Pyr8 User's Manual


The Linux Control Groups API

The latest version of the Linux kernel has moved to a security model that is similar to pyr8’s object capabilities model. It’s known as “Control Groups” and contains two components: control groups and namespaces.

Using control groups and namespaces, the Linux kernel makes physical kernel resources visible to processes and available for allocation and use during program execution. For example, programs allocate memory during execution and the memory must be managed by the kernel, so during process initialization the Linux kernel uses a memory namespace to control the memory allocations visible to the new process.

Together, Linux’s control groups and namespaces form a very capability-like API, and pyr8 exposes that API to users who want to write software to perform resource management on pyr8 programs.

Enabling the Control Group API

In a typical pyr8 deployment, only a small number of processes have the control group API enabled. It can be enabled by passing the --with-cgroup flag as shown.

    pyr8 --with-cgroup ...

Processes that need to manage cgroups for other processes and partition resources for a physical system need to be run with CAP_SYS_ADMIN, typically by running them as root.

The Control Group Class

Methods

cap(): capability<utils>
Returns a C++-backed capability object for this database object.
dir(): capability<Directory>
Returns a C++-backed capability object for the control group’s directory on the filesystem.
fork(capability<File> binary, list<string> args, Map env): capability<Process>
Returns a C++-backed capability object for a process spawned in this control group.
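
The CAP_SYS_ADMIN requirement stated under "Enabling the Control Group API" and the control group a spawned process ends up in can both be audited from /proc. The Python below is an added example, not part of pyr8 or its manual: it decodes CapEff from /proc/<pid>/status and the cgroup path from /proc/<pid>/cgroup. The sample inputs are constructed and the /pyr8/job-42 path is hypothetical.

```python
CAP_SYS_ADMIN = 21  # bit number of CAP_SYS_ADMIN in linux/capability.h

def effective_caps(status_text):
    """Return the CapEff bitmask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line found")

def has_cap_sys_admin(status_text):
    """True if CAP_SYS_ADMIN is in the process's effective set."""
    return bool((effective_caps(status_text) >> CAP_SYS_ADMIN) & 1)

def cgroup_paths(cgroup_text):
    """Map controller name -> cgroup path from /proc/<pid>/cgroup.

    Each line is 'hierarchy-ID:controller-list:path'. The cgroup v2 entry
    has an empty controller list and is stored under the key 'unified'.
    """
    paths = {}
    for line in cgroup_text.splitlines():
        if not line.strip():
            continue
        _hier_id, controllers, path = line.split(":", 2)
        for name in (controllers.split(",") if controllers else ["unified"]):
            paths[name] = path
    return paths

def in_cgroup(cgroup_text, expected, controller="unified"):
    """True if the process sits at or below `expected` for that controller."""
    path = cgroup_paths(cgroup_text).get(controller)
    if path is None:
        return False
    expected = expected.rstrip("/")
    return path == expected or path.startswith(expected + "/")

# Constructed samples, not captured from a real system.
ROOT_STATUS = "Name:\tmanager\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
USER_STATUS = "Name:\tworker\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000400\n"
V2_CGROUP = "0::/pyr8/job-42\n"  # hypothetical cgroup path
V1_CGROUP = "5:cpu,cpuacct:/pyr8/job-42\n4:memory:/\n1:name=systemd:/user.slice\n"

if __name__ == "__main__":
    # On a Linux host, report on the current process.
    with open("/proc/self/status") as s, open("/proc/self/cgroup") as c:
        print("CAP_SYS_ADMIN effective:", has_cap_sys_admin(s.read()))
        print("cgroup membership:", cgroup_paths(c.read()))
```

The prefix check in in_cgroup compares whole path components, so /pyr8/job-4 does not match a process in /pyr8/job-42.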