cgroups

[00:00:00]
>> Brian Holt: Now we have unshared the file system. We've unshared the namespaces, but we still have a really big problem left with kind of our solution here. So imagine that you're an ecommerce company and that tomorrow is Black Friday, Boxing Day, Singles' Day. As far as I know, those are the three biggest shopping days in the year.

[00:00:24]
So pick the one that makes the most sense to you. And Bob and Alice are gearing up to sell all of their widgets or stickers or whatever. Everything's all ready to go. They're all on their shared server. They all rented out from Bob's discount basement servers. And all of a sudden, everything goes down, everything crashes.

[00:00:49]
And so Bob and Alice can sell nothing because their server has crashed and Eve is on the other side selling her wares with no problems whatsoever. They were cherooted, they were unshared, they were, all that kind of stuff. So what happened? Well, if Eve has her own change rooted, and she has her own unshared environment, what happens, if she just runs a process that just eats all of the RAM and pins the CPU?

[00:01:20]
>> Brian Holt: It's a problem, right, because there's no limit here there's nothing limiting Alice from saying l just give me all the CPU and give me all of the RAM. And that that's kind of the last problem that we need to solve before we've truly containerized this process so that they really can't mess with each other.

[00:01:41]
So enter something called cgroups, or control groups. Invented at Google, and they basically say, all right, here's this isolated environment, it only gets this much CPU, it gets this much RAM, and once it takes all those things, it's done. It's a methodology of isolating resources, right? Resources in the sense of like computing resources available to individual process trees.

[00:02:12]
>> Brian Holt: So one thing I'm gonna throw out here is this, is, this course is specifically using C groups, v2. The previous version of this course taught C groups v1. So if you run this command right here, grab -c cgroup/proc/mounts. So if I run this from within here, you should get 0 or 1.

[00:02:35]
If you get more than that, you are on cgroup's, v1, and you either need to upgrade your operating system which I left some instructions for their use, like a more recent version of Linux. Or if you really, really want to learn about cgroups v1, which don't because they're deprecated the first version of this course did actually talk about them.

[00:02:58]
So, this entire exercise is done here in secret speed one, okay?
>> Brian Holt: Most of you this should not be a problem because we're kind of past that point.
>> Brian Holt: Okay?
>> Brian Holt: So yeah, this was invented at Google because if Maps has some infinite loop bug, they didn't want it to bring down Gmail at the same time.

[00:03:26]
>> Brian Holt: So it's kind of a strange API to interact with. Cgroups at least I found it's a pseudo file system. So like you like read and write to files and then like those are configurations to govern your cgroups. It's kind of strange, but, it actually ended up being kind of convenient.

[00:03:43]
And it's pretty easy to script if you want to do that as well. So yeah, let's just take a look. So I am going to open my terminal here, this is still in, this is the non-unshared environment. I still have that one up and running over here, but I'm gonna be running all this stuff from my non-change-rooted unshared environment.

[00:04:12]
So if I go to cd/sys/fs/cgroup and I look here there is a bunch of just stuff, right? These are all the various different ways of interacting with cgroups, which is kind of cool. So you can actually just say like cat cpu.max or something. And it'll tell you what its current configuration is at the moment.

[00:04:39]
And you can modify this as well which is kind of cool. You actually can't modify this right now because it's running, but if it wasn't running, you'd be able to modify it. You can see here CPU, a bunch of these I don't know what they do. IO is basically how fast you can read and write to the disc memory, as you might imagine, governs the RAM.

[00:04:58]
How many threads it can spawn that's kind of an interesting one. We'll actually modify that one later to prevent a fork bomb attack, which is pretty cool. So this is just, right now, the root cgroup. So this governs basically everything. So you can imagine, in the root cgroup, it has everything, because you don't want to artificially limit your root.

[00:05:21]
That would make much sense. But let's go ahead and make our own cgroup. So I'm gonna just make a directory. I'm gonna call what I call it sandbox, sandbox. So I now have a directory down here called sandbox. I'm gonna cd into sandbox and look, it has a bunch of stuff in it.

