Use of CPUQuota in systemd

I am trying to put a hard limit in CPU usage for a dd command . I have created the following unit file

[Unit]
Description=Virtual Distributed Ethernet

[Service]
ExecStart=/usr/bin/ddcommand
CPUQuota=10%

[Install]
WantedBy=multi-user.target

which call the following simple script

#!/bin/sh
dd if=/dev/zero of=/dev/null bs=1024k

As I have seen in this guide, the CPU usage for my dd service should not exceed the 10%. But when I run the system-cgtop command the usage is about 70-75% .

Any ideas of what am I doing wrong and how can I fix it?

When I execute systemctl show dd I get the following results regarding CPU

CPUShares=18446744073709551615
StartupCPUShares=18446744073709551615
CPUQuotaPerSecUSec=100ms
LimitCPU=18446744073709551615

The Good

Your solution is the correct and should actually be quite future-proof; by using systemd to control the services cgroup settings, eg. CPUQota.

[Unit]
Description=Virtual Distributed Ethernet

[Service]
ExecStart=/usr/bin/ddcommand
CPUQuota=10%

[Install]
WantedBy=multi-user.target

See the man systemd.resource-control for more useful cgroup settings in systemd.

The Bad

There are two caveats to this though, which I (and possibly a few others) stumpled upon. Those caveats are really difficult to track down as there does not seem to be much easily findable information about this, which is the main reason for this answer.

Caveat 1:

The CPUQuota setting is only available since systemd 213, see https://github.com/systemd/systemd/blob/master/NEWS

    * The CFS CPU quota cgroup attribute is now exposed for
      services. The new CPUQuota= switch has been added for this
      which takes a percentage value. Setting this will have the
      result that a service may never get more CPU time than the
      specified percentage, even if the machine is otherwise idle.

This is for example an issue with Debian Jessie which only comes with systemd 208. As an alternative one could configure cpu.cfs_period_us and cpu.cfs_quota_us manually using cgcreate and cgset from the cgroup-bin package, eg.

sudo cgcreate -g cpu:/cpulimited
sudo cgset -r cpu.cfs_period_us=50000 cpulimited
sudo cgset -r cpu.cfs_quota_us=10000 cpulimited
sudo cgexec -g cpu:cpulimited /usr/bin/ddcommand

Caveat 2

For the settings cpu.cfs_period_us and cpu.cfs_quota_us to be available the Kernel needs to be compiled with config-flag CONFIG_CFS_BANDWIDTH. Sadly the 3.16.x Kernel for Debian Jessie is not compiled with this flag by default, see this feature request.

This will be available in Debian Stretch though. One could also use the kernel from jessie-backports, which should have the flag enabled.


I hope this answer helps a few people with the same issue as me...

PS: An easy way to test wether CPUquota is working in your environment is:

$ apt-get install stress
$ systemd-run -p CPUQuota=25% --slice=stress -- stress -c <your cpu count>

and watch with top or htop, the load should be spread (evenly) accross all cpus/cores, summing up to 25%.

Alternative

As an alternative tool one could use cpu-limit which should be available in most distros, eg.

$ apt-get install cpulimit
$ cpulimit -l 10 -P /usr/bin/ddcommand

It works by sending SIGSTOP and SIGCONT to the attached command to pause and resume its operation.

AFAIK it was difficult to control multiple separate/stand-alone processes simultaneously with this, in like group them together, but there might also be solution for this...


I had a similar task to limit CPU usage, but the use case was completely different. It was to stress a regression test suite on local machine to simulate what it undergoes on a loaded CI server (what causes non-deterministic or flaky behaviour of tests). This worked like a charm, in contrary to cpulimit and stress.

systemd-run -p CPUQuota="25%" --scope --uid=$USER --gid=$USER -- pytest ...

--scope made it inherit current shell environment and the command output to stdout as usual. The only difference in output was Running scope as unit run-uN.scope as the first line.

It requires root privileges to run and I have the GUI prompt from pkttyagent. It may be cumbersome to enter the password each time, if you need to run the command several times in a row, for instance to tweak CPUQuota, so prefixing the above command with sudo -E env PATH=$PATH would simplify the task.

Just in case, because there are reports it didn't work/wasn't supported on older versions.

$ uname -r
4.15.0-51-generic
$ systemd --version | head -n 1
systemd 229