CodeClarityLab / Glossary
Ctrl K
← Home ← Codex ← DEBT
Browse by Category
+ added · updated 7d
Pages
Terms of Use About Contribute 🧠Logic graph Contact
← Back to glossary

cgroups — Linux Control Groups

Linux Advanced
debt(d7/e5/b5/t7)
d7 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'only careful code review or runtime testing' (d7). detection_hints.tools is empty, and cgroup misconfigurations (e.g., uncapped swap escaping memory.max, v1 vs v2 path confusion, CPU shares vs quota misuse) are not caught by compilers or standard linters. Misconfigurations typically surface only at runtime — often under load or at OOM events — requiring careful review of cgroup hierarchy files or runtime observation via dmesg/systemd tooling. No standard static analysis toolchain covers cgroup configuration correctness.

e5 Effort Remediation debt — work required to fix once spotted

Closest to 'touches multiple files / significant refactor in one component' (e5). The quick_fix is a single inspection command, but actual remediation of common mistakes is non-trivial. Fixing v1-to-v2 path migration, adding memory.swap.max alongside memory.max, or correcting CPU shares/quota confusion in a container runtime or Kubernetes manifest requires touching multiple configuration layers (runtime config, pod specs, systemd units). It's not a one-line swap but also not a full architectural rework.

b5 Burden Structural debt — long-term weight of choosing wrong

Closest to 'persistent productivity tax' (b5). cgroups are a foundational resource-management mechanism used by every container runtime and systemd unit on a host. The v1/v2 split, the need to reason about both memory and swap limits, and the CPU shares vs quota distinction impose a persistent cognitive and operational tax on anyone doing containerised workload management. However, most application developers interact with cgroups only indirectly (via Kubernetes limits or systemd MemoryMax), limiting the reach somewhat below b7.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap (contradicts how a similar concept works elsewhere)' (t7). The misconception field explicitly calls out the cgroups-vs-namespaces confusion, and common_mistakes list multiple serious traps: v1 vs v2 path differences, memory.max not capping swap unless memory.swap.max is also set, CPU shares (relative) vs CPU quota (hard cap) behaving very differently. These contradict reasonable mental models — especially for developers coming from other resource-limiting systems. The swap escape is particularly dangerous as it silently bypasses what looks like a hard memory cap.

About DEBT scoring → scored by claude-sonnet-4-6 · 2026-05-10 · reviewed by human

Also Known As

Control Groups cgroup cgroups v2

TL;DR

A Linux kernel feature that groups processes and meters or limits their access to CPU, memory, I/O, network, and other resources — the core primitive that makes Docker, systemd, and Kubernetes resource limits possible.

Explanation

Control groups (cgroups) let the kernel organise processes into hierarchical groups and enforce resource controls per group. Each 'controller' (cpu, memory, io, pids, etc.) tracks and can cap usage for every process in the group. cgroups v1 used one directory tree per controller under /sys/fs/cgroup/<ctrl>/, while cgroups v2 (default on most modern distros) unifies them under a single /sys/fs/cgroup/ tree with a single hierarchy. When you run 'docker run --memory 512m', Docker writes 536870912 to memory.max inside a cgroup it creates for the container. Kubernetes resource requests and limits, systemd service memory caps, and PHP-FPM pool limits via Unit delegation all ultimately configure cgroups. Understanding cgroups is what separates people who can debug 'why is my container being OOM-killed' from people who just add more memory and hope.

Common Misconception

cgroups and namespaces are often lumped together as 'container tech', but they do different jobs: namespaces give processes their own view of the system (PIDs, network, mounts), while cgroups enforce how much of the real system each group can consume. A container needs both.

Why It Matters

Every container runtime, every systemd unit's MemoryMax, every Kubernetes pod's resource limit — they all reduce to cgroup writes. When something gets OOM-killed in a container, 'dmesg' shows the cgroup that tripped the limit. Without cgroups, one noisy neighbour process can starve the entire host.

Common Mistakes

  • Confusing cgroups v1 and v2 paths — v1 has /sys/fs/cgroup/memory/, /sys/fs/cgroup/cpu/ etc.; v2 has a single /sys/fs/cgroup/ tree with cgroup.controllers listing active controllers.
  • Setting memory.max without considering memory.swap.max — a process can escape a memory cap if swap is uncapped.
  • Forgetting that cgroup OOM kills the whole container in most runtime configs — set memory requests above typical spikes to avoid churn.
  • Reading /proc/<pid>/cgroup expecting meaningful output inside a container — you see the cgroup path relative to the container's namespace, not the host.
  • Confusing CPU shares (relative weight) with CPU quota (hard cap) — shares only matter when CPU is contested; quota caps regardless.

Avoid When

  • You control the whole machine and trust every process on it — plain ulimit may suffice.
  • Running on a non-Linux OS — macOS and Windows containers use different mechanisms.

When To Use

  • You need to cap resource usage per process group — mandatory for multi-tenant hosts.
  • Debugging OOM kills or CPU throttling in containerised workloads.
  • Building a container runtime or systemd-delegated service manager.
Added 18 Apr 2026
Views 59

Curated in Warsaw under one editorial standard. 1,506 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
1 ping T 1 ping W 1 ping T 0 pings F 0 pings S 0 pings S 0 pings M 0 pings T 0 pings W 1 ping T 1 ping F 0 pings S 3 pings S 1 ping M 0 pings T 0 pings W 0 pings T 1 ping F 0 pings S 0 pings S 0 pings M 0 pings T 1 ping W 0 pings T 1 ping F 0 pings S 1 ping S 0 pings M 0 pings T 0 pings W
Agents 0
No pings yet today
No pings yesterday
Perplexity 9 Google 5 SEMrush 5 Scrapy 4 Ahrefs 3 Bing 3 Meta AI 2 Claude 2 Qwen 1 PetalBot 1
Also referenced
Linux Processes 118 Kubernetes for PHP Developers 71 Container Orchestration 52 PHP Namespaces 49 Linux Memory Management 48
How they use it
crawler 31 crawler_json 4
Related categories
php 13k devops 2.2k linux 923 cloud 867
DEV INTEL Tools & Severity
🔵 Info ⚙ Fix effort: High
⚡ Quick Fix
Inspect a running container's cgroup: cat /proc/$(pidof nginx)/cgroup; cat /sys/fs/cgroup/$(your cgroup)/memory.max
🔗 Prerequisites
✓ schema.org compliant