[00:05:41]
I just made a directory, I didn't do anything right. But it knows that if you're creating a directory in here, you're making a new cgroup. But notice that's not all of them and that's actually kind of a problem for us. If I cat cgroup.controllers, you can see it actually doesn't have any of the controllers, available to it.

[00:06:01]
But if I go up a directory into the normal cgroups and I say cgroup.controllers, you'll see that it has all of the controllers available to it. We want to make these controllers available to the sandbox cgroup, which, by the way, you can call your cgroup whatever you want.

[00:06:20]
I just called it sandbox because I am not creative and I think that's what the doc said. So, being called my cool cgroup or something like that, whatever you want.
>> Brian Holt: So,
>> Brian Holt: What we wanna do is, we wanna add our sandbox. Our unshared environments to our seat are our sandbox.

[00:06:46]
So what I'm gonna do is, I'm gonna pull up this, I'm gonna find our unshared environment, right? This bash right here, this is the one that we want to add. So it's whatever one that comes after unshare so this bash so we're gonna find 8262 here and then we're gonna echo that pid into /sys/fs/cgroup/sandbox/cgroup.prox.

[00:07:23]
Okay, so now if I go into sandbox and I cat cgroup.procs, you can see I have one process that belongs to that cgroup. We didn't look at this before. But if you look at cgroup.prox here, you'll see that there's a bunch of other processes in here. But notice 8262 is not in here.

[00:07:56]
So a process can only belong to one cgroup, exactly one cgroup. So if you move it, If I said the same thing here but I put it just in the normal cgroup one and out of the cgroups proc there, and I said cat this again, notice that it's there again, and if I said cat sandbox.

[00:08:23]
Notice that just by moving it to the other cgroup, it was smart enough to go and say, you moved it. I'm gonna remove it from the other cgroup. It does that for you automatically, which is kind of fun. So I wanna put that back. Okay, so and I have this with the cgroup.prox.

[00:08:48]
Okay, so now this is now in the cgroup. The cgroup is doing nothing right now, right? But it is part of that cgroup. Okay, now we wanna get those controllers available to that cgroup, we can see that this cgroup, this root cgroup has all of these controllers available to it and that our sandbox one does not.

[00:09:13]
The reason for that is we have one called cgroup.subtree control. This has nothing in it. And you're basically saying that I'm not gonna make any of these controllers available to any of my children, cgroups. Now, you might say like, okay, cool, well, let's just add it. The problem is that as long as the cgroup has any process that belongs to it, we can actually modify.

[00:09:41]
What subtree controllers are available, so we're gonna have to temporarily move all of the processes into a different C group so that we can activate the subtree controller. So we're gonna say make directory and, we'll just give the full path that That always helps people. cgroup/, I called it other-procs, you can call it whatever you want.

[00:10:09]
And I'm gonna say cat /sys/fs/cgroup.proc.
>> Brian Holt: Is it cgroup.procs? There we go. Okay, then we're gonna do echo 1 into other proc/cs and we're gonna do that one by one for each one because you can only do one at a time. Again, this wasn't made for handcrafting containers.

[00:10:57]
What we're doing it's quite unusual so no one bothered to make this a better developer experience, but that's fine.
>> Brian Holt: That might have been the ps aux are the cat there. Okay, so now that I've done that 1 by 1, if I say cat /sys/fs/cgroup/cgroup.proc, I should have nothing in there.

[00:11:35]
Good. If you have anything in there, just make sure you move those ones as well.
>> Brian Holt: And then I'm just gonna grab this one because I don't want to type it all out. This one right here.
>> Brian Holt: So echo and then you're just saying add all of these.

[00:11:54]
So the plus just means add these to the subtree controller.
>> Brian Holt: And so now if you say Ls into sandbox, check this out look at all the stuff that we have in here now because we added those controllers to be able to be available to this child control group.

[00:12:19]
Now we can really wreak havoc on whatever processes are contained in the sandbox, which is exactly what we wanna do.