Control Groups are a Linux feature for organizing processes in hierarchical groups and applying resources limits to them. Each rkt pod is placed in a different cgroup to separate the processes of the pod from the processes of the host. Memory and CPU isolators are also implemented with cgroups.
Every pod and application within that pod is run within its own cgroup.
rktstarted from the command line
When a recent version of systemd is running on the host and
rkt is not started as a systemd service (typically, from the command line),
rkt will call
--register=true. This will cause
systemd-nspawn to call the D-Bus method
systemd-machined and the cgroup
/machine.slice/machine-rkt... will be created. This requires systemd v216+ as detected by the machinedRegister function in stage1's
When systemd is not running on the host, or the systemd version is too old (< v216),
systemd-nspawn with the
--register=false parameter. In this case,
systemd-nspawn or other systemd components will not create new cgroups for rkt. Instead,
rkt creates a new cgroup for each pod under the current cgroup, like
rktstarted as a systemd service
rkt is able to detect if it is started as a systemd service (from a
.service file or from
In that case,
systemd-nspawn is started with the
This will cause
systemd-nspawn to use the D-Bus method call
RegisterMachineWithNetwork instead of
CreateMachineWithNetwork and the pod will remain in the cgroup of the service.
By default, the slice is
systemd.slice but users are advised to select
systemd-run --slice=machine or
Slice=machine.slice in the
It will result in
/machine.slice/servicename.service when the user select that slice.
/machine.slice/machine-rkt...when started on the command line with systemd v216+.
/$SLICE.slice/servicename.servicewhen started from a systemd service.
$CALLER_CGROUP/machine-some-id.slicewithout systemd, or with systemd pre-v216
For example, a simple pod run interactively on a system with systemd would look like:
├─machine.slice │ └─machine-rkt\x2df28d074b\x2da8bb\x2d4246\x2d96a5\x2db961e1fe7035.scope │ ├─init.scope │ │ └─/usr/lib/systemd/systemd │ └─system.slice │ ├─alpine-sh.service │ │ ├─/bin/sh │ └─systemd-journald.service │ └─/usr/lib/systemd/systemd-journald
Right now, rkt uses the
When the stage1 starts, it mounts
/sys . Then, for every subsystem, it:
This is so that the pod itself cannot escape the cgroup. Currently the cgroup filesystems are not accessible to applications within the pod, but that may change.
rkt prior to v1.23 mounted each individual knob read-write. E.g.
Unified hierarchy and cgroup2 is a new feature in Linux that will be available in Linux 4.4.
This is tracked by #1757.
CGroup Namespaces is a new feature being developed in Linux.
This is tracked by #1757.
Appc/spec defines the network isolator
resource/network-bandwidth to limit the network bandwidth used by each app in the pod.
This is not implemented yet.
This could be implemented with cgroups.