Chapter 3. Control Groups

In this chapter, you will learn about one of the fundamental building blocks that are used to make containers: control groups, more commonly known as cgroups.

Cgroups limit the resources, such as memory, CPU, and network input/output, that a group of processes can use. From a security perspective, well-tuned cgroups can ensure that one process can’t affect the behavior of other processes by hogging all the resources—for example, using all the CPU or memory to starve other applications. There is also a control group called pid for limiting the total number of processes allowed within a control group, which can blunt the effect of a fork bomb.

Note

A fork bomb rapidly creates processes that in turn create more processes, leading to an exponential growth in the use of resources that ultimately cripples the machine. This video of a talk I gave a few years back includes a demonstration of using the pid control group to limit the effect of a fork bomb.

As you will see in detail in Chapter 4, containers run as regular Linux processes, so cgroups can be used to limit the resources available to each container. Let’s see how cgroups are organized.

Cgroup Hierarchies

There is a hierarchy of control groups for each type of resource being managed, and each hierarchy is managed by a cgroup controller. Any Linux process is a member of one cgroup of each type, and when it is first created, a process inherits the cgroups of its parent.
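One way to see this membership in practice, as an added example that is not code from the book: parse a process’s `/proc/<pid>/cgroup` file to find which cgroup it belongs to under each controller, then walk the pids hierarchy upward, since a `pids.max` set on any ancestor group also bounds its descendants. The sample file contents and limit values below are constructed, not captured from a real host.

```python
"""Cgroup membership per controller and the effective pids limit (example)."""
from pathlib import Path

# Constructed /proc/self/cgroup content: v1 controllers plus the v2 line.
# Each line is hierarchy-id:controllers:path; the controllers field is a
# comma-separated list for v1 and empty for the unified (v2) hierarchy.
SAMPLE_PROC_CGROUP = """\
12:pids:/docker/abc123
11:memory:/docker/abc123
10:cpu,cpuacct:/docker/abc123
0::/system.slice/docker.service
"""

# Constructed pids.max values per cgroup path, as a v2 host would expose
# them at /sys/fs/cgroup/<path>/pids.max ("max" means unlimited).
SAMPLE_PIDS_MAX = {"/": "max", "/user.slice": "1000", "/user.slice/app": "max"}


def parse_proc_cgroup(text):
    """Map each controller name to the cgroup path the process belongs to."""
    membership = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _hier_id, controllers, path = line.split(":", 2)
        for name in (controllers.split(",") if controllers else ["unified"]):
            membership[name] = path
    return membership


def parse_pids_max(value):
    """pids.max holds either the literal 'max' (no limit) or an integer."""
    value = value.strip()
    return None if value == "max" else int(value)


def effective_pid_limit(cgroup_path, read_pids_max):
    """Smallest pids.max from cgroup_path up to the root (None = unlimited).

    read_pids_max(path) returns the file text, or None where the pids
    controller is not enabled for that group.
    """
    limit = None
    path = Path(cgroup_path)
    for ancestor in [path, *path.parents]:
        raw = read_pids_max(ancestor.as_posix())
        value = parse_pids_max(raw) if raw is not None else None
        if value is not None and (limit is None or value < limit):
            limit = value
    return limit


def read_from_sysfs(path, mount="/sys/fs/cgroup"):
    """Reader for a live v2 host; None where pids.max does not exist."""
    f = Path(mount) / path.lstrip("/") / "pids.max"
    return f.read_text() if f.exists() else None


if __name__ == "__main__":
    print("pids cgroup:", parse_proc_cgroup(SAMPLE_PROC_CGROUP)["pids"])
    print("limit:", effective_pid_limit("/user.slice/app", SAMPLE_PIDS_MAX.get))
```

On a real cgroup v2 host, pass `read_from_sysfs` as the reader and the path from the `0::` line to see the limit that actually applies to the current process.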

The Linux kernel communicates ...
