1CGCONFIG.CONF(5)              File Formats Manual             CGCONFIG.CONF(5)
2
3
4

NAME

6       cgconfig.conf - libcgroup configuration file
7

DESCRIPTION

9       cgconfig.conf  is a configuration file used by libcgroup to define con‐
10       trol groups, their parameters and their mount points.   The  file  con‐
11       sists  of  mount , group and default sections. These sections can be in
12       arbitrary order and all of them are optional. Any  line  starting  with
13       '#' is considered a comment line and is ignored.
14
15       mount section has this form:
16
17              mount {
18                     <controller> = <path>;
19                     ...
20              }
21
22
23       controller
24              Name  of  the kernel subsystem. The list of subsystems supported
25              by the kernel can be found in /proc/cgroups file. Named  hierar‐
26              chy  can  be  specified  as controller "name=<somename>". Do not
27              forget to use double quotes around  this  controller  name  (see
28              examples below).
29
30              Libcgroup  merges  all  subsystems mounted to the same directory
31              (see Example 1) and the directory is mounted only once.
32
33
34       path   The directory path where the group  hierarchy  associated  to  a
35              given  controller  shall  be  mounted.  The directory is created
36              automatically on cgconfig service startup if it does  not  exist
37              and is deleted on service shutdown.
38
39       If no mount section is specified, no controllers are mounted.
40
41       group section has this form:
42
43              group <name> {
44                     [permissions]
45                     <controller> {
46                            <param name> = <param value>;
47                            ...
48                     }
49                     ...
50              }
51
52
53       name   Name of the control group. It can contain only characters, which
54              are allowed for directory names.  The groups form a tree, i.e. a
55              control  group can contain zero or more subgroups. Subgroups can
56              be specified using '/' delimiter.
57
58              The root control group is always created  automatically  in  all
59              hierarchies and it is the base of the group hierarchy. It can be
60              explicitly specified in cgconfig.conf  by  using  '.'  as  group
61              name.  This can be used e.g. to set its permissions, as shown in
62              Example 6.
63
64              When the parent control group of a subgroup is not specified  it
65              is created automatically.
66
67
68       permissions
69              Permissions  of  the  given control group on mounted filesystem.
70              root has always permission  to  do  anything  with  the  control
71              group.  Permissions have the following syntax:
72                        perm {
73                               task {
74                                      uid = <task user>;
75                                      gid = <task group>;
76                                      fperm = <file permissions>
77                               }
78                               admin {
79                                      uid = <admin name>;
80                                      gid = <admin group>;
81                                      dperm = <directory permissions>
82                                      fperm = <file permissions>
83                               }
84                        }
85
86
87              task user/group  Name  of  the user and the group, which own the
88                               tasks file of the control  group.  Given  fperm
89                               then specify the file permissions.  Please note
90                               that the given value is not used as was  speci‐
91                               fied.  Instead,  current file owner permissions
92                               are used as a "umask" for group and others per‐
93                               missions.  For example if fperm = 777 then both
94                               group and others will get the same  permissions
95                               as the file owner.
96
97              admin user/group Name  of  the  user and the group which own the
98                               rest of control group's files. Given fperm  and
99                               dperm  control  file and directory permissions.
100                               Again,  the  given  value  is  masked  by   the
101                               file/directory owner permissions.
102
103              Permissions  are  only  apply to the enclosing control group and
104              are not inherited by subgroups. If there is no perm  section  in
105              the  control  group  definition,  root:root  is the owner of all
106              files and default file permissions are preserved if fperm  resp.
107              dperm are not specified.
108
109       controller
110              Name of the kernel subsystem.  The section can be empty, default
111              kernel parameters will be used in this case. By specifying  con‐
112              troller  the control group and all its parents are controlled by
113              the specific subsystem. One control group can be  controlled  by
114              multiple  subsystems, even if the subsystems are mounted on dif‐
115              ferent directories. Each control group must be controlled by  at
116              least  one  subsystem,  so that libcgroup knows in which hierar‐
117              chies the control group should be created.
118
119              The parameters of the given controller can be  modified  in  the
120              following section enclosed in brackets.
121
122              param name
123                     Name of the file to set. Each controller can have zero or
124                     more parameters.
125
126              param value
127                     Value which should be written to the file when  the  con‐
128                     trol group is created. If it is enclosed in double quotes
129                     `"', it can contain spaces and other special characters.
130
131       If no group section is specified, no groups are created.
132
133       default section has this form:
134
135              default {
136                     perm {
137                            task {
138                                   uid = <task user>;
139                                   gid = <task group>;
140                                   fperm = <file permissions>
141                            }
142                            admin {
143                                   uid = <admin name>;
144                                   gid = <admin group>;
145                                   dperm = <directory permissions>
146                                   fperm = <file permissions>
147                            }
148                     }
149              }
150
151       Content of the perm section has the same form as in group section.  The
152       permissions  defined  here  specify owner and permissions of groups and
153       files of all groups, which do not have explicitly specified their  per‐
154       missions in their group section.
155
156       template section has the same structure as group section. Template name
157       uses the same templates string as  cgrules.conf  destination  tag  (see
158       (cgrules.conf  (5)).   Template  definition  is used as a control group
159       definition for rules in cgrules.conf  (5)  with  the  same  destination
160       name.  Templates does not use default section settings.
161
162

EXAMPLES

164   Example 1
165       The configuration file:
166
167              mount {
168                     cpu = /mnt/cgroups/cpu;
169                     cpuacct = /mnt/cgroups/cpu;
170              }
171
172       creates  the  hierarchy  controlled  by  two  subsystems with no groups
173       inside. It corresponds to the following operations:
174
175              mkdir /mnt/cgroups/cpu
176              mount -t cgroup -o cpu,cpuacct cpu /mnt/cgroups/cpu
177
178
179   Example 2
180       The configuration file:
181
182              mount {
183                     cpu = /mnt/cgroups/cpu;
184                     "name=scheduler" = /mnt/cgroups/cpu;
185                     "name=noctrl" = /mnt/cgroups/noctrl;
186              }
187
188              group daemons {
189                     cpu {
190                            cpu.shares = "1000";
191                     }
192              }
193              group test {
194                     "name=noctrl" {
195                     }
196              }
197       creates two hierarchies. One hierarchy named  scheduler  controlled  by
198       cpu  subsystem,  with  group  daemons inside. Second hierarchy is named
199       noctrl without any controller, with group test. It corresponds to  fol‐
200       lowing operations:
201
202              mkdir /mnt/cgroups/cpu
203              mount -t cgroup -o cpu,name=scheduler cpu /mnt/cgroups/cpu
204              mount -t cgroup -o none,name=noctrl none /mnt/cgroups/noctrl
205
206              mkdir /mnt/cgroups/cpu/daemons
207              echo 1000 > /mnt/cgroups/cpu/daemons/www/cpu.shares
208
209              mkdir /mnt/cgroups/noctrl/tests
210
211       The  daemons  group is created automatically when its first subgroup is
212       created. All its parameters have the default value and  only  root  can
213       access group's files.
214
215       Since  both  cpuacct  and cpu subsystems are mounted to the same direc‐
216       tory, all groups are implicitly controlled also by  cpuacct  subsystem,
217       even if there is no cpuacct section in any of the groups.
218
219
220   Example 3
221       The configuration file:
222
223              mount {
224                     cpu = /mnt/cgroups/cpu;
225                     cpuacct = /mnt/cgroups/cpu;
226              }
227
228              group daemons/www {
229                     perm {
230                            task {
231                                   uid = root;
232                                   gid = webmaster;
233                                   fperm = 770;
234                            }
235                            admin {
236                                   uid = root;
237                                   gid = root;
238                                   dperm = 775;
239                                   fperm = 744;
240                            }
241                     }
242                     cpu {
243                            cpu.shares = "1000";
244                     }
245              }
246
247              group daemons/ftp {
248                     perm {
249                            task {
250                                   uid = root;
251                                   gid = ftpmaster;
252                                   fperm = 774;
253                            }
254                            admin {
255                                   uid = root;
256                                   gid = root;
257                                   dperm = 755;
258                                   fperm = 700;
259                            }
260                     }
261                     cpu {
262                            cpu.shares = "500";
263                     }
264              }
265       creates  the  hierarchy controlled by two subsystems with one group and
266       two subgroups inside, setting one parameter.   It  corresponds  to  the
267       following  operations (except for file permissions which are little bit
268       trickier to emulate via chmod):
269
270
271              mkdir /mnt/cgroups/cpu
272              mount -t cgroup -o cpu,cpuacct cpu /mnt/cgroups/cpu
273
274              mkdir /mnt/cgroups/cpu/daemons
275
276              mkdir /mnt/cgroups/cpu/daemons/www
277              chown root:root /mnt/cgroups/cpu/daemons/www/*
278              chown root:webmaster /mnt/cgroups/cpu/daemons/www/tasks
279              echo 1000 > /mnt/cgroups/cpu/daemons/www/cpu.shares
280
281               # + chmod the files so the result looks like:
282               # ls -la /mnt/cgroups/cpu/daemons/www/
283               # admin.dperm = 755:
284               # drwxr-xr-x. 2 root webmaster 0 Jun 16 11:51 .
285               #
286               # admin.fperm = 744:
287               # --w-------. 1 root webmaster 0 Jun 16 11:51 cgroup.event_control
288               # -r--r--r--. 1 root webmaster 0 Jun 16 11:51 cgroup.procs
289               # -r--r--r--. 1 root webmaster 0 Jun 16 11:51 cpuacct.stat
290               # -rw-r--r--. 1 root webmaster 0 Jun 16 11:51 cpuacct.usage
291               # -r--r--r--. 1 root webmaster 0 Jun 16 11:51 cpuacct.usage_percpu
292               # -rw-r--r--. 1 root webmaster 0 Jun 16 11:51 cpu.rt_period_us
293               # -rw-r--r--. 1 root webmaster 0 Jun 16 11:51 cpu.rt_runtime_us
294               # -rw-r--r--. 1 root webmaster 0 Jun 16 11:51 cpu.shares
295               # -rw-r--r--. 1 root webmaster 0 Jun 16 11:51 notify_on_release
296               #
297               # tasks.fperm = 770
298               # -rw-rw----. 1 root webmaster 0 Jun 16 11:51 tasks
299
300
301              mkdir /mnt/cgroups/cpu/daemons/ftp
302              chown root:root /mnt/cgroups/cpu/daemons/ftp/*
303              chown root:ftpmaster /mnt/cgroups/cpu/daemons/ftp/tasks
304              echo 500 > /mnt/cgroups/cpu/daemons/ftp/cpu.shares
305
306               # + chmod the files so the result looks like:
307               # ls -la /mnt/cgroups/cpu/daemons/ftp/
308               # admin.dperm = 755:
309               # drwxr-xr-x. 2 root ftpmaster 0 Jun 16 11:51 .
310               #
311               # admin.fperm = 700:
312               # --w-------. 1 root ftpmaster 0 Jun 16 11:51 cgroup.event_control
313               # -r--------. 1 root ftpmaster 0 Jun 16 11:51 cgroup.procs
314               # -r--------. 1 root ftpmaster 0 Jun 16 11:51 cpuacct.stat
315               # -rw-------. 1 root ftpmaster 0 Jun 16 11:51 cpuacct.usage
316               # -r--------. 1 root ftpmaster 0 Jun 16 11:51 cpuacct.usage_percpu
317               # -rw-------. 1 root ftpmaster 0 Jun 16 11:51 cpu.rt_period_us
318               # -rw-------. 1 root ftpmaster 0 Jun 16 11:51 cpu.rt_runtime_us
319               # -rw-------. 1 root ftpmaster 0 Jun 16 11:51 cpu.shares
320               # -rw-------. 1 root ftpmaster 0 Jun 16 11:51 notify_on_release
321               #
322               # tasks.fperm = 774:
323               # -rw-rw-r--. 1 root ftpmaster 0 Jun 16 11:51 tasks
324
325
326       The daemons group is created automatically when its first  subgroup  is
327       created.  All  its  parameters have the default value and only root can
328       access the group's files.
329
330       Since both cpuacct and cpu subsystems are mounted to  the  same  direc‐
331       tory,  all groups are implicitly also controlled by the cpuacct subsys‐
332       tem, even if there is no cpuacct section in any of the groups.
333
334
335   Example 4
336       The configuration file:
337
338
339              mount {
340                     cpu = /mnt/cgroups/cpu;
341                     cpuacct = /mnt/cgroups/cpuacct;
342              }
343
344              group daemons {
345                     cpuacct{
346                     }
347                     cpu {
348                     }
349              }
350       creates two hierarchies and one common group in both of them.  It  cor‐
351       responds to the following operations:
352
353              mkdir /mnt/cgroups/cpu
354              mkdir /mnt/cgroups/cpuacct
355              mount -t cgroup -o cpu cpu /mnt/cgroups/cpu
356              mount -t cgroup -o cpuacct cpuacct /mnt/cgroups/cpuacct
357
358              mkdir /mnt/cgroups/cpu/daemons
359              mkdir /mnt/cgroups/cpuacct/daemons
360
361       In fact there are two groups created. One in the cpuacct hierarchy, the
362       second in the cpu hierarchy. These two groups have  nothing  in  common
363       and can contain different subgroups and different tasks.
364
365
366   Example 5
367       The configuration file:
368
369
370              mount {
371                     cpu = /mnt/cgroups/cpu;
372                     cpuacct = /mnt/cgroups/cpuacct;
373              }
374
375              group daemons {
376                     cpuacct{
377                     }
378              }
379
380              group daemons/www {
381                     cpu {
382                            cpu.shares = "1000";
383                     }
384              }
385
386              group daemons/ftp {
387                     cpu {
388                            cpu.shares = "500";
389                     }
390              }
391       creates  two  hierarchies  with few groups inside. One of the groups is
392       created in both hierarchies.
393
394       It corresponds to the following operations:
395
396              mkdir /mnt/cgroups/cpu
397              mkdir /mnt/cgroups/cpuacct
398              mount -t cgroup -o cpu cpu /mnt/cgroups/cpu
399              mount -t cgroup -o cpuacct cpuacct /mnt/cgroups/cpuacct
400
401              mkdir /mnt/cgroups/cpuacct/daemons
402              mkdir /mnt/cgroups/cpu/daemons
403              mkdir /mnt/cgroups/cpu/daemons/www
404              echo 1000 > /mnt/cgroups/cpu/daemons/www/cpu.shares
405              mkdir /mnt/cgroups/cpu/daemons/ftp
406              echo 500 > /mnt/cgroups/cpu/daemons/ftp/cpu.shares
407       Group daemons is created in both hierarchies. In the cpuacct  hierarchy
408       the group is explicitly mentioned in the configuration file. In the cpu
409       hierarchy the group is created implicitly when www  is  created  there.
410       These  two groups have nothing in common, for example they do not share
411       processes and subgroups. Groups www and ftp are created only in the cpu
412       hierarchy and are not controlled by the cpuacct subsystem.
413
414
415   Example 6
416       The configuration file:
417
418              mount {
419                     cpu = /mnt/cgroups/cpu;
420                     cpuacct = /mnt/cgroups/cpu;
421              }
422
423              group . {
424                     perm {
425                            task {
426                                   uid = root;
427                                   gid = operator;
428                            }
429                            admin {
430                                   uid = root;
431                                   gid = operator;
432                            }
433                     }
434                     cpu {
435                     }
436              }
437
438              group daemons {
439                     perm {
440                            task {
441                                   uid = root;
442                                   gid = daemonmaster;
443                            }
444                            admin {
445                                   uid = root;
446                                   gid = operator;
447                            }
448                     }
449                     cpu {
450                     }
451              }
452       creates  the hierarchy controlled by two subsystems with one group hav‐
453       ing some special permissions.  It corresponds to the  following  opera‐
454       tions:
455
456              mkdir /mnt/cgroups/cpu
457              mount -t cgroup -o cpu,cpuacct cpu /mnt/cgroups/cpu
458
459              chown root:operator /mnt/cgroups/cpu/*
460              chown root:operator /mnt/cgroups/cpu/tasks
461
462              mkdir /mnt/cgroups/cpu/daemons
463              chown root:operator /mnt/cgroups/cpu/daemons/*
464              chown root:daemonmaster /mnt/cgroups/cpu/daemons/tasks
465
466       Users which are members of the operator group are allowed to administer
467       the control groups, i.e. create new control groups and  move  processes
468       between these groups without having root privileges.
469
470       Members  of  the  daemonmaster  group can move processes to the daemons
471       control group, but they can not move the process out of the group. Only
472       the operator or root can do that.
473
474
475   Example 7
476       The configuration file:
477
478
479              mount {
480                     cpu = /mnt/cgroups/cpu;
481                     cpuacct = /mnt/cgroups/cpuacct;
482              }
483
484              group students {
485                     cpuacct{
486                     }
487                     cpu {
488                     }
489              }
490
491              template students/%u {
492                     cpuacct{
493                     }
494                     cpu {
495                     }
496              }
497
498              mkdir /mnt/cgroups/cpu/daemons
499              mkdir /mnt/cgroups/cpuacct/daemons
500
501       The  situation  is  the similar as in Example 4. The only difference is
502       template, which is used if some rule uses "/students/%u" as a  destina‐
503       tion.
504
505
506
507

RECOMMENDATIONS

509   Keep hierarchies separated
510       Having  multiple  hierarchies  is  perfectly valid and can be useful in
511       various scenarios. To keeps things clean, do not create  one  group  in
512       multiple  hierarchies. Examples 4 and 5 show how unreadable and confus‐
513       ing it can be, especially when  reading  somebody  elses  configuration
514       file.
515
516
517   Explicit is better than implicit
518       libcgroup  can  implicitly  create groups which are needed for the cre‐
519       ation of configured subgroups. This may be useful and save some  typing
520       in simple scenarios. When it comes to multiple hierarchies, it's better
521       to explicitly specify all groups and all controllers related to them.
522
523

FILES

525       /etc/cgconfig.conf
526       default libcgroup configuration file
527
528

SEE ALSO

530       cgconfigparser (8)
531
532

BUGS

534       Parameter values must be single strings  without  spaces.   Parsing  of
535       quoted strings is not implemented.
536
537
538
539
540
541
542
543                                                              CGCONFIG.CONF(5)
Impressum