27

How can I create and use cgroups as a non-root user?

For example, can I, entirely as a non-root user:

  • create a cgroup with access to one CPU
  • create a new process in that cgroup?

I first asked here but I didn't receive a complete answer. I also asked on Stack Overflow, but the question was closed as off topic.

Adam Monsen

4 Answers

21

You can't do that as a normal user. But you can set up a cgroup as root, and make it configurable by your user.

If you do not already have the default cgroups controllers mounted by e.g. systemd:

$ sudo mount -t tmpfs cgroup_root /sys/fs/cgroup
$ sudo mkdir /sys/fs/cgroup/cpuset
$ sudo mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset

Create a cgroup:

$ sudo mkdir /sys/fs/cgroup/cpuset/${USER}
$ sudo chown -R ${USER} /sys/fs/cgroup/cpuset/${USER}

You can now modify the configuration of your cgroup as a normal user:

$ echo 0-3 > /sys/fs/cgroup/cpuset/${USER}/cpuset.cpus

Add a process to that group:

$ ./my_task &
$ echo $! > /sys/fs/cgroup/cpuset/${USER}/tasks

Or create a subgroup:

$ mkdir /sys/fs/cgroup/cpuset/${USER}/subgroup
$ echo 0-1 > /sys/fs/cgroup/cpuset/${USER}/subgroup/cpuset.cpus
$ ./my_other_task &
$ echo $! > /sys/fs/cgroup/cpuset/${USER}/subgroup/tasks
chris
  • how would you delete the subgroup? `rm -r` fails for me – hbogert Jun 11 '16 at 15:34
  • `rm -r` would try to delete the files first, which fails. Use `rmdir` to remove a cgroup. – Dennis B. Jun 12 '16 at 15:59
  • You cannot `rmdir` until the `tasks` file is empty. root would need to look at the tasks file in the subgroup, and echo each pid there into the root cgroup's tasks file (`/dev/cpuset/tasks` on my RHEL 6.7 [kernel 2.6.32-358] box, but it looks like `/sys/fs/cgroup/cpuset/tasks` might be appropriate here). – Mike S Dec 12 '17 at 22:25
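
The steps from this answer and its comments combined into one script, as an added example that is not part of the original answer or comments. It assumes the cgroup v1 cpuset layout shown above, with the directory already chowned to you by root; the function names are made up for illustration, and it also sets `cpuset.mems`, which a v1 cpuset needs before it accepts tasks.

```shell
#!/bin/sh
# Added example (not from the answer): lifecycle of a cgroup v1 cpuset that
# root has already chowned to you, e.g. /sys/fs/cgroup/cpuset/$USER.
# Function names are hypothetical.

# cg_create DIR CPUS MEMS
# A v1 cpuset needs both cpuset.cpus and cpuset.mems set before it will
# accept tasks; with either one empty, writing a PID fails with ENOSPC.
cg_create() {
    mkdir "$1" || return 1
    printf '%s\n' "$2" > "$1/cpuset.cpus" || return 1
    printf '%s\n' "$3" > "$1/cpuset.mems" || return 1
}

# cg_add DIR PID: attach one process (the v1 "tasks" file takes one PID per write).
cg_add() {
    printf '%s\n' "$2" > "$1/tasks"
}

# cg_drain DIR: move every task in DIR to the parent cgroup and print how
# many were moved. The parent must be writable by you as well.
cg_drain() {
    parent=$(dirname "$1")
    moved=0
    # Read the whole list first; it shrinks as tasks leave.
    for pid in $(cat "$1/tasks"); do
        # A task may exit between the read and the write; skip it if so.
        if printf '%s\n' "$pid" > "$parent/tasks" 2>/dev/null; then
            moved=$((moved + 1))
        fi
    done
    echo "$moved"
}

# cg_remove DIR: drain, then rmdir. rm -r fails on cgroupfs because the
# control files cannot be unlinked; rmdir works once "tasks" is empty.
cg_remove() {
    cg_drain "$1" >/dev/null
    rmdir "$1"
}

# Usage on a real host (as the owning user):
#   CG=/sys/fs/cgroup/cpuset/$USER
#   cg_create "$CG/subgroup" 0-1 0
#   ./my_other_task & cg_add "$CG/subgroup" $!
#   cg_remove "$CG/subgroup"
```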
1

If you're using Ubuntu you (the root user) can install cgroup-lite and add what you need to /etc/cgconfig.conf, including which user(s) can change the cgroup's configuration. It runs on boot.

Failing that you (the root user) could add your own script to run during boot.

Ken Sharp
0

If you have a recent enough Linux distribution, you should be able to run processes in transient (temporary) cgroups, e.g.

$ systemd-run --user --scope /bin/bash

However, systemd is broken in many Linux distributions (Ubuntu versions prior to 21.10), and that fails with something like

polkitd(authority=local)[1300]: Registered Authentication Agent for unix-process:10428:26722972 (system bus name :1.478 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_DK.utf8)
systemd[2601]: run-rbe547d13ad2c41d7857ea9e660e51ab9.scope: Failed to add PIDs to scope's control group: Permission denied
systemd[2601]: run-rbe547d13ad2c41d7857ea9e660e51ab9.scope: Failed with result 'resources'.
systemd[2601]: Failed to start /bin/bash.
polkitd(authority=local)[1300]: Unregistered Authentication Agent for unix-process:10428:26722972 (system bus name :1.478, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_DK.utf8) (disconnected from bus)

The reason for this failure is that running transient cgroups without root requires support for cgroupv2, but Canonical really wants to push snap, and using cgroupv2 would have broken snap until snap had been patched enough. Ubuntu 21.10 is the first Ubuntu release that has a smart enough snap to work with cgroupv2, so any older Ubuntu version is intentionally broken for transient cgroups to allow snap to run at all.

I guess distributions that do not even try to support the misfeature called snap will have far fewer problems supporting cgroupv2 and this should work with older distribution versions, too.

Mikko Rantalainen
  • Interesting. What distributions did this fail on? – Michael Hampton Sep 04 '21 at 13:49
  • I'm currently running Ubuntu 18.04 LTS. I know it used to fail with older versions, too, but I haven't tested if it works in a more recent version. It appears that it's missing fixes to bug https://github.com/systemd/systemd/issues/9512 – note that without `sudo` you probably don't want `--scope` but `--pty`. – Mikko Rantalainen Sep 04 '21 at 13:55
  • Works for me on 248, no sudo or --pty needed. I wonder why Ubuntu hasn't backported it? Did nobody open a bug in launchpad? – Michael Hampton Sep 04 '21 at 15:26
  • It seems that the problem was the hack called `snap` by Canonical. It didn't support `cgroupv2` until recently so Ubuntu postponed the switch until `snap` could work with the newer API. This should work with Ubuntu 21.10 or greater according to documentation. – Mikko Rantalainen Sep 04 '21 at 15:29
  • If `mount | grep cgroupv2` outputs something, you're running a recent enough system. – Mikko Rantalainen Sep 04 '21 at 15:30
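
A way to check which cgroup layout a host runs and what is delegated to your user, as an added example that is not part of the original answer or comments. It reads the filesystem type column of the mount table (the kernel reports cgroup v2 as `cgroup2`) and assumes the mount points and slice paths systemd uses; the function names and the sample mount lines are constructed.

```shell
#!/bin/sh
# Added example (not from the answer). Function names are hypothetical.

# cgroup_mode [MOUNTS_FILE]: print unified, hybrid, legacy or none.
# Reads /proc/self/mounts by default; pass "-" to read the table from stdin.
# Columns: device, mount point, fstype, options, ...
cgroup_mode() {
    awk '
        $3 == "cgroup2" && $2 == "/sys/fs/cgroup"         { unified = 1 }
        $3 == "cgroup2" && $2 == "/sys/fs/cgroup/unified" { hybrid = 1 }
        $3 == "cgroup"                                    { v1 = 1 }
        END {
            if (unified)     print "unified"   # pure cgroup v2
            else if (hybrid) print "hybrid"    # v1 controllers plus a v2 tree
            else if (v1)     print "legacy"    # cgroup v1 only
            else             print "none"
        }' "${1:-/proc/self/mounts}"
}

# user_controllers [UID] [ROOT]: controllers delegated to that user's systemd
# manager on a unified host. Empty output means nothing is delegated, so
# resource limits set through systemd-run --user will not take effect.
user_controllers() {
    uid=${1:-$(id -u)}
    root=${2:-/sys/fs/cgroup}
    cat "$root/user.slice/user-$uid.slice/user@$uid.service/cgroup.controllers" 2>/dev/null
}

# Constructed sample: mount table lines of a host in hybrid mode.
cgroup_mode - <<'EOF'
tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset 0 0
EOF
```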
0

There is a series of articles on LWN on cgroups, see part 1, or look through the search there. Systemd includes a set of helpers to manage (processes caged by) cgroups.

Ivan Vučica
vonbrand