27

How can I create and use cgroups as a non-root user?

For example, can I, entirely as a non-root user:

  • create a cgroup with access to one CPU
  • create a new process in that cgroup?

I first asked here but I didn't receive a complete answer. I also asked on Stack Overflow, but the question was closed as off topic.

4 Answers

21

You can't do that as a normal user. But you can set up a cgroup as root, and make it configurable by your user.

If you do not already have the default cgroups controllers mounted by e.g. systemd:

$ sudo mount -t tmpfs cgroup_root /sys/fs/cgroup
$ sudo mkdir /sys/fs/cgroup/cpuset
$ sudo mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset

Create a cgroup:

$ sudo mkdir /sys/fs/cgroup/cpuset/${USER}
$ sudo chown -R ${USER} /sys/fs/cgroup/cpuset/${USER}

You can now modify the configuration of your cgroup as a normal user:

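$ echo 0-3 > /sys/fs/cgroup/cpuset/${USER}/cpuset.cpus
$ echo 0 > /sys/fs/cgroup/cpuset/${USER}/cpuset.mems  # a v1 cpuset needs mems set before tasks can join; memory node 0 assumed

Add a process to that group:

$ ./my_task &
$ echo $! > /sys/fs/cgroup/cpuset/${USER}/tasks

Or create a subgroup:

$ mkdir /sys/fs/cgroup/cpuset/${USER}/subgroup
$ echo 0-1 > /sys/fs/cgroup/cpuset/${USER}/subgroup/cpuset.cpus
$ echo 0 > /sys/fs/cgroup/cpuset/${USER}/subgroup/cpuset.mems  # must be a subset of the parent's mems; node 0 assumed
$ ./my_other_task &
$ echo $! > /sys/fs/cgroup/cpuset/${USER}/subgroup/tasks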
chris
  • 442
2

If you have a recent enough Linux distribution you should be able to run processes in transient (temporary) cgroups, e.g.

$ systemd-run --user --scope /bin/bash

However, systemd is broken in many Linux distributions, including all Ubuntu variants prior to release 21.10, and then the above fails with something like

polkitd(authority=local)[1300]: Registered Authentication Agent for unix-process:10428:26722972 (system bus name :1.478 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_DK.utf8)
systemd[2601]: run-rbe547d13ad2c41d7857ea9e660e51ab9.scope: Failed to add PIDs to scope's control group: Permission denied
systemd[2601]: run-rbe547d13ad2c41d7857ea9e660e51ab9.scope: Failed with result 'resources'.
systemd[2601]: Failed to start /bin/bash.
polkitd(authority=local)[1300]: Unregistered Authentication Agent for unix-process:10428:26722972 (system bus name :1.478, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_DK.utf8) (disconnected from bus)

The reason for this failure is that running transient cgroups without root requires support for cgroupv2 / cgroup2 but Canonical really wants to push snap. And using cgroup2 would have broken snap until snap had been patched enough. Ubuntu 21.10 is the first Ubuntu release that has a smart enough snap to work with cgroup2, so any older Ubuntu version is intentionally broken for transient cgroups to allow snap to run at all.

I guess distributions that do not even try to support the misfeature called snap will have far fewer problems supporting cgroup2 and this should work with older distribution versions, too.

If mount | grep cgroup2 outputs anything, your system is recent enough.
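
The `mount | grep cgroup2` check also prints a line on systemd's hybrid layout, where cgroup2 is mounted at /sys/fs/cgroup/unified while the controllers stay on v1. The following is an added example, not code from any of the answers: it classifies a mount table and then checks whether cpuset is listed in a cgroup.controllers file. The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the cgroup layout and check cpuset delegation.

# Print unified, hybrid, legacy or none for a mount table in /proc/mounts
# format (fields: device, mount point, fstype, options, ...).
cgroup_mode() {
    awk '
        $3 == "cgroup2" { v2 = 1 }
        $3 == "cgroup"  { v1 = 1 }
        END {
            if (v2 && v1) print "hybrid"
            else if (v2)  print "unified"
            else if (v1)  print "legacy"
            else          print "none"
        }
    ' "${1:-/proc/self/mounts}"
}

# Succeed if controller $2 is listed in the cgroup.controllers file $1.
has_controller() {
    [ -r "$1" ] || return 1
    tr ' ' '\n' < "$1" | grep -qx "$2"
}

# $1 = mount table, $2 = cgroup.controllers file of the user's own cgroup.
# Assumption: in hybrid mode (systemd layout) all controllers stay on v1.
cpuset_as_user() {
    case $(cgroup_mode "$1") in
        unified)
            if has_controller "$2" cpuset; then
                echo "unified: cpuset is delegated"
            else
                echo "unified: cpuset is not delegated"
            fi ;;
        hybrid) echo "hybrid: controllers are on v1, root must delegate" ;;
        legacy) echo "legacy: root must create and chown the cgroup" ;;
        *)      echo "none: no cgroup filesystem mounted" ;;
    esac
}

# Constructed sample: hybrid mount table (cgroup2 mounted, cpuset still v1).
sample=$(mktemp)
cat > "$sample" <<'EOF'
tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset 0 0
EOF
cpuset_as_user "$sample" /dev/null
rm -f "$sample"
```

On a real host, pass /proc/self/mounts and the cgroup.controllers file of your own cgroup, whose path under /sys/fs/cgroup is the one listed in /proc/self/cgroup.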

1

If you're using Ubuntu you (the root user) can install cgroup-lite and add what you need to /etc/cgconfig.conf, including which user(s) can change the cgroup's configuration. It runs on boot.

Failing that you (the root user) could add your own script to run during boot.

Ken Sharp
  • 206
0

There is a series of articles on LWN on cgroups, see part 1, or look through the search there. Systemd includes a set of helpers to manage (processes caged by) cgroups.

vonbrand
  • 1,149