Linux - Linux Control Groups (cgroups)

Linux Control Groups, commonly known as cgroups, are a Linux kernel feature that allows administrators to organize processes into groups and allocate or limit the system resources they can use. Introduced to improve resource management, cgroups enable efficient sharing of CPU, memory, disk I/O, network bandwidth, and other system resources among multiple applications or users. They are widely used in cloud computing, virtualization, and container technologies such as Docker and Kubernetes.

Unlike traditional process management, where resources are distributed dynamically based on system demand, cgroups provide fine-grained control over resource allocation. This ensures that critical applications receive sufficient resources while preventing less important processes from consuming excessive system capacity.

Why cgroups are Important

Modern servers often run multiple applications simultaneously. Without proper resource control, one application may consume excessive CPU or memory, causing other applications to slow down or even crash.

For example:

  • A web server hosting multiple websites should ensure that one busy website does not affect others.

  • A database server should receive guaranteed memory even when other applications experience high load.

  • Cloud providers must isolate customer workloads so that each virtual machine or container receives its allocated resources.

  • Developers running containers on a single system need to prevent one container from monopolizing CPU or RAM.

Cgroups solve these problems by enforcing resource limits and monitoring resource usage.

Features of cgroups

Linux cgroups provide several important capabilities.

Resource Limiting

Administrators can specify the maximum amount of CPU, memory, disk I/O, or network bandwidth that a group of processes can consume.

Resource Prioritization

Some applications can be assigned higher priority than others, ensuring better performance during heavy workloads.

Resource Accounting

Cgroups maintain detailed statistics about resource consumption, including CPU time, memory usage, and disk operations.

Process Grouping

Multiple related processes can be placed into a single control group and managed collectively.

Resource Isolation

Applications running in separate cgroups operate independently, reducing interference between workloads.

Components of cgroups

A cgroup consists of several components working together.

Control Group

A collection of one or more processes that share common resource management policies.

Controllers (Subsystems)

Controllers manage specific types of resources. Each controller applies limits and tracks resource usage for its assigned processes.

Common controllers include:

Controller   Function
cpu          Controls CPU allocation and scheduling
cpuset       Assigns CPUs and memory nodes
memory       Limits RAM usage
io           Controls disk input/output operations
pids         Limits the number of processes
devices      Controls access to hardware devices
freezer      Suspends and resumes process execution
hugetlb      Manages huge page memory allocation

How cgroups Work

The Linux kernel organizes cgroups in a hierarchical structure.

For example:

/
├── WebServers
│   ├── Apache
│   └── Nginx
├── Databases
│   └── MySQL
└── Containers
    ├── Container1
    └── Container2

Each group has its own resource configuration.

Processes assigned to these groups automatically inherit the limits defined for that group.

CPU Resource Control

CPU usage can be restricted or prioritized.

Example:

Suppose a server has four CPU cores.

A video encoding application may require significant processing power, while a monitoring application needs only occasional CPU access.

Using cgroups:

  • Video encoder receives 70% CPU time.

  • Monitoring service receives 10%.

  • Web server receives 20%.

This prevents background applications from slowing critical services.

Memory Resource Control

Memory is one of the most commonly managed resources.

Administrators can specify:

  • Maximum RAM usage

  • Minimum guaranteed memory

  • Swap usage

  • Memory reclaim behavior

Example:

Web Server:
Memory Limit = 4 GB

Database:
Memory Limit = 8 GB

Backup Service:
Memory Limit = 2 GB

If the backup service attempts to use more than 2 GB, the kernel may terminate processes or deny additional memory allocation, depending on the configuration.

Disk I/O Control

Applications performing heavy disk operations can slow down the entire system.

The I/O controller allows administrators to:

  • Limit read speed

  • Limit write speed

  • Set disk priorities

  • Control bandwidth usage

Example:

A nightly backup job can be limited to prevent it from affecting database performance during business hours.

Process Limits

The PIDs controller restricts the number of processes a cgroup may create.

Example:

Maximum Processes = 100

If the application attempts to create the 101st process, the kernel blocks the request.

This helps prevent:

  • Fork bombs

  • Resource exhaustion

  • Accidental runaway applications

Device Access Control

The Devices controller controls which hardware devices a process can access.

Examples include:

  • USB devices

  • Hard disks

  • Audio devices

  • Graphics hardware

Containers often use this feature to prevent unauthorized hardware access.

cgroups Version 1 and Version 2

Linux supports two versions of cgroups.

cgroups v1

  • Multiple independent hierarchies

  • Separate controllers

  • Greater flexibility

  • More complex management

cgroups v2

  • Unified hierarchy

  • Simpler configuration

  • Better resource distribution

  • Improved security

  • Preferred by modern Linux distributions

Most current Linux systems use cgroups v2 by default.

Relationship Between cgroups and Containers

Containers rely heavily on cgroups.

When a Docker container starts, Docker automatically creates a cgroup for it.

The cgroup controls:

  • CPU usage

  • Memory consumption

  • Disk bandwidth

  • Number of processes

  • Device access

Without cgroups, containers would not have effective resource isolation.

cgroups and systemd

Modern Linux distributions use systemd to manage services.

Systemd automatically creates cgroups for:

  • System services

  • User sessions

  • Background processes

For example:

system.slice
user.slice
machine.slice

Each slice contains processes with separate resource policies.

Administrators can modify service resource limits through systemd configuration files without manually managing cgroups.
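
The systemd route described above, as an added example that is not part of the original page: a shell function that writes a drop-in with memory, task and CPU caps, and refuses values that would leave the service unbounded. The unit name backup.service, the file name 50-limits.conf and the values in the dry run are assumptions chosen to match this page's figures.

```shell
#!/bin/sh
# Added example: cap a service's cgroup through a systemd drop-in.
# Unit name, file name and values are assumptions for illustration.

# write_limits_dropin DIR UNIT MEMORY_MAX TASKS_MAX CPU_QUOTA
# DIR is /etc/systemd/system on a real host; a scratch directory works for a dry run.
write_limits_dropin() {
    d_dir=$1/$2.d
    for d_val in "$3" "$4" "$5"; do
        case $d_val in
            ''|infinity) echo "refusing unbounded limit for $2" >&2; return 1 ;;
        esac
    done
    mkdir -p "$d_dir" || return 1
    cat > "$d_dir/50-limits.conf" <<EOF
[Service]
# Hard memory ceiling; systemd writes it to the unit's memory.max
MemoryMax=$3
# Task ceiling; systemd writes it to the unit's pids.max
TasksMax=$4
# CPU time cap relative to one CPU; systemd writes it to the unit's cpu.max
CPUQuota=$5
EOF
    echo "$d_dir/50-limits.conf"
}

# Dry run in a scratch directory: 2 GB of memory, 100 tasks, 10% of one CPU.
scratch=$(mktemp -d)
write_limits_dropin "$scratch" backup.service 2G 100 10%
rm -rf "$scratch"
# On a real host, apply with: systemctl daemon-reload && systemctl restart backup.service
# and confirm with: systemctl show backup.service -p MemoryMax -p TasksMax
```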

Monitoring cgroups

Linux provides several ways to monitor cgroups.

Common methods include:

  • Viewing files under /sys/fs/cgroup

  • Using systemd-cgtop

  • Using systemctl status

  • Reading controller statistics

  • Performance monitoring tools

These tools provide information about:

  • CPU usage

  • Memory usage

  • Process count

  • I/O activity

  • Resource limits
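
One way to turn the files under /sys/fs/cgroup into a check, as an added example that is not part of the original page: it assumes a cgroups v2 hierarchy, lists populated cgroups that have no memory or process cap, and reports counters showing that the kernel has already enforced a limit. The sample tree and its service names are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: audit a cgroup v2 tree. Paths default to /sys/fs/cgroup;
# the sample tree built below is constructed, not real kernel data.

# Print "<cgroup> <file>=max" for each populated cgroup with no memory or pids cap.
audit_unlimited() {
    root=${1:-/sys/fs/cgroup}
    find "$root" -type f -name cgroup.procs | sort | while read -r procs; do
        dir=${procs%/cgroup.procs}; rel=${dir#"$root"}
        grep -q . "$procs" 2>/dev/null || continue   # no processes inside
        for f in memory.max pids.max; do
            [ -r "$dir/$f" ] || continue             # controller not enabled
            if [ "$(cat "$dir/$f")" = max ]; then echo "${rel:-/} $f=max"; fi
        done
    done
}

# Print counters showing the kernel enforced a limit: pids.events "max" (times
# pids.max was hit) and memory.events "oom_kill" (processes killed).
limit_hits() {
    root=${1:-/sys/fs/cgroup}
    find "$root" -type f \( -name pids.events -o -name memory.events \) | sort |
    while read -r ev; do
        case $ev in */pids.events) key=max ;; *) key=oom_kill ;; esac
        n=$(awk -v k="$key" '$1 == k { print $2 }' "$ev")
        dir=${ev%/*}; rel=${dir#"$root"}
        if [ "${n:-0}" -gt 0 ]; then echo "${rel:-/} ${ev##*/}:$key=$n"; fi
    done
}

# Constructed sample tree so the script runs offline.
make_sample_tree() {
    t=$(mktemp -d); w=$t/system.slice/web.service; b=$t/system.slice/backup.service
    mkdir -p "$w" "$b"
    printf '101\n102\n' > "$w/cgroup.procs"
    echo max > "$w/memory.max"; echo 100 > "$w/pids.max"; echo 'max 3' > "$w/pids.events"
    echo 201 > "$b/cgroup.procs"
    echo 2147483648 > "$b/memory.max"; echo max > "$b/pids.max"
    printf 'oom 1\noom_kill 1\n' > "$b/memory.events"
    echo "$t"
}

tree=$(make_sample_tree); audit_unlimited "$tree"; limit_hits "$tree"; rm -rf "$tree"
```

A value of max means no limit is set at that level of the hierarchy; a limit on an ancestor cgroup still applies to the group.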

Advantages of cgroups

  • Efficient resource allocation

  • Better application isolation

  • Improved system stability

  • Fair sharing of hardware resources

  • Enhanced security

  • Prevents resource starvation

  • Supports cloud computing and virtualization

  • Essential for container technologies

  • Simplifies performance management

  • Enables detailed resource monitoring

Limitations of cgroups

  • Configuration can become complex in large environments.

  • Improper resource limits may reduce application performance.

  • Some legacy applications may not behave as expected under strict resource constraints.

  • Administrators need a good understanding of workload requirements to configure optimal limits.

  • Monitoring many cgroups on large systems may introduce a small amount of management overhead.

Practical Applications

Linux cgroups are widely used in real-world environments.

  • Cloud service providers allocate guaranteed resources to each customer.

  • Docker and Kubernetes use cgroups to isolate containers and enforce resource quotas.

  • Web hosting companies prevent one hosted application from affecting others.

  • Database servers reserve memory and CPU resources for critical workloads.

  • High-performance computing clusters allocate processing resources among multiple users.

  • Continuous Integration and Continuous Deployment (CI/CD) systems isolate build jobs to prevent resource conflicts.

  • Enterprise Linux servers use cgroups to ensure that business-critical applications remain responsive during periods of high system load.

Conclusion

Linux Control Groups (cgroups) provide a powerful mechanism for managing and isolating system resources. By grouping processes and applying limits on CPU, memory, disk I/O, process counts, and device access, cgroups help maintain system stability, improve security, and ensure fair resource distribution. They are a fundamental component of modern Linux systems and play a crucial role in containerization, cloud computing, virtualization, and enterprise server management. Understanding cgroups enables Linux administrators to optimize system performance, prevent resource contention, and build reliable, scalable computing environments.