Based on kernel version 4.3. Page generated on 2015-11-02 12:44 EST.
1 Process Number Controller 2 ========================= 3 4 Abstract 5 -------- 6 7 The process number controller is used to allow a cgroup hierarchy to stop any 8 new tasks from being fork()'d or clone()'d after a certain limit is reached. 9 10 Since it is trivial to hit the task limit without hitting any kmemcg limits in 11 place, PIDs are a fundamental resource. As such, PID exhaustion must be 12 preventable in the scope of a cgroup hierarchy by allowing resource limiting of 13 the number of tasks in a cgroup. 14 15 Usage 16 ----- 17 18 In order to use the `pids` controller, set the maximum number of tasks in 19 pids.max (this is not available in the root cgroup for obvious reasons). The 20 number of processes currently in the cgroup is given by pids.current. 21 22 Organisational operations are not blocked by cgroup policies, so it is possible 23 to have pids.current > pids.max. This can be done by either setting the limit to 24 be smaller than pids.current, or attaching enough processes to the cgroup such 25 that pids.current > pids.max. However, it is not possible to violate a cgroup 26 policy through fork() or clone(). fork() and clone() will return -EAGAIN if the 27 creation of a new process would cause a cgroup policy to be violated. 28 29 To set a cgroup to have no limit, set pids.max to "max". This is the default for 30 all new cgroups (N.B. that PID limits are hierarchical, so the most stringent 31 limit in the hierarchy is followed). 32 33 pids.current tracks all child cgroup hierarchies, so parent/pids.current is a 34 superset of parent/child/pids.current. 35 36 Example 37 ------- 38 39 First, we mount the pids controller: 40 # mkdir -p /sys/fs/cgroup/pids 41 # mount -t cgroup -o pids none /sys/fs/cgroup/pids 42 43 Then we create a hierarchy, set limits and attach processes to it: 44 # mkdir -p /sys/fs/cgroup/pids/parent/child 45 # echo 2 > /sys/fs/cgroup/pids/parent/pids.max 46 # echo $$ > /sys/fs/cgroup/pids/parent/cgroup.procs 47 # cat /sys/fs/cgroup/pids/parent/pids.current 48 2 49 # 50 51 It should be noted that attempts to overcome the set limit (2 in this case) will 52 fail: 53 54 # cat /sys/fs/cgroup/pids/parent/pids.current 55 2 56 # ( /bin/echo "Here's some processes for you." | cat ) 57 sh: fork: Resource temporary unavailable 58 # 59 60 Even if we migrate to a child cgroup (which doesn't have a set limit), we will 61 not be able to overcome the most stringent limit in the hierarchy (in this case, 62 parent's): 63 64 # echo $$ > /sys/fs/cgroup/pids/parent/child/cgroup.procs 65 # cat /sys/fs/cgroup/pids/parent/pids.current 66 2 67 # cat /sys/fs/cgroup/pids/parent/child/pids.current 68 2 69 # cat /sys/fs/cgroup/pids/parent/child/pids.max 70 max 71 # ( /bin/echo "Here's some processes for you." | cat ) 72 sh: fork: Resource temporary unavailable 73 # 74 75 We can set a limit that is smaller than pids.current, which will stop any new 76 processes from being forked at all (note that the shell itself counts towards 77 pids.current): 78 79 # echo 1 > /sys/fs/cgroup/pids/parent/pids.max 80 # /bin/echo "We can't even spawn a single process now." 81 sh: fork: Resource temporary unavailable 82 # echo 0 > /sys/fs/cgroup/pids/parent/pids.max 83 # /bin/echo "We can't even spawn a single process now." 84 sh: fork: Resource temporary unavailable 85 #