SR Linux applications
SR Linux is a suite of modular, lightweight applications running like any others in a Linux environment. Each SR Linux application supports a different protocol or function, such as BGP, LLDP, AAA, and so on. These applications use gRPC and APIs to communicate with each other and external systems over TCP.
One SR Linux application, the application manager (app_mgr), is responsible for monitoring the health of the process IDs running each SR Linux applications and restarting them if they fail. The application manager reads in application-specific YAML configuration and YANG models and starts each application (or allows an application not to start if there no configuration exists for it). There is an instance of the app_mgr that handles applications running on the CPM and an instance of the app_mgr on each IMM that handles applications running on the line card.
In addition to the Nokia-provided SR Linux applications, SR Linux supports installation of user-defined applications, which are managed and configured in the same way as the default SR Linux applications. User-defined SR Linux applications can be loaded, reloaded, and unloaded from the system as necessary.
Installing an application
To install an application, copy the application files into the appropriate SR Linux directories, then reload the application manager and start the application.
The example in this topic installs an application called fib_agent.
The application consists of files named fib_agent.yml,
fib_agent.sh, fib_agent.py, and
fib_agent.yang. The fib_agent.yml file is
installed in the /etc/opt/srlinux/appmgr/ directory. The
.yml file for a user-defined application must reside in this
directory in order for the app_mgr to read its YAML configuration.
The .yml file defines the locations of the other application files.
The other application files can reside anywhere in the system other than in the
/opt/srlinux/ directory or any tempfs file system.
In this example, the fib_agent.sh and fib_agent.py files are
installed in the directory /user_agents/, and the
fib_agent.yang file is installed in the directory
/yang/. The locations for these files are defined in the
fib_agent.yml file.
-
Copy the application files into the SR Linux
directories.
--{ candidate }--[ ]-- # bash # cp fib_agent.yml /etc/opt/srlinux/appmgr/. # cp fib_agent.sh /user_agents/. # cp fib_agent.py /user_agents/. # cp fib_agent.yang /yang/. # exit -
From the SR Linux
CLI, reload the application manager.
--{ candidate }--[ ]-- # tools system app-management application app_mgr reload -
Apply the changes to the configuration.
--{ candidate }--[ ]-- # fib-agent --{ candidate }--[ fib-agent ]-- # commit stay All changes have been committed. Starting new transaction. --{ candidate }--[ fib-agent ]-- -
Verify that the application is running.
# show system application fib_agent +-----------+-----+---------+-----------------------+--------------------------+ | Name | PID | State | Version | Last Change | +===========+=====+=========+=======================+==========================+ | fib_agent | 227 | running | v21.3.0-61-gd19567393 | 2021-01-13T20:16:45.697Z | +-----------+-----+---------+-----------------------+--------------------------+
Starting an application
To start an SR Linux application instance, use the start option in the tools system app-management command.
To start an SR Linux application instance:
--{ running }--[ ]--
# tools system app-management application mpls_mgr start
/system/app-management/application[name=mpls_mgr]:
Application 'mpls_mgr' was startedRestarting applications
SR Linux applications that are currently running can be restarted; that is, stopped then started again. SR Linux supports the following types of application restarts: warm restart, cold restart, and hot restart. The difference between these restart types lies in how the application state is maintained in the IDB:
-
warm restart
Warm restart allows forwarding to continue based on the previous state of the application. A warm restart causes the application to leave its state information in IDB during the restart, then recover it after the restart. This restart type results in less disruption to surrounding applications that depend on the restarting application's state.
-
cold restart
Cold restart results in a typical stop and start of the application, including purging its state in IDB.
-
hot restart
Note: Hot restart is supported exclusively for theisis_mgrapplication and is only available on the 7250 IXR Gen 2, 7250 IXR 6e/10e, and 7250 IXR Gen 3 platforms..When an application crashes on a system with redundancy configured, the application attempts hot-restart. Triggering a hot-restart initiates an switchover. Hot restart enables forwarding and preserves the application's state information in IDB and allows for the rapid restart of applications in case of a failure, minimizing downtime and ensuring continuous operation. For more information, see Non-Stop Routing (NSR).
