=========================
Process Number Controller
=========================

Abstract
--------

The process number controller is used to allow a cgroup hierarchy to stop any
new tasks from being fork()'d or clone()'d after a certain limit is reached.

Since it is trivial to hit the task limit without hitting any kmemcg limits in
place, PIDs are a fundamental resource. As such, PID exhaustion must be
preventable in the scope of a cgroup hierarchy by allowing resource limiting of
the number of tasks in a cgroup.

Usage
-----

In order to use the `pids` controller, set the maximum number of tasks in
pids.max (this is not available in the root cgroup for obvious reasons). The
number of processes currently in the cgroup is given by pids.current.

Organisational operations are not blocked by cgroup policies, so it is possible
to have pids.current > pids.max. This can be done by either setting the limit to
be smaller than pids.current, or attaching enough processes to the cgroup such
that pids.current > pids.max. However, it is not possible to violate a cgroup
policy through fork() or clone(). fork() and clone() will return -EAGAIN if the
creation of a new process would cause a cgroup policy to be violated.

To set a cgroup to have no limit, set pids.max to "max". This is the default for
all new cgroups (N.B. that PID limits are hierarchical, so the most stringent
limit in the hierarchy is followed).

pids.current tracks all child cgroup hierarchies, so parent/pids.current is a
superset of parent/child/pids.current.

The pids.events file contains event counters:

  - max: Number of times fork failed because limit was hit.

Example
-------

First, we mount the pids controller::

        # mkdir -p /sys/fs/cgroup/pids
        # mount -t cgroup -o pids none /sys/fs/cgroup/pids

Then we create a hierarchy, set limits and attach processes to it::

        # mkdir -p /sys/fs/cgroup/pids/parent/child
        # echo 2 > /sys/fs/cgroup/pids/parent/pids.max
        # echo $$ > /sys/fs/cgroup/pids/parent/cgroup.procs
        # cat /sys/fs/cgroup/pids/parent/pids.current
        2
        #

It should be noted that attempts to overcome the set limit (2 in this case) will
fail::

        # cat /sys/fs/cgroup/pids/parent/pids.current
        2
        # ( /bin/echo "Here's some processes for you." | cat )
        sh: fork: Resource temporary unavailable
        #

Even if we migrate to a child cgroup (which doesn't have a set limit), we will
not be able to overcome the most stringent limit in the hierarchy (in this case,
parent's)::

        # echo $$ > /sys/fs/cgroup/pids/parent/child/cgroup.procs
        # cat /sys/fs/cgroup/pids/parent/pids.current
        2
        # cat /sys/fs/cgroup/pids/parent/child/pids.current
        2
        # cat /sys/fs/cgroup/pids/parent/child/pids.max
        max
        # ( /bin/echo "Here's some processes for you." | cat )
        sh: fork: Resource temporary unavailable
        #

We can set a limit that is smaller than pids.current, which will stop any new
processes from being forked at all (note that the shell itself counts towards
pids.current)::

        # echo 1 > /sys/fs/cgroup/pids/parent/pids.max
        # /bin/echo "We can't even spawn a single process now."
        sh: fork: Resource temporary unavailable
        # echo 0 > /sys/fs/cgroup/pids/parent/pids.max
        # /bin/echo "We can't even spawn a single process now."
        sh: fork: Resource temporary unavailable
        #
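Because limits are hierarchical and each level keeps its own pids.current, a child showing ``max`` says nothing about how many forks are still allowed. The following is an added example, not part of the kernel documentation: a hypothetical helper, ``pids_effective``, walks from a cgroup directory up to the controller mount point and prints the most stringent pids.max together with the smallest remaining headroom at any level. Its demo runs on a constructed directory of plain files standing in for the parent/child hierarchy above.

```shell
#!/bin/sh
# Added example: pids_effective is a hypothetical helper, not a kernel tool.
# Usage:  pids_effective <cgroup-dir> <controller-mount-root>
# Prints: "<effective-max> <headroom>"; either field is "max" when unlimited.
pids_effective() {
    dir=${1%/}
    root=${2%/}
    eff=max     # most stringent pids.max seen on the way up
    room=max    # smallest (pids.max - pids.current) seen on the way up
    while :; do
        # The root cgroup has no pids.max; a missing file means no limit here.
        if [ -r "$dir/pids.max" ]; then
            lim=$(cat "$dir/pids.max")
            cur=$(cat "$dir/pids.current")
            if [ "$lim" != max ]; then
                if [ "$eff" = max ] || [ "$lim" -lt "$eff" ]; then eff=$lim; fi
                left=$((lim - cur))
                # pids.current > pids.max is legal after an attach or a
                # lowered limit, so clamp negative headroom to zero.
                if [ "$left" -lt 0 ]; then left=0; fi
                if [ "$room" = max ] || [ "$left" -lt "$room" ]; then room=$left; fi
            fi
        fi
        if [ "$dir" = "$root" ]; then break; fi
        case $dir in
            "$root"/*) dir=${dir%/*} ;;   # step up to the parent cgroup
            *) return 1 ;;                # directory is not under the mount
        esac
    done
    echo "$eff $room"
}

# Constructed demo: plain files mirroring the parent/child example above.
demo=$(mktemp -d)
mkdir -p "$demo/parent/child"
echo 2   > "$demo/parent/pids.max"
echo 2   > "$demo/parent/pids.current"
echo max > "$demo/parent/child/pids.max"
echo 2   > "$demo/parent/child/pids.current"
pids_effective "$demo/parent/child" "$demo"
rm -rf "$demo"
```

On a live system, pass the real cgroup path and the mount point (``/sys/fs/cgroup/pids`` in the example above); a headroom of 0 means the next fork() or clone() in that cgroup returns -EAGAIN.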