Understanding the new control groups API page
Video: Rami Rosen - Namespaces and CGroups, the basis of Linux containers (YouTube: zMJD8PJKoYQ)
The latest version of the Linux kernel has moved to a security model that is similar to an object capabilities model. It's known as Control Groups and contains two components: control groups and namespaces. Using control groups and namespaces, the Linux kernel makes physical kernel resources visible to processes and available for allocation and use during program execution. For example, programs allocate memory during execution and the memory must be managed by the kernel, so during process initialization the Linux kernel uses a memory namespace to control the memory allocations visible to the new process. Together, Linux control groups and namespaces form a very capability-like API.
This API is exposed to users who want to write software that performs resource management on programs.
Enabling the Control Group API

In a typical pyr8 deployment, only a small number of processes have the control group API enabled. It can be enabled by passing the --with-cgroup flag as shown.

```bash
pyr8 --with-cgroup ...
```
Processes that need to manage cgroups for other processes and partition resources for a physical system need to be run with CAP_SYS_ADMIN, typically by running them as root.

The Control Group Class

Methods

- cap(): capability<utils> Returns a C++-backed capability object for this database object.
- dir(): capability<Directory> Returns a C++-backed capability object for the control group directory on the filesystem.
- fork(capability<File> binary, list<string> args, Map env): capability<Process> Returns a C++-backed capability object for a process spawned in this control group.
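
An added example (not pyr8 code and not from the original page) for auditing the CAP_SYS_ADMIN requirement described above: it reads the effective capability mask from /proc/<pid>/status and the cgroup membership from /proc/<pid>/cgroup. The function names and the sample /proc text are constructed for illustration, and the pyr8 API itself is not used.

```python
"""Audit helper: does a process hold CAP_SYS_ADMIN, and which cgroups is it in?"""
import os

CAP_SYS_ADMIN = 21  # bit index defined in <linux/capability.h>

def effective_caps(status_text):
    """Return the CapEff bitmask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line found")

def has_cap_sys_admin(status_text):
    """True if the effective capability set includes CAP_SYS_ADMIN."""
    return bool((effective_caps(status_text) >> CAP_SYS_ADMIN) & 1)

def parse_cgroup(cgroup_text):
    """Parse /proc/<pid>/cgroup into {controller-list: path}.

    Each line is 'hierarchy-ID:controller-list:path'. On cgroup v2 the
    single line is '0::<path>' with an empty controller list, stored
    here under the key 'unified'.
    """
    membership = {}
    for line in cgroup_text.splitlines():
        if not line.strip():
            continue
        _hierarchy, controllers, path = line.split(":", 2)
        membership[controllers or "unified"] = path
    return membership

def audit(pid="self"):
    """Read the live /proc entries for one process (Linux only)."""
    with open(f"/proc/{pid}/status") as f:
        status = f.read()
    with open(f"/proc/{pid}/cgroup") as f:
        cgroups = f.read()
    return has_cap_sys_admin(status), parse_cgroup(cgroups)

# Constructed samples, not captured from a real system.
SAMPLE_ROOT_STATUS = "Name:\tmanager\nCapEff:\t000001ffffffffff\n"
SAMPLE_USER_STATUS = "Name:\tworker\nCapEff:\t0000000000000000\n"
SAMPLE_CGROUP_V1 = "4:memory:/managed/worker\n3:cpu,cpuacct:/managed/worker\n"
SAMPLE_CGROUP_V2 = "0::/managed/worker\n"

if __name__ == "__main__":
    print(has_cap_sys_admin(SAMPLE_ROOT_STATUS), parse_cgroup(SAMPLE_CGROUP_V1))
    if os.path.exists("/proc/self/status"):
        print(audit())
```

Running a check like this across a deployment shows which processes actually hold CAP_SYS_ADMIN, so the set can be kept as small as the text above describes.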