# info from state system app-management application chassis_mgr supported-restart-types
system {
app-management {
application chassis_mgr {
supported-restart-types [
cold
warm
]
}
}
}
Not all SR Linux applications support warm restart. For a list of applications that support warm restart, see the SR Linux Software Release Notes.
Applications can be restarted automatically by app_mgr (for example, if an application fails and needs to be restarted) or you can restart an application manually from the CLI using a tools command. When app_mgr restarts an application, the application is warm-restarted if the application supports it; otherwise the application is cold-restarted. If you restart an application using a tools command, you can specify whether the application is cold or warm restarted. If you do not specify the restart type, the application is warm-restarted if the application supports it; otherwise the application is cold-restarted.
Restarting an application
You can restart an application from the SR Linux CLI. The application can be cold-restarted, warm-restarted (if the application supports warm restart). Using the info from state command, you can display the type of restart (cold or warm) that was used the last time the application was restarted.
Restart an SR Linux application instance
--{ running }--[ ]--
# tools system app-management application chassis_mgr restart cold
/system/app-management/application[name=chassis_mgr]:
Application 'chassis_mgr' was killed with signal 9
/system/app-management/application[name=chassis_mgr]:
Application 'chassis_mgr' was restarted
Display the type of restart used the last time the application was restarted
--{ running }--[ ]--
# info with-context from state system app-management application chassis_mgr last-start-type
system {
app-management {
application chassis_mgr {
last-start-type cold
}
}
}Display AHR (Application Hot Restart) application last restart type
isis_mgr application and is only
available on the 7250 IXR Gen 2, 7250 IXR 6e/10e, and 7250 IXR Gen 3
platforms.You can display the last start or restart type of a hot restart application using the info.from.state.system.app-management.application.<app_name>.last-start-type command.
When a hot restart application crashes on a system with redundancy configured, the application attempts hot-restart. Triggering a hot-restart initiates an switchover. For more information, see Non-Stop Routing (NSR).--{ running }--[ ]--
# info with-context from state system app-management application isis_mgr_A last-start-type
system {
app-management {
application isis_mgr_A {
last-start-type hot
}
}
}Terminating an application
You can use the stop, quit, or kill options in the tools system app-management command to terminate an SR Linux application:
-
stop
Gracefully terminates the application, allowing it to clean up before exiting.
-
quit
Terminates the application and generates a core dump. The core dump files are saved in the
/var/coredirectory. -
kill
Terminates the application immediately, without allowing it to clean up before exiting.
Terminate an application gracefully
--{ candidate }--[ ]--
# tools system app-management application mpls_mgr stop
/system/app-management/application[name=mpls_mgr]:
Application 'mpls_mgr' was killed with signal 15
Terminate an application and generate a core dump
--{ candidate }--[ ]--
# tools system app-management application mpls_mgr quit
/system/app-management/application[name=mpls_mgr]:
Application 'mpls_mgr' was killed with signal 3
Terminate an application immediately
--{ candidate }--[ ]--
# tools system app-management application mpls_mgr kill
/system/app-management/application[name=mpls_mgr]:
Application 'mpls_mgr' was killed with signal 9
Reloading application configuration
To reload the application configuration, reload the application manager. Reloading the application manager causes it to process any changes in the installed applications' YAML configuration and restart the applications. Applications that are no longer present in the system are stopped, and their YANG modules are removed from the management server. Applications removed from the system have their nodes or augmentations removed from the system schema.
--{ * running }--[ ]--
# tools system app-management application app_mgr reload
Clearing application statistics
You can display statistics collected for an application with the info from state command. To reset the statistics counters for the application, use the statistics clear option in the tools system app-management command.
To reset the statistics counters for an application:
--{ running }--[ ]--
# tools system app-management application mpls_mgr statistics clear
Restricted operations for applications
An application may have one or more operations that are restricted by default. For example, the linux_mgr application has stop, quit, and kill as restricted operations, meaning that these options are not available when entering the tools system app-management command for the linux_mgr application.
Restricted operations for SR Linux applications lists the restricted operations for each SR Linux application.
