Learn/Systems/Glossary/

What is a Cgroup

A cgroup (control group) is a Linux kernel feature that limits and tracks how much CPU, memory, disk I/O, and network bandwidth a group of processes can use. If namespaces control what a process can see, cgroups control what it can consume.

How it works

Cgroups organize processes into a hierarchy. Each node in the hierarchy can have resource limits attached through controllers:

  • Memory controller — set a maximum memory limit. When a cgroup exceeds it, the kernel either reclaims memory or kills a process (the OOM killer).
  • CPU controller — assign CPU shares (relative weight) or a hard quota (e.g., "this group can use at most 200ms of CPU per second").
  • I/O controller — throttle disk read/write bandwidth or IOPS.
  • PID controller — limit the number of processes a group can create (prevents fork bombs).

Cgroups are exposed as a filesystem, typically mounted at /sys/fs/cgroup. Creating a directory creates a cgroup. Writing a PID to its cgroup.procs file adds that process to the group. Writing a number to memory.max sets its memory limit.

Cgroups v2 (the modern version) uses a unified hierarchy — each process belongs to exactly one cgroup, and all controllers are managed together. The older v1 had separate hierarchies per controller, which was harder to manage and could produce inconsistent behavior.

Every container runtime uses cgroups. When you run docker run --memory=512m --cpus=1.5, Docker creates a cgroup with a 512 MB memory limit and a CPU quota of 1.5 cores. The container's processes are placed in this cgroup, and the kernel enforces the limits transparently.

Kubernetes relies on cgroups for pod resource requests and limits. The kubelet configures cgroups for each pod, and the OOM killer terminates pods that exceed their memory limits.

Why it matters

Cgroups are the resource enforcement half of containers. Namespaces provide isolation (what you see), and cgroups provide limits (what you can use). Without cgroups, a single runaway container could consume all the host's memory or CPU, starving everything else. Understanding cgroups explains why containers have resource limits, how the OOM killer decides what to terminate, and why Kubernetes pod limits actually work.

See How Containers Work for how namespaces and cgroups combine.

Prerequisites

Related

This concept appears in

Referenced by