title:Using cgroups
keywords:linux,security,cgroups
# Using cgroups
## Requirements
Download the package for your distro; for Arch Linux there is [cgmanager](https://www.archlinux.org/packages/?name=cgmanager).
cgroups let you configure how the resources of specific processes are treated. These days there is a lot of bloatware around, so it is nice to
limit at least some processes so they don't use too much memory or CPU. That
also prevents some processes from hanging the system.
It is quite common that Chrome freezes the whole system when it eats up all CPU and memory, especially when opening some "optimized" pages like YouTube.
These notes grew out of frustration with that.
There are also not enough guides on how to configure some parts of cgroups,
so some time went into research.
cgroups let you configure these resources:
| Resource | Description |
| --- | --- |
| blkio | this subsystem sets limits on input/output access to and from block devices such as physical drives (disk, solid state, or USB) |
| cpu | this subsystem uses the scheduler to provide cgroup tasks access to the CPU |
| cpuacct | this subsystem generates automatic reports on CPU resources used by tasks in a cgroup |
| cpuset | this subsystem assigns individual CPUs (on a multicore system) and memory nodes to tasks in a cgroup |
| devices | this subsystem allows or denies access to devices by tasks in a cgroup |
| freezer | this subsystem suspends or resumes tasks in a cgroup |
| memory | this subsystem sets limits on memory use by tasks in a cgroup and generates automatic reports on memory resources used by those tasks |
| net_cls | this subsystem tags network packets with a class identifier (classid) that allows the Linux traffic controller (tc) to identify packets originating from a particular cgroup task |
| net_prio | this subsystem provides a way to dynamically set the priority of network traffic per network interface |
| ns | the namespace subsystem |
| perf_event | this subsystem identifies cgroup membership of tasks and can be used for performance analysis |
## Configure example
Since the requirement was to stop Chrome from stalling the system, memory and CPU will be limited.
The group definition goes in _/etc/cgconfig.conf_ (the file `cgconfigparser` loads below).
Set permissions for the user the group applies to:
```
perm {
    admin {
        uid = youruser;
        gid = youruser;
    }
    task {
        uid = youruser;
        gid = youruser;
    }
}
```
Limit the CPUs the process may run on; here it is pinned to CPUs 0-1:
```
cpuset {
    cpuset.mems = "0";
    cpuset.cpus = "0-1";
}
```
Limit CPU load; set CPU usage max to 90%:
```
cpu {
    cpu.shares = 900;
}
```
Limit the process's memory to 4G:
```
memory {
    memory.limit_in_bytes = "4000000000";
}
```
The final config looks like this:
```
group chrome {
    perm {
        admin {
            uid = fam;
            gid = fam;
        }
        task {
            uid = fam;
            gid = fam;
        }
    }
    cpuset {
        cpuset.mems = "0";
        cpuset.cpus = "0-1";
    }
    memory {
        memory.limit_in_bytes = "4000000000";
    }
    cpu {
        cpu.shares = 900;
    }
    net_cls {
        net_cls.classid = 11;
    }
}
```
Load the configuration and launch the process with the memory, cpuset and cpu rules of the chrome group applied:
```
cgconfigparser -l /etc/cgconfig.conf
cgexec -g memory,cpuset,cpu:chrome /usr/bin/chromium
```
Now we can safely play videos from the internet without the system stalling.
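A check worth running after the `cgexec` launch, added here as an example and not part of the original notes: confirm from `/proc/<pid>/cgroup` that the process really landed in the chrome group for every controller named in `-g`. The sample cgroup listing below is constructed, not captured from a live host.

```shell
#!/bin/sh
# Parses cgroup-v1 lines from /proc/<pid>/cgroup: "hierarchy-id:controllers:path".

# in_group CGROUP_TEXT GROUP CONTROLLER -> 0 if CONTROLLER is attached under /GROUP
in_group() {
    printf '%s\n' "$1" | awk -F: -v grp="/$2" -v ctl="$3" '
        {
            n = split($2, ctls, ",")          # e.g. "cpu,cpuacct" share one hierarchy
            for (i = 1; i <= n; i++)
                if (ctls[i] == ctl && $3 == grp) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# all_in_group CGROUP_TEXT GROUP CTL... -> 0 only if every controller matches
all_in_group() {
    text=$1; grp=$2; shift 2
    for ctl in "$@"; do
        in_group "$text" "$grp" "$ctl" || return 1
    done
    return 0
}

# Constructed sample of /proc/<pid>/cgroup for a process started with
# "cgexec -g memory,cpuset,cpu:chrome": net_cls was not given, so it stays at /
SAMPLE='11:memory:/chrome
10:cpuset:/chrome
9:cpu,cpuacct:/chrome
8:net_cls,net_prio:/
1:name=systemd:/user.slice/user-1000.slice/session-1.scope'

# Live use: all_in_group "$(cat /proc/<pid>/cgroup)" chrome memory cpuset cpu
main() {
    if all_in_group "$SAMPLE" chrome memory cpuset cpu; then
        echo "memory,cpuset,cpu: confined to /chrome"
    fi
    all_in_group "$SAMPLE" chrome net_cls \
        || echo "net_cls: not confined, iptables --cgroup rules will not match this process"
}
main
```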
## Configuring a process to use a specific interface
### Set cgroup classid
```
net_cls {
    net_cls.classid = 0x10001;
}
```
### Iptables filtering
Rules in a chain are evaluated top to bottom, so the `tun0` ACCEPT must come before the catch-all DROP, and the inbound chain must match on the input interface (`-i`):
```
iptables -N CHROME_OUT
iptables -N CHROME_IN
# outgoing packets from the cgroup: allow tun0 only, drop everything else
iptables -t filter -A OUTPUT -m cgroup --cgroup 0x10001 -j CHROME_OUT
iptables -A CHROME_OUT -o tun0 -j ACCEPT
iptables -A CHROME_OUT -j DROP
# incoming packets for the cgroup's sockets: same policy on the input side
iptables -t filter -A INPUT -m cgroup --cgroup 0x10001 -j CHROME_IN
iptables -A CHROME_IN -i tun0 -j ACCEPT
iptables -A CHROME_IN -j DROP
```
Now only the single, secure interface is available to the chrome cgroup; if the secure interface goes down,
the group has no network connection at all.
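Because a misordered DROP silently cuts all traffic for the cgroup, it pays to verify the chains after loading them. The following is an added example (not from the original notes) that checks an `iptables -S CHAIN` listing for the expected order and confirms the jump from OUTPUT is scoped to the classid; the listings below are constructed.

```shell
#!/bin/sh
# chain_allows_only CHAIN_LISTING IFACE_FLAG IFACE -> 0 if the chain accepts
# IFACE (via -o or -i) before its catch-all DROP and contains nothing else
chain_allows_only() {
    printf '%s\n' "$1" | awk -v flag="$2" -v ifc="$3" '
        /^-N / { next }                                        # chain creation line
        $0 ~ ("-A [A-Z_]+ " flag " " ifc " -j ACCEPT$") { accept = NR; next }
        /-A [A-Z_]+ -j DROP$/ { drop = NR; next }
        { other++ }                                            # anything else is unexpected
        END { exit (accept && drop && accept < drop && !other) ? 0 : 1 }'
}

# jump_is_scoped LISTING CHAIN CLASSID -> 0 if the jump into CHAIN carries the
# cgroup match; without it every process on the host would be filtered
jump_is_scoped() {
    printf '%s\n' "$1" | grep -q -- "-m cgroup --cgroup $3 -j $2\$"
}

# Constructed "iptables -S CHROME_OUT" output in the correct order
GOOD_OUT='-N CHROME_OUT
-A CHROME_OUT -o tun0 -j ACCEPT
-A CHROME_OUT -j DROP'

# Same rules with DROP first: the ACCEPT is never reached
BAD_OUT='-N CHROME_OUT
-A CHROME_OUT -j DROP
-A CHROME_OUT -o tun0 -j ACCEPT'

# Constructed "iptables -S OUTPUT" output
OUTPUT_CHAIN='-P OUTPUT ACCEPT
-A OUTPUT -m cgroup --cgroup 0x10001 -j CHROME_OUT'

# Live use: chain_allows_only "$(iptables -S CHROME_IN)" -i tun0
main() {
    chain_allows_only "$GOOD_OUT" -o tun0 && echo "CHROME_OUT: ok"
    chain_allows_only "$BAD_OUT" -o tun0 || echo "CHROME_OUT draft: DROP shadows the tun0 ACCEPT"
    jump_is_scoped "$OUTPUT_CHAIN" CHROME_OUT 0x10001 && echo "OUTPUT jump is scoped to cgroup 0x10001"
}
main
```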
### Run
```
cgexec -g memory,cpuset,cpu,net_cls:chrome /usr/bin/chromium
```
## Exploring other configuration options
cgroups are configured through a pseudo-filesystem mounted under /sys/fs/cgroup:
```
ls /sys/fs/cgroup
blkio cpuacct devices memory net_prio rdma
cgmanager cpu,cpuacct freezer net_cls perf_event systemd
cpu cpuset hugetlb net_cls,net_prio pids unified
```
If the rules from the previous section have been applied, they can be found here:
```
cat /sys/fs/cgroup/cpu/chrome/cpu.shares
900
cat /sys/fs/cgroup/memory/chrome/memory.limit_in_bytes
3999997952
cat /sys/fs/cgroup/cpuset/chrome/cpuset.mems
0
cat /sys/fs/cgroup/cpuset/chrome/cpuset.cpus
0-1
```
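The listing above shows the kernel applied 3999997952 rather than the configured 4000000000: memory.limit_in_bytes is rounded down to a whole number of pages (4096 bytes here). The script below, an added example rather than part of the original notes, compares the effective values under the cgroup filesystem with the configured ones, taking that rounding into account; it runs against a constructed stand-in tree, and on a live host ROOT would be /sys/fs/cgroup.

```shell
#!/bin/sh
# page_rounded BYTES PAGESIZE -> BYTES rounded down to a multiple of PAGESIZE
page_rounded() {
    echo $(( $1 - $1 % $2 ))
}

# check_limits ROOT GROUP SHARES MEM_BYTES CPUS MEMS [PAGESIZE] -> 0 if the
# effective values match the configured ones (PAGESIZE defaults to 4096;
# pass "$(getconf PAGESIZE)" on a live host)
check_limits() {
    base=$1; grp=$2; pagesize=${7:-4096}; rc=0
    [ "$(cat "$base/cpu/$grp/cpu.shares")" = "$3" ] \
        || { echo "cpu.shares mismatch"; rc=1; }
    [ "$(cat "$base/memory/$grp/memory.limit_in_bytes")" = "$(page_rounded "$4" "$pagesize")" ] \
        || { echo "memory.limit_in_bytes mismatch"; rc=1; }
    [ "$(cat "$base/cpuset/$grp/cpuset.cpus")" = "$5" ] \
        || { echo "cpuset.cpus mismatch"; rc=1; }
    [ "$(cat "$base/cpuset/$grp/cpuset.mems")" = "$6" ] \
        || { echo "cpuset.mems mismatch"; rc=1; }
    return $rc
}

# Constructed stand-in for /sys/fs/cgroup holding the values the notes show
make_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/cpu/chrome" "$demo/memory/chrome" "$demo/cpuset/chrome"
    echo 900        > "$demo/cpu/chrome/cpu.shares"
    echo 3999997952 > "$demo/memory/chrome/memory.limit_in_bytes"
    echo 0-1        > "$demo/cpuset/chrome/cpuset.cpus"
    echo 0          > "$demo/cpuset/chrome/cpuset.mems"
    echo "$demo"
}

main() {
    tree=$(make_demo_tree)
    check_limits "$tree" chrome 900 4000000000 0-1 0 && echo "chrome: limits applied as configured"
    rm -r "$tree"
}
main
```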
More options for each subsystem can be listed with:
```
ls /sys/fs/cgroup/*/
```
Here are some extra options for cpu:
```
ls /sys/fs/cgroup/cpu/
cgroup.clone_children cpuacct.usage_percpu cpu.shares
cgroup.procs cpuacct.usage_percpu_sys cpu.stat
cgroup.sane_behavior cpuacct.usage_percpu_user notify_on_release
chrome cpuacct.usage_sys release_agent
cpuacct.stat cpuacct.usage_user tasks
cpuacct.usage cpu.cfs_period_us
cpuacct.usage_all cpu.cfs_quota_us
```