Application |
Restricted operations |
|---|---|
aaa_mgr |
reload |
acl_mgr |
reload |
app_mgr |
start, stop, restart, quit, kill |
arp_nd_mgr |
reload |
bfd_mgr |
reload |
bgp_mgr |
reload |
chassis_mgr |
stop, quit, kill, reload |
device_mgr |
reload |
dhcp_client_mgr |
stop, reload |
fib_mgr |
reload |
grpc_server |
reload |
idb_server |
start, stop, restart, quit, kill, reload |
json_rpc_config |
reload |
linux_mgr |
stop, quit, kill |
lldp_mgr |
reload |
log_mgr |
reload |
mgmt_server |
start, stop, quit, kill, reload |
mpls_mgr |
reload |
net_inst_mgr |
start, stop, quit, kill, reload |
oam_mgr |
reload |
plcy_mgr |
reload |
qos_mgr |
reload |
sdk_mgr |
reload |
static_route_mgr |
reload |
supportd |
reload |
xdp_cpm |
stop, restart, quit, kill, reload |
xdp_lc |
reload |
Restricted options are specified in the restricted-operations setting in the YAML file for the application.
Configuring an application
To configure an SR Linux application, edit settings in the application YAML file, then reload the application manager to activate the changes.
The example in this section shows how to configure an application to specify the action the SR Linux device takes when the application fails. If an SR Linux application fails a specified number of times over a specified time period, the SR Linux device can reboot the system or attempt to restart the application after waiting a specified number of seconds.
For example, if the aaa_mgr application stops responding five times within a 500-second window, the SR Linux device can be configured to wait 100 seconds, then restart the aaa_mgr application.
The following actions can be taken if an SR Linux application fails:
-
Reboot the system.
-
Wait a specified number of seconds, then attempt to restart the failed application.
-
Move the failed application to error state without rebooting the system or attempting to restart the application.
If you stop or restart an application using the tools system app-management command in the SR Linux CLI, it is not considered an application failure; the failure action for the application, if one is configured, does not occur. However, if the failed application waits a specified period of time (or forever) to be restarted, or has been moved into error state, you can restart the application manually with the tools system app-management application restart CLI command.
To configure the failure action for an application:
-
Check the status of the SR Linux
applications.
--{ running }--[ ]-- # show system application +--------------+-----+--------------------+-----------------------+--------------------------+ | Name | PID | State | Version | Last Change | +==============+=====+====================+=======================+==========================+ | aaa_mgr | 242 | error | v22.3.0-34-ge0ee326f8 | 2022-01-21T20:15:10.967Z | | acl_mgr | 193 | running | v22.3.0-34-ge0ee326f8 | 2022-01-21T20:15:10.967Z | | app_mgr | 118 | running | v22.3.0-34-ge0ee326f8 | 2022-01-21T20:15:11.161Z | | arp_nd_mgr | 104 | running | v22.3.0-34-ge0ee326f8 | 2022-01-21T20:15:10.967Z | | bfd_mgr | | waiting-for-config | | | | bgp_mgr | 109 | running | v22.3.0-34-ge0ee326f8 | 2022-01-21T20:15:13.156Z | | chassis_mgr | 115 | running | v22.3.0-34-ge0ee326f8 | 2022-01-21T20:15:10.967Z | | dev_mgr | 150 | running | v22.3.0-34-ge0ee326f8 | 2022-01-21T20:15:10.001Z | | fib_mgr | 168 | running | v22.3.0-34-ge0ee326f8 | 2022-01-21T20:15:10.968Z | | grpc_server | 157 | running | v22.3.0-34-ge0ee326f8 | 2022-01-21T20:15:13.296Z | | idb_server | 171 | running | v22.3.0-34-ge0ee326f8 | 2022-01-21T20:15:10.228Z | | igmp_mgr | | waiting-for-config | | | | isis_mgr | | waiting-for-config | | | | json_rpc | 166 | running | | 2022-01-21T20:15:13.234Z | | label_mgr | 139 | running | v22.3.0-34-ge0ee326f8 | 2022-01-21T20:15:13.186Z | | lag_mgr | 103 | running | v22.3.0-34-ge0ee326f8 | 2022-01-21T20:15:10.968Z | | ldp_mgr | | waiting-for-config | | | | linux_mgr | 116 | running | v22.3.0-34-ge0ee326f8 | 2022-01-21T20:15:10.968Z | | lldp_mgr | 149 | running | v22.3.0-34-ge0ee326f8 | 2022-01-21T20:15:13.206Z | | log_mgr | 127 | running | v22.3.0-34-ge0ee326f8 | 2022-01-21T20:15:10.968Z | | mgmt_server | 149 | running | v22.3.0-34-ge0ee326f8 | 2022-01-21T20:15:10.968Z | | mirror_mgr | | waiting-for-config | | | | mpls_mgr | | waiting-for-config | | | | net_inst_mgr | 160 | running | v22.3.0-34-ge0ee326f8 | 2022-01-21T20:15:10.968Z | | oam_mgr | 160 | running | v22.3.0-34-ge0ee326f8 | 2022-01-21T20:15:13.231Z | | ospf_mgr | | waiting-for-config | | | | p4rt_server | 641 | running | v22.3.0-34-ge0ee326f8 | 2022-01-21T21:56:47.935Z | | plcy_mgr | 177 | running | v22.3.0-34-ge0ee326f8 | 2022-01-21T20:15:13.242Z | | qos_mgr | 186 | running | v22.3.0-34-ge0ee326f8 | 2022-01-21T20:15:13.322Z | | sshd-mgmt | 192 | running | | 2022-01-21T20:15:19.710Z | | xdp_cpm | 197 | running | v22.3.0-34-ge0ee326f8 | 2022-01-21T20:15:10.968Z | | xdp_lc_1 | 108 | running | | 2022-01-21T20:15:10.968Z | +--------------+-----+--------------------+-----------------------+--------------------------+ -
Use the info from state command to check the current failure
action settings for the application to
configure.
The following failure action settings can be configured for an application:
-
failure-thresholdNumber of times that the application must fail during the failure-window period before the failure-action is taken; the default is three times.
-
failure-windowNumber of seconds over which the application must fail the failure-threshold number of times before the failure-action is taken; the default is 300 seconds.
-
failure-actionAction to take if the application fails failure-threshold times over failure-window seconds. This action can be one of the following:
-
reboot– reboot the system; this is the default failure-action -
wait = seconds– wait this number of seconds, then attempt to restart the application -
wait = forever– move the application to error state and do not reboot the system or attempt to restart the application
-
These settings are highlighted in the following example:--{ running }--[ ]-- # info with-context from state system app-management application aaa_mgr system { app-management { application aaa_mgr { pid 242 state error last-change 2022-01-21T20:15:10.967Z author Nokia failure-threshold 3 failure-window 300 failure-action reboot path /opt/srlinux/bin launch-command ./sr_aaa_mgr search-command ./sr_aaa_mgr version v22.3.0-34-ge0ee326f8 restricted-operations [ reload ] statistics { restart-count 0 } yang { modules [ srl_nokia-aaa srl_nokia-aaa-types ] source-directories [ /opt/srlinux/models/ietf /opt/srlinux/models/srl_nokia/models/common /opt/srlinux/models/srl_nokia/models/network-instance /opt/srlinux/models/srl_nokia/models/system ] } } } } -
-
Edit the YAML configuration for the application.
The YAML configuration files for SR Linux applications are located in the directory
/opt/srlinux/appmgron theSR Linux device. They are namedsr_application_name_config.yml; for example,sr_aaa_mgr_config.yml. -
In the
.ymlfile, add or change the settings for thefailure-threshold,failure-window, andfailure-actionparameters.In the following example, the failure action settings in the
sr_aaa_mgr_config.ymlfile are configured so that if the aaa_mgr application fails five times over a 500-second period, the SR Linux device waits 100 seconds, then attempts to restart the aaa_mgr application:aaa_mgr_setup: path: /opt/srlinux/bin launch-command: ./aaamgr_set_env.sh run-as-user: root never-show: Yes never-restart: Yes start-order: 1 aaa_mgr: path: /opt/srlinux/bin launch-command: ./sr_aaa_mgr search-command: ./sr_aaa_mgr run-as-user: root restricted-operations: ['reload'] failure-threshold: 5 failure-window : 500 failure-action: "wait=100" yang-modules: names: - "srl_nokia-aaa" - "srl_nokia-aaa-types" source-directories: - "/opt/srlinux/models/ietf" - "/opt/srlinux/models/srl_nokia/models/common" - "/opt/srlinux/models/srl_nokia/models/system" - "/opt/srlinux/models/srl_nokia/models/network-instance" -
Save and close the
.ymlconfiguration file. -
In the SR Linux
CLI, reload the application manager.
