0

I am familiar with Docker, Rkt and LXD, but if I did not have the ability to install all these tools, what would be the basic mechanisms to provide isolation of CPU, memory and Disk for a particular process?

CPU - I want to say that only 1 socket of the two is usable by this process

Memory - I don't want this process to use more than 10GB memory

Disk - I don't want the process to use more than 100GB of disk and have visibility (ls should not list it) of files that are not created by this process

I think installing Docker, Rkt and what-not is very heavy weight solution for something basic that I am trying to accomplish

Is cgroups the underlying API I should tap into to get what I need? If so, is there a good book to learn about CGroups

I am running on EC2 - RHEL and Ubuntu both.

user855
  • 19,048
  • 38
  • 98
  • 162

1 Answers1

1

See man page for cgroups(7) for introduction, the full documentation of cgroup interface is maintained in linux kernel:

On top of that, on a distribution with systemd and cgroup v2 interface, cgroup features should be used via systemd and not directly. See also man page for systemd.resource-control.

For distribution specific information, see:

Quick answers to your questions

I want to say that only 1 socket of the two is usable by this process

This could be done via cpuset controller from cgroup v1 (both on RHEL 6 and RHEL 7).

I don't want this process to use more than 10GB memory

See memory controller of cgroup v1 interface or MemoryLimit of systemd resource control interface.

I don't want the process to use more than 100GB of disk

This is out of cgroups area of control, use disk quotas instead.

have visibility (ls should not list it) of files that are not created by this process

This is out of cgroups functionality, use either filesystem access right, filesystem namespaces or PrivateTmp systemd service option, depending on your use case.

marbu
  • 1,939
  • 2
  • 16
  • 30