9.10.2. Configuring Cgroups

Node hosts use Linux kernel cgroups to contain application processes and to allocate resources fairly. cgroups use two services that must both be running for cgroups containment to be in effect:
  • The cgconfig service provides the LVFS interface to the cgroup subsystems. Use the /etc/cgconfig.conf file to configure this service.
  • The cgred "rules" daemon assigns new processes to a cgroup based on matching rules. Use the /etc/cgrules.conf file to configure this service.
Run the following commands to configure cgroups:
# for f in "runuser" "runuser-l" "sshd" "system-auth-ac"
do t="/etc/pam.d/$f"
 if ! grep -q "pam_cgroup" "$t"
 then printf 'session\t\toptional\tpam_cgroup.so\n' >> "$t"
 fi
done

# cp -vf /opt/rh/ruby193/root/usr/share/gems/doc/openshift-origin-node-*/cgconfig.conf /etc/cgconfig.conf
# restorecon -v /etc/cgconfig.conf
# restorecon -v /etc/cgrules.conf
# mkdir -p /cgroup
# restorecon -rv /cgroup
# chkconfig cgconfig on
# chkconfig cgred on
# service cgconfig restart
# service cgred restart

Important

Start the cgroups services in the following order for OpenShift Enterprise to function correctly:
  1. cgconfig
  2. cgred
Use the service service-name start command to start each of these services in order.

Note

If you use the kickstart or bash script, the configure_cgroups_on_node function performs these steps.

Verifying the cgroups Configuration

When cgroups have been configured correctly, you should see the following:

  • The /etc/cgconfig.conf file exists with SELinux label system_u:object_r:cgconfig_etc_t:s0.
  • The /etc/cgconfig.conf file mounts cpu, cpuacct, memory, and net_cls on the /cgroup directory.
  • The /cgroup directory exists, with SELinux label system_u:object_r:cgroup_t:s0.
  • The command service cgconfig status returns Running.
  • The /cgroup directory exists and contains subsystem files for cpu, cpuacct, memory, and net_cls.

When the cgred service is running correctly, you should see the following:
  • The /etc/cgrules.conf file exists with SELinux label system_u:object_r:cgrules_etc_t:s0.
  • The service cgred status command shows that cgred is running.

Important

If you created the configuration files interactively as the root user, the SELinux user label would be unconfined_u and not system_u. For example, the SELinux label on /etc/cgconfig.conf would be unconfined_u:object_r:cgconfig_etc_t:s0.
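
The two verification lists and the label note above can be checked with a script. This is an added example, not part of the original documentation or the OpenShift installer. It assumes GNU stat (`%C` prints the SELinux context) and that `service <name> status` exits 0 when the service is running; `--check` is a switch of this script only, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: run as root on a node host with "--check" (this script's own switch).

# Print required subsystems that the mount { } block of a cgconfig.conf
# (file $1, default stdin) does not mount under /cgroup. Empty = all mounted.
missing_subsystems() {
    awk -v req="cpu cpuacct memory net_cls" '
        { gsub(/[=;]/, " ") }                    # tolerate "cpu=/cgroup/all;"
        /^[ \t]*mount[ \t]*[{]/ { inm = 1; next }
        inm && /[}]/            { inm = 0 }
        inm && $2 ~ /^\/cgroup(\/|$)/ { seen[$1] = 1 }
        END {
            n = split(req, r, " ")
            for (i = 1; i <= n; i++)
                if (!(r[i] in seen)) { out = out sep r[i]; sep = " " }
            print out
        }' "${1:--}"
}

# Classify SELinux context $1 against expected type $2: "ok" (system_u),
# "unconfined" (right type, file created interactively by root), "mismatch".
label_status() (
    user=${1%%:*}; rest=${1#*:*:}; type=${rest%%:*}
    if [ "$type" != "$2" ]; then echo mismatch
    elif [ "$user" = system_u ]; then echo ok
    elif [ "$user" = unconfined_u ]; then echo unconfined
    else echo mismatch; fi
)

# Constructed sample, not the shipped file: net_cls is mounted outside /cgroup.
sample_conf() {
    printf 'mount {\n cpu = /cgroup/all;\n cpuacct = /cgroup/all;\n memory = /cgroup/all;\n net_cls = /mnt/net;\n}\n'
}

verify_node() (
    rc=0
    for pair in /etc/cgconfig.conf:cgconfig_etc_t /etc/cgrules.conf:cgrules_etc_t /cgroup:cgroup_t; do
        path=${pair%%:*}
        st=$(label_status "$(stat -c %C "$path" 2>/dev/null)" "${pair#*:}")
        echo "label $path: $st"; [ "$st" = mismatch ] && rc=1
    done
    miss=$(missing_subsystems /etc/cgconfig.conf 2>/dev/null)
    [ -n "$miss" ] && { echo "not mounted under /cgroup: $miss"; rc=1; }
    for svc in cgconfig cgred; do   # assumes status exits 0 when running
        service "$svc" status >/dev/null 2>&1 || { echo "$svc not running"; rc=1; }
    done
    exit $rc
)

if [ "${1:-}" = "--check" ]; then verify_node; fi
```

A result of "unconfined" means the file type is correct but the file was created interactively by root.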