Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

9.10.2. Configuring Cgroups

Node hosts use Linux kernel cgroups to contain application processes and to allocate resources fairly. cgroups use two services that must both be running for cgroups containment to be in effect:
  • The cgconfig service provides the LVFS interface to the cgroup subsystems. Use the /etc/cgconfig.conf file to configure this service.
  • The cgred "rules" daemon assigns new processes to a cgroup based on matching rules. Use the /etc/cgrules.conf file to configure this service.
Run the following commands to configure cgroups: 
# for f in "runuser" "runuser-l" "sshd" "system-auth-ac"
do t="/etc/pam.d/$f"
 if ! grep -q "pam_cgroup" "$t"
 then printf 'session\t\toptional\tpam_cgroup.so\n' >> "$t"
 fi
done

# cp -vf /opt/rh/ruby193/root/usr/share/gems/doc/openshift-origin-node-*/cgconfig.conf /etc/cgconfig.conf
# restorecon -v /etc/cgconfig.conf
# restorecon -v /etc/cgrules.conf
# mkdir -p /cgroup
# restorecon -rv /cgroup
# chkconfig cgconfig on
# chkconfig cgred on
# service cgconfig restart
# service cgred restart
Copy to Clipboard Toggle word wrap

Important

Start the cgroups services in the following order for OpenShift Enterprise to function correctly:
  1. cgconfig
  2. cgred
Use the service service-name start command to start each of these services in order.

Note

If you use the kickstart or bash script, the configure_cgroups_on_node function performs these steps.
Verifying the cgroups Configuration

When cgroups have been configured correctly you should see the following:

  • The /etc/cgconfig.conf file exists with SELinux label system_u:object_r:cgconfig_etc_t:s0.
  • The /etc/cgconfig.conf file mounts cpu, cpuacct, memory, and net_cls on the /cgroup directory.
  • The /cgroup directory exists, with SELinux label system_u:object_r:cgroup_t:s0.
  • The command service cgconfig status returns Running.
  • The /cgroup directory exists and contains subsystem files for cpu, cpuacct, memory, and net_cls.

When the cgred service is running correctly you should see the following:
  • The /etc/cgrules.conf file exists with SELinux label system_u:object_r:cgrules_etc_t:s0.
  • The service cgred status command shows that cgred is running.

Important

If you created the configuration files interactively as a root user, the SELinux user label would be unconfined_u and not system_u. For example, the SELinux label in /etc/cgconfig.conf would be unconfined_u:object_r:cgconfig_etc_t:s0.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat