25

How can I create and use cgroups as a non-root user?

For example, can I, entirely as a non-root user:

  • create a cgroup with access to one CPU
  • create a new process in that cgroup?

I first asked here but I didn't receive a complete answer. I also asked on Stack Overflow, but the question was closed as off topic.

Adam Monsen

4 Answers

20

You can't do that as a normal user. But you can set up a cgroup as root, and make it configurable by your user.

If you do not already have the default cgroups controllers mounted by e.g. systemd:

$ sudo mount -t tmpfs cgroup_root /sys/fs/cgroup
$ sudo mkdir /sys/fs/cgroup/cpuset
$ sudo mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset

Create a cgroup:

$ sudo mkdir /sys/fs/cgroup/cpuset/${USER}
$ sudo chown -R ${USER} /sys/fs/cgroup/cpuset/${USER}

You can now modify the configuration of your cgroup as a normal user:

$ echo 0-3 > /sys/fs/cgroup/cpuset/${USER}/cpuset.cpus

Add a process to that group:

$ ./my_task &
$ echo $! > /sys/fs/cgroup/cpuset/${USER}/tasks

Or create a subgroup:

$ mkdir /sys/fs/cgroup/cpuset/${USER}/subgroup
$ echo 0-1 > /sys/fs/cgroup/cpuset/${USER}/subgroup/cpuset.cpus
$ ./my_other_task &
$ echo $! > /sys/fs/cgroup/cpuset/${USER}/subgroup/tasks
chris
  • how would you delete the subgroup? `rm -r` fails for me – hbogert Jun 11 '16 at 15:34
  • `rm -r` would try to delete the files first, which fails. Use `rmdir` to remove a cgroup. – Dennis B. Jun 12 '16 at 15:59
  • You cannot `rmdir` until the `tasks` file is empty. root would need to look at the tasks file in the subgroup, and echo each pid there into the root cgroup's tasks file (`/dev/cpuset/tasks` on my RHEL 6.7 [kernel 2.6.32-358] box, but it looks like `/sys/fs/cgroup/cpuset/tasks` might be appropriate here). – Mike S Dec 12 '17 at 22:25
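
As an added example (not part of the answer or the comments above), these shell functions check a delegated cgroup v1 cpuset directory before a task is attached and before `rmdir`, including the empty-`tasks` condition raised in the comments. The function names and the `cg_mock` helper are hypothetical; the `cpuset.mems` check assumes the v1 cpuset rule that both `cpuset.cpus` and `cpuset.mems` must be set before a task can be attached.

```shell
#!/bin/sh
# Added example, not from the answer: preflight checks for a delegated
# cgroup v1 cpuset directory such as /sys/fs/cgroup/cpuset/$USER.

# Print a control file's contents with whitespace stripped (empty if unreadable).
cg_val() { [ -r "$1" ] && tr -d '[:space:]' < "$1"; }

# cg_can_attach DIR -> 0 if the caller can move a task into DIR, else:
#   1 DIR is not a cgroup directory (no tasks file)
#   2 tasks is not writable by the caller (the chown step is missing)
#   3 cpuset.cpus is empty
#   4 cpuset.mems is empty (v1 cpuset refuses the attach with ENOSPC
#     until both cpus and mems are set)
cg_can_attach() {
    [ -d "$1" ] && [ -f "$1/tasks" ] || return 1
    [ -w "$1/tasks" ] || return 2
    [ -n "$(cg_val "$1/cpuset.cpus")" ] || return 3
    [ -n "$(cg_val "$1/cpuset.mems")" ] || return 4
    return 0
}

# cg_can_rmdir DIR -> 0 if rmdir would succeed, else:
#   1 DIR is not a cgroup directory
#   2 DIR still has child cgroups (remove those first)
#   3 tasks still lists PIDs (they must exit or be moved to another cgroup)
cg_can_rmdir() {
    [ -d "$1" ] && [ -f "$1/tasks" ] || return 1
    for child in "$1"/*/; do
        [ -d "$child" ] && return 2
    done
    [ -z "$(cg_val "$1/tasks")" ] || return 3
    return 0
}

# Constructed stand-in for a cgroup directory (plain files, not cgroupfs),
# so the checks can be tried without root. Prints the path it created.
cg_mock() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "$1" > "$d/cpuset.cpus"
    printf '%s\n' "$2" > "$d/cpuset.mems"
    printf '%s' "$3" > "$d/tasks"
    echo "$d"
}
```

On a real system, pass the delegated directory itself, for example `cg_can_attach "/sys/fs/cgroup/cpuset/${USER}"`, and inspect `$?`.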
1

If you're using Ubuntu you (the root user) can install cgroup-lite and add what you need to /etc/cgconfig.conf, including which user(s) can change the cgroup's configuration. It runs on boot.

Failing that you (the root user) could add your own script to run during boot.

Ken Sharp
0

In theory you should be able to run processes in transient (temporary) cgroups, e.g.

$ systemd-run --user --scope /bin/bash

but in reality, systemd is broken in many Linux distributions and that fails with something like

polkitd(authority=local)[1300]: Registered Authentication Agent for unix-process:10428:26722972 (system bus name :1.478 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_DK.utf8)
systemd[2601]: run-rbe547d13ad2c41d7857ea9e660e51ab9.scope: Failed to add PIDs to scope's control group: Permission denied
systemd[2601]: run-rbe547d13ad2c41d7857ea9e660e51ab9.scope: Failed with result 'resources'.
systemd[2601]: Failed to start /bin/bash.
polkitd(authority=local)[1300]: Unregistered Authentication Agent for unix-process:10428:26722972 (system bus name :1.478, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_DK.utf8) (disconnected from bus)

I don't know the exact reason for this failure but until this bug is fixed, you need root access to be able to configure control groups (cgroup).

Mikko Rantalainen
  • Interesting. What distributions did this fail on? – Michael Hampton Sep 04 '21 at 13:49
  • I'm currently running Ubuntu 18.04 LTS. I know it used to fail with older versions, too, but I haven't tested if it works in a more recent version. It appears that it's missing fixes to bug https://github.com/systemd/systemd/issues/9512 – note that without `sudo` you probably don't want `--scope` but `--pty`. – Mikko Rantalainen Sep 04 '21 at 13:55
  • Works for me on 248, no sudo or --pty needed. I wonder why Ubuntu hasn't backported it? Did nobody open a bug in launchpad? – Michael Hampton Sep 04 '21 at 15:26
  • It seems that the problem was the hack called `snap` by Canonical. It didn't support `cgroupv2` until recently, so Ubuntu postponed the switch until `snap` could work with the newer API. This should work with Ubuntu 21.10 or greater according to the documentation. – Mikko Rantalainen Sep 04 '21 at 15:29
  • If `mount | grep cgroupv2` outputs something, you're running a recent enough system. – Mikko Rantalainen Sep 04 '21 at 15:30
0

There is a series of articles on LWN on cgroups, see part 1, or look through the search there. Systemd includes a set of helpers to manage (processes caged by) cgroups.

Ivan Vučica
vonbrand