/*/ +``` + +Here some extra options for cpu +``` +ls /sys/fs/cgroup/cpu/ +cgroup.clone_children cpuacct.usage_percpu cpu.shares +cgroup.procs cpuacct.usage_percpu_sys cpu.stat +cgroup.sane_behavior cpuacct.usage_percpu_user notify_on_release +chrome cpuacct.usage_sys release_agent +cpuacct.stat cpuacct.usage_user tasks +cpuacct.usage cpu.cfs_period_us +cpuacct.usage_all cpu.cfs_quota_us +``` + +## Links +[1] [https://wiki.archlinux.org/index.php/Cgroups](https://wiki.archlinux.org/index.php/Cgroups) +[2] 
[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/resource_management_guide/ch01](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/resource_management_guide/ch01) +[3] [https://blog.michael.kuron-germany.de/tag/iptables/](https://blog.michael.kuron-germany.de/tag/iptables/) + + |
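Review bot: In the md/writeup.md hunk the new `[Using cgroups](writeup/using_cgroups.md)` entry is followed by two added blank lines before `## Projects`; one separating blank line matches the rest of the index, so drop the extra one.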
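Review bot: In the `### Iptables filtering` block of md/writeup/using_cgroups.md the rule order defeats the stated goal: `iptables -A CHROME_OUT -j DROP` is appended before `iptables -A CHROME_OUT -o tun0 -j ACCEPT`, so the unconditional DROP matches first and the tun0 ACCEPT is never reached, meaning the cgroup loses all egress rather than only non-tun0 egress; the CHROME_IN pair has the same ordering problem, and the last line `iptables -A CHROME_OUT -i tun0 -j ACCEPT` is appended to the wrong chain (it should be `-A CHROME_IN -i tun0 -j ACCEPT`). Append the interface ACCEPT rule first and the DROP last in each chain. Two documentation points in the same file: the prose says the rules live in _/etc/cgrules.conf_, but the group definition shown is cgconfig syntax and it is loaded with `cgconfigparser -l /etc/cgconfig.conf`, so the path should read /etc/cgconfig.conf (cgrules.conf is the file cgrulesengd uses for automatic process-to-cgroup assignment); and `cpu.shares = 900` does not "set CPU usage max to 90%", since shares are a relative weight (default 1024) that only takes effect under contention, whereas a hard ceiling comes from `cpu.cfs_quota_us` together with `cpu.cfs_period_us`, both visible in the later `ls /sys/fs/cgroup/cpu/` listing. A spelling pass (fustration, rulles, avaliable, cgroupe, previouse, trought, enought, whome) would also help before merge.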