Control Groups

Control group hierarchy, resource limits for CPU/memory/IO, and systemd slice integration.

Cgroup v2 Overview

Verify cgroup v2 is active β€” unified hierarchy
stat -fc %T /sys/fs/cgroup/
Output cgroup2fs confirms cgroup v2. If tmpfs, the system is on v1 or hybrid mode.
Show cgroup mount point and controllers
cat /sys/fs/cgroup/cgroup.controllers
List available controllers β€” cpu, memory, io, pids, etc.
cat /sys/fs/cgroup/cgroup.subtree_control

Systemd Cgroup Tools

Show the cgroup hierarchy as a tree β€” slices, scopes, services
systemd-cgls
Show a specific slice’s cgroup tree β€” e.g., all user sessions
systemd-cgls /user.slice
Real-time resource usage by cgroup β€” like top for cgroups
systemd-cgtop
Show which cgroup a process belongs to
cat /proc/$(pgrep -x sshd | head -1)/cgroup
List all cgroups a specific PID is in
systemd-cgls --unit sshd.service

Systemd Resource Controls

Set CPU quota on a service β€” limit to 50% of one core
sudo systemctl set-property httpd.service CPUQuota=50%
Set memory limit on a service β€” hard cap, OOM-killed if exceeded
sudo systemctl set-property httpd.service MemoryMax=512M
Set memory high watermark β€” throttled but not killed above this
sudo systemctl set-property httpd.service MemoryHigh=384M
Set I/O weight β€” relative priority (1-10000, default 100)
sudo systemctl set-property httpd.service IOWeight=50
Limit maximum number of tasks (processes/threads)
sudo systemctl set-property httpd.service TasksMax=100
Set CPU weight β€” relative share (1-10000, default 100)
sudo systemctl set-property httpd.service CPUWeight=200
set-property creates a drop-in file in /etc/systemd/system/<unit>.d/ making the change persistent. Add --runtime for non-persistent changes.

Service Unit Overrides

Set resource limits directly in a service unit override
sudo systemctl edit httpd.service
Override content β€” cgroup resource controls in [Service] section
# Contents of the override:
# [Service]
# CPUQuota=50%
# MemoryMax=512M
# MemoryHigh=384M
# IOWeight=50
# TasksMax=100
View effective resource controls for a service
systemctl show httpd.service | awk -F= '/^(CPU|Memory|IO|Tasks)(Quota|Max|High|Weight|Accounting)/'

Slices, Scopes, and Services

List all slices β€” organizational cgroup containers
systemctl list-units --type=slice
Show the default slice hierarchy β€” system, user, machine
systemd-cgls --no-pager | head -20
Create a custom slice for grouping related services
# /etc/systemd/system/lab.slice
# [Slice]
# CPUQuota=200%
# MemoryMax=2G
Assign a service to a custom slice
sudo systemctl set-property httpd.service Slice=lab.slice
Run a transient scope with resource limits β€” for one-off commands
sudo systemd-run --scope --slice=lab.slice -p MemoryMax=256M /usr/bin/stress --vm 2 --vm-bytes 128M

Direct Cgroup Filesystem

Browse the cgroup filesystem β€” raw interface
ls /sys/fs/cgroup/system.slice/sshd.service/
Read memory usage of a cgroup β€” current bytes
cat /sys/fs/cgroup/system.slice/sshd.service/memory.current
Read memory limit of a cgroup β€” max bytes
cat /sys/fs/cgroup/system.slice/sshd.service/memory.max
Read CPU usage statistics β€” usage_usec, user_usec, system_usec
cat /sys/fs/cgroup/system.slice/sshd.service/cpu.stat
List PIDs in a cgroup
cat /sys/fs/cgroup/system.slice/sshd.service/cgroup.procs

Resource Accounting

Enable CPU accounting for all services β€” tracks usage even without limits
sudo mkdir -p /etc/systemd/system.conf.d/
echo -e '[Manager]\nDefaultCPUAccounting=yes' | sudo tee /etc/systemd/system.conf.d/accounting.conf
sudo systemctl daemon-reexec
Enable memory accounting globally
echo -e '[Manager]\nDefaultMemoryAccounting=yes' | sudo tee -a /etc/systemd/system.conf.d/accounting.conf
sudo systemctl daemon-reexec
Check resource usage of a service β€” CPU, memory, tasks
systemctl status httpd.service | awk '/Memory:|CPU:|Tasks:/'

Practical Patterns

Limit a runaway build β€” constrain make to 2 cores and 4G RAM
sudo systemd-run --scope -p CPUQuota=200% -p MemoryMax=4G make -j$(nproc)
Protect system from OOM β€” set memory limits on non-critical services
sudo systemctl set-property syncthing.service MemoryMax=1G MemoryHigh=768M
Monitor cgroup resource pressure β€” PSI (Pressure Stall Information)
cat /proc/pressure/memory
cat /proc/pressure/cpu
cat /proc/pressure/io
Per-cgroup pressure monitoring β€” finer granularity
cat /sys/fs/cgroup/system.slice/httpd.service/memory.pressure

RHCSA Patterns

Limit a service to 30% CPU and 256M memory β€” persistent
sudo systemctl set-property httpd.service CPUQuota=30% MemoryMax=256M
systemctl show httpd.service | awk -F= '/^(CPUQuota|MemoryMax)/'
Verify cgroup controls are applied β€” check the drop-in
cat /etc/systemd/system/httpd.service.d/50-CPUQuota.conf
cat /etc/systemd/system/httpd.service.d/50-MemoryMax.conf

See Also

  • systemd — manages cgroup slices for services

  • Namespaces — isolation complement to cgroup resource limits