title:Using cgroups
keywords:linux,security,cgroups

# Using cgroups

## Requirements

Install the cgroups userspace tools for your distro. The `cgconfigparser` and `cgexec` commands used below are provided by libcgroup; for Arch Linux there is also the [cgmanager](https://www.archlinux.org/packages/?name=cgmanager) package.

cgroups let you configure how the resources of a specific process (or group of processes) are treated. With the amount of bloatware around these days it is nice to limit at least some processes so they cannot use too much memory or CPU; that also stops them from hanging the machine. It is quite common for Chrome to freeze the whole system when it eats up all CPU and memory, especially on some "optimized" pages such as YouTube. These notes were created out of frustration with that. There are also not enough guides on how to configure some parts of cgroups, so some time went into research.

cgroups (v1) allow the following resources to be configured, one subsystem (controller) per hierarchy:

| Resource | Description |
| --- | --- |
| blkio | this subsystem sets limits on input/output access to and from block devices such as physical drives (disk, solid state, or USB) |
| cpu | this subsystem uses the scheduler to provide cgroup tasks access to the CPU |
| cpuacct | this subsystem generates automatic reports on CPU resources used by tasks in a cgroup |
| cpuset | this subsystem assigns individual CPUs (on a multicore system) and memory nodes to tasks in a cgroup |
| devices | this subsystem allows or denies access to devices by tasks in a cgroup |
| freezer | this subsystem suspends or resumes tasks in a cgroup |
| memory | this subsystem sets limits on memory use by tasks in a cgroup and generates automatic reports on memory resources used by those tasks |
| net_cls | this subsystem tags network packets with a class identifier (classid) that allows the Linux traffic controller (tc) to identify packets originating from a particular cgroup task |
| net_prio | this subsystem provides a way to dynamically set the priority of network traffic per network interface |
| ns | the namespace subsystem |
| perf_event | this subsystem identifies cgroup membership of tasks and can be used for performance analysis |

## Configure example

The requirement was to stop Chrome from stalling the system, so memory and CPU are limited. Group definitions live in _/etc/cgconfig.conf_ (not _/etc/cgrules.conf_, which is the rule file `cgrulesengd` uses to place processes into groups automatically).

Set permissions for whom the group applies to: `admin` is who may change the group's control files, `task` is who may move processes into it (this is what later allows an unprivileged user to run `cgexec`):

```
perm {
    admin {
        uid = youruser;
        gid = youruser;
    }
    task {
        uid = youruser;
        gid = youruser;
    }
}
```

Limit the CPUs the process may run on, here CPUs 0-1 (`cpuset.mems` must be set as well, otherwise no task can be attached to a cpuset group):

```
cpuset {
    cpuset.mems = "0";
    cpuset.cpus = "0-1";
}
```

Set the CPU weight. Note that `cpu.shares` is a relative weight (default 1024), not a percentage: 900 only gives the group slightly less than an equal share when the CPUs are contended, and it does not cap the group at all on an otherwise idle system. A hard cap of 90% needs the CFS bandwidth files `cpu.cfs_period_us` and `cpu.cfs_quota_us` (quota divided by period, summed over all CPUs the group may use) instead:

```
cpu {
    cpu.shares = 900;
}
```

Limit the process to 4 GB of memory (the kernel rounds the value down to a page boundary, which is why it reads back as 3999997952 later). If swap is enabled, also set `memory.memsw.limit_in_bytes`, otherwise the group can still push its excess into swap:

```
memory {
    memory.limit_in_bytes = "4000000000";
}
```

The final config looks like this (the `net_cls.classid` value is replaced by `0x10001` in the next section):

```
group chrome {
    perm {
        admin {
            uid = fam;
            gid = fam;
        }
        task {
            uid = fam;
            gid = fam;
        }
    }
    cpuset {
        cpuset.mems = "0";
        cpuset.cpus = "0-1";
    }
    memory {
        memory.limit_in_bytes = "4000000000";
    }
    cpu {
        cpu.shares = 900;
    }
    net_cls {
        net_cls.classid = 11;
    }
}
```

Load the rules and run the process: `cgconfigparser` creates the groups in the cgroup filesystem, and `cgexec` launches the process inside the memory, cpuset and cpu groups (child processes inherit the membership, so Chrome's renderer processes are covered too):

```
cgconfigparser -l /etc/cgconfig.conf
cgexec -g memory,cpuset,cpu:chrome /usr/bin/chromium
```

Now it is safe to run some videos on the internet without the system stalling: when Chrome reaches the memory limit, the OOM killer acts inside the cgroup instead of the whole machine grinding to a halt.
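The following script is an added example, not part of the original notes: it generates the same `/etc/cgconfig.conf` group definition but with a real CPU cap via the CFS quota next to the `cpu.shares` weight, predicts the page-rounded memory limit, verifies the values the kernel applied, and reads back which cgroup a PID landed in from its `/proc/PID/cgroup` file. It assumes the libcgroup tools (`cgconfigparser`, `cgexec`), cgroup v1 hierarchies mounted under `/sys/fs/cgroup`, the user `fam` and group name `chrome` from the notes, and a 4 KiB page size; the helper names (`cfs_quota_us`, `write_cgconfig`, `verify_group`, `cgroup_path_of`, `apply_and_run`) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original notes: generate the libcgroup group
# definition with a hard CPU cap (CFS quota) next to the cpu.shares weight,
# load it, verify the applied limits and look up a PID's cgroup.
# Assumptions: libcgroup tools, cgroup v1 under /sys/fs/cgroup, user "fam",
# group "chrome", 4 KiB pages. The output path is a parameter so the file
# can be generated anywhere (e.g. a temp file) before copying it into place.
set -eu

# Quota for PERCENT of NCPUS worth of CPU time per scheduling period.
# The quota is summed over all CPUs the group may run on, so 90% of the two
# CPUs allowed by cpuset.cpus=0-1 is 180000us out of a 100000us period.
cfs_quota_us() {
    percent=$1; ncpus=$2; period_us=${3:-100000}
    echo $(( period_us * percent * ncpus / 100 ))
}

# The kernel rounds memory.limit_in_bytes down to a page boundary, which is
# why 4000000000 reads back as 3999997952 on a 4 KiB page system.
expected_mem_limit() {
    echo $(( $1 / 4096 * 4096 ))
}

# write_cgconfig OUT USER GROUP PERCENT NCPUS MEMBYTES CPUS
write_cgconfig() {
    out=$1; user=$2; grp=$3; pct=$4; ncpus=$5; mem=$6; cpus=$7
    quota=$(cfs_quota_us "$pct" "$ncpus")
    cat > "$out" <<EOF
group $grp {
    perm {
        admin { uid = $user; gid = $user; }
        task  { uid = $user; gid = $user; }
    }
    cpuset {
        cpuset.mems = "0";
        cpuset.cpus = "$cpus";
    }
    memory {
        memory.limit_in_bytes = "$mem";
    }
    cpu {
        cpu.shares = 900;
        cpu.cfs_period_us = 100000;
        cpu.cfs_quota_us = $quota;
    }
}
EOF
}

# Compare what the kernel applied with what was asked for (cgroup v1 paths).
verify_group() {
    grp=$1; mem=$2; ncpus=$3; pct=$4
    [ "$(cat "/sys/fs/cgroup/memory/$grp/memory.limit_in_bytes")" = "$(expected_mem_limit "$mem")" ]
    [ "$(cat "/sys/fs/cgroup/cpu/$grp/cpu.cfs_quota_us")" = "$(cfs_quota_us "$pct" "$ncpus")" ]
}

# cgroup_path_of CONTROLLER FILE: path of a controller from a /proc/PID/cgroup
# style file whose lines look like "4:cpu,cpuacct:/chrome" (v1 format).
cgroup_path_of() {
    awk -F: -v c="$1" '{
        n = split($2, subs, ",")
        for (i = 1; i <= n; i++) if (subs[i] == c) { print $3; exit }
    }' "$2"
}

# apply_and_run CFG GROUP MEMBYTES NCPUS PERCENT CMD...  (root for the load,
# afterwards the perm block lets "fam" use cgexec directly)
apply_and_run() {
    cfg=$1; grp=$2; mem=$3; ncpus=$4; pct=$5; shift 5
    cgconfigparser -l "$cfg"
    verify_group "$grp" "$mem" "$ncpus" "$pct"
    exec cgexec -g memory,cpuset,cpu:"$grp" "$@"
}
```

Typical use is `write_cgconfig /etc/cgconfig.conf fam chrome 90 2 4000000000 0-1` followed by `apply_and_run /etc/cgconfig.conf chrome 4000000000 2 90 /usr/bin/chromium`; afterwards `cgroup_path_of memory /proc/$(pidof chromium | cut -d' ' -f1)/cgroup` should print `/chrome`, and `grep nr_throttled /sys/fs/cgroup/cpu/chrome/cpu.stat` shows whether the quota is actually biting.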
## Configuring process to use specific interface

### Set cgroup classid

Give the group a net_cls classid; the kernel tags every socket owned by a task in the group with it, and iptables can match on that tag:

```
net_cls {
    net_cls.classid = 0x10001;
}
```

### Iptables filtering

Divert the cgroup's traffic into dedicated chains, accept only the secure interface and drop everything else. The ACCEPT rule has to come before the DROP in each chain, because iptables walks a chain top to bottom and stops at the first terminating target; a chain that starts with DROP never reaches its ACCEPT:

```
iptables -N CHROME_OUT
iptables -N CHROME_IN
iptables -t filter -A OUTPUT -m cgroup --cgroup 0x10001 -j CHROME_OUT
iptables -A CHROME_OUT -o tun0 -j ACCEPT
iptables -A CHROME_OUT -j DROP
iptables -t filter -A INPUT -m cgroup --cgroup 0x10001 -j CHROME_IN
iptables -A CHROME_IN -i tun0 -j ACCEPT
iptables -A CHROME_IN -j DROP
```

Now only the single secure interface is available to the chrome cgroup; if that interface goes down, the group has no network connection at all (a kill switch). The OUTPUT chain is what actually confines the traffic: per iptables-extensions(8) the cgroup match in INPUT only matches packets that early socket demuxing has already associated with a local socket, so the INPUT chain should not be relied on. Replies to connections that were opened over tun0 arrive on tun0 anyway.

### Run

```
cgexec -g memory,cpuset,cpu,net_cls:chrome /usr/bin/chromium
```

## Exploring other configuration options

cgroups are configured through the cgroup filesystem, mounted per hierarchy under /sys/fs/cgroup (co-mounted controllers such as `cpu,cpuacct` and `net_cls,net_prio` share one directory, with `cpu`, `cpuacct`, `net_cls` and `net_prio` as symlinks to it):

```
ls /sys/fs/cgroup
blkio  cgmanager  cpu  cpu,cpuacct  cpuacct  cpuset  devices  freezer  hugetlb
memory  net_cls  net_cls,net_prio  net_prio  perf_event  pids  rdma  systemd  unified
```

If the rules from the previous section have been applied, they can be found there:

```
cat /sys/fs/cgroup/cpu/chrome/cpu.shares
900
cat /sys/fs/cgroup/memory/chrome/memory.limit_in_bytes
3999997952
cat /sys/fs/cgroup/cpuset/chrome/cpuset.mems
0
cat /sys/fs/cgroup/cpuset/chrome/cpuset.cpus
0-1
```

More options for each subsystem can be found with:

```
ls /sys/fs/cgroup/*/
```

Here are some extra options for cpu. The `cpu` directory is the co-mounted `cpu,cpuacct` hierarchy, which is why the cpuacct accounting files show up as well; `cpu.cfs_period_us` and `cpu.cfs_quota_us` are the bandwidth-cap files, and `cpu.stat` reports `nr_throttled` so a cap can be checked:

```
ls /sys/fs/cgroup/cpu/
cgroup.clone_children  cpuacct.usage_all          cpu.cfs_period_us
cgroup.procs           cpuacct.usage_percpu       cpu.cfs_quota_us
cgroup.sane_behavior   cpuacct.usage_percpu_sys   cpu.shares
chrome                 cpuacct.usage_percpu_user  cpu.stat
cpuacct.stat           cpuacct.usage_sys          notify_on_release
cpuacct.usage          cpuacct.usage_user         release_agent
                                                  tasks
```

## Links

[1] https://wiki.archlinux.org/index.php/Cgroups
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/resource_management_guide/ch01
[3] https://blog.michael.kuron-germany.de/tag/iptables/
[4] http://main.lv/writeup/using_iptables.md
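As an added example for the "Configuring process to use specific interface" section above (not part of the original notes), the same cgroup kill switch expressed as an `iptables-restore` ruleset: the chains are created and filled in one atomic load instead of rule by rule, and a small check refuses to load a chain whose DROP precedes its ACCEPT. It assumes an iptables build with the `cgroup` (xt_cgroup) match, the classid `0x10001` and VPN interface `tun0` from the notes, and root to apply; the function names (`chrome_ruleset`, `chain_targets`, `ruleset_ok`, `apply_chrome_rules`, `remove_chrome_rules`) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original notes: the cgroup kill switch from the
# "Configuring process to use specific interface" section as an atomic
# iptables-restore ruleset, plus a guard that ACCEPT precedes DROP.
# Assumptions: iptables with the xt_cgroup match (net_cls classid), the
# classid 0x10001 and VPN interface tun0 from the notes, root to apply.
set -eu

# Emit a filter-table stanza for iptables-restore. Order matters: iptables
# stops at the first terminating target, so ACCEPT must precede DROP.
chrome_ruleset() {
    classid=$1; iface=$2
    cat <<EOF
*filter
:CHROME_OUT - [0:0]
:CHROME_IN - [0:0]
-A OUTPUT -m cgroup --cgroup $classid -j CHROME_OUT
-A CHROME_OUT -o $iface -j ACCEPT
-A CHROME_OUT -j DROP
-A INPUT -m cgroup --cgroup $classid -j CHROME_IN
-A CHROME_IN -i $iface -j ACCEPT
-A CHROME_IN -j DROP
COMMIT
EOF
}

# chain_targets CLASSID IFACE CHAIN: the sequence of targets in one chain,
# e.g. "ACCEPT DROP", taken from the generated ruleset.
chain_targets() {
    chrome_ruleset "$1" "$2" | awk -v chain="$3" '
        $1 == "-A" && $2 == chain { t = t (t ? " " : "") $NF }
        END { print t }'
}

# Refuse a ruleset in which either chain would drop before it accepts.
ruleset_ok() {
    for chain in CHROME_OUT CHROME_IN; do
        case "$(chain_targets "$1" "$2" "$chain")" in
            "ACCEPT DROP") ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# apply_chrome_rules CLASSID IFACE: load without flushing the other tables
# (iptables-restore -n), so existing firewall rules are kept.
apply_chrome_rules() {
    ruleset_ok "$1" "$2" || { echo "refusing ruleset: DROP before ACCEPT" >&2; return 1; }
    chrome_ruleset "$1" "$2" | iptables-restore -n
}

# remove_chrome_rules CLASSID: unhook and delete the two chains again.
remove_chrome_rules() {
    classid=$1
    iptables -D OUTPUT -m cgroup --cgroup "$classid" -j CHROME_OUT
    iptables -D INPUT  -m cgroup --cgroup "$classid" -j CHROME_IN
    iptables -F CHROME_OUT; iptables -X CHROME_OUT
    iptables -F CHROME_IN;  iptables -X CHROME_IN
}
```

`chrome_ruleset 0x10001 tun0` prints the stanza for review, `apply_chrome_rules 0x10001 tun0` loads it, and `cgexec -g memory,cpuset,cpu,net_cls:chrome /usr/bin/chromium` then runs the browser under it. The same INPUT-chain caveat from the section above applies here: the OUTPUT side is the enforced part.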