--{ running }--[ ]-- # tools system app-management application app_mgr reloadThis command reloads any application whose.ymlconfiguration file has changed. It does not affect any service. -
Use the info from state command to verify that the changes
to the failure action settings are now in effect.
--{ running }--[ ]-- # info with-context from state system app-management application aaa_mgr system { app-management { application aaa_mgr { pid 242 state running last-change 2022-01-21T20:15:10.967Z author Nokia failure-threshold 5 failure-window 500 failure-action wait=100 path /opt/srlinux/bin launch-command ./sr_aaa_mgr search-command ./sr_aaa_mgr version v22.3.0-34-ge0ee326f8 restricted-operations [ reload ] statistics { restart-count 0 } yang { modules [ srl_nokia-aaa srl_nokia-aaa-types ] source-directories [ /opt/srlinux/models/ietf /opt/srlinux/models/srl_nokia/models/common /opt/srlinux/models/srl_nokia/models/network-instance /opt/srlinux/models/srl_nokia/models/system ] } } } }
Removing an application from the system
To remove an application from the system, remove the application files from the SR Linux directories where they are located, then reload the application manager.
When an application is removed from the system, SR Linux stops sending updates for the paths that the application would populate. If the application is subsequently reloaded, SR Linux resumes sending updates.
For active CLI sessions, the schema is updated to remove the application. If an active CLI session exists in a context that is no longer present because of the application being removed, the CLI context is changed to the next highest valid context.
User-defined applications can be removed from the system, but removing Nokia-provided SR Linux applications is not supported.
In the following example, the fib_agent application, consisting of
files named fib_agent.yml, fib_agent.sh,
fib_agent.py, and fib_agent.yang, is removed
from the system.
-
Remove the application files from the SR Linux
directories.
--{ candidate }--[ ]-- # bash # rm /etc/opt/srlinux/appmgr/fib_agent.yml # rm /user_agents/fib_agent.sh # rm /user_agents/fib_agent.py # rm /yang/fib_agent.yang # exit -
From the SR Linux
CLI, reload the application manager.
--{ candidate }--[ ]-- # tools system app-management application app_mgr reloadThe application manager stops any application that is no longer present and removes the application's YANG module from the management server.
Partioning and isolating application resources
The SR Linux protects system processes through the use of control groups (cgroups), which impose resource consumption limits on resource-intensive customer applications.
Cgroup profiles
Cgroup profiles define how usage limits are applied. On the SR Linux, cgroup profiles are supported for CPU and memory and are
defined in cgroup_profile.json configuration
files.
SR Linux provides a default cgroup profile; customers can configure additional cgroup profiles.
Default cgroup profile
The SR Linux-provided default cgroup profile is located in the /opt/srlinux/appmgr/cgroup_profile.json directory.
If the default cgroup profile fails to parse or be read by the app_mgr, the SR Linux does not start.
The following shows the default cgroup_profile.json file definition:
{
"profiles": [
{
"name": "workload.slice",
"path": "workload.slice",
"controller": {
"memory": {
"max": 0.8,
"swap_max": 0,
"low": 0,
"max_unoccupied_mem": "1024"
},
"cpu": {
"weight": "1000",
"period": "100000",
"quota": "0"
},
"cpuset": {
"cpus": "all",
"mems": ""
}
}
},
{
"name": "workload.primary",
"path": "workload.slice/primary",
"controller": {
"memory": {
"max": 0.8,
"swap_max": 0,
"low": 0,
"max_unoccupied_mem": "1024"
},
"cpu": {
"weight": "100",
"period": "100000",
"quota": "0"
},
"cpuset": {
"cpus": "all",
"mems": ""
}
}
},
{
"name": "workload.primary.nondatapath",
"path": "workload.slice/primary/nondatapath",
"controller": {
"cpu": {
"weight": "100",
"period": "100000",
"quota": "0"
},
"cpuset": {
"cpus": "",
"mems": ""
}
}
},
{
"name": "workload.primary.datapath",
"path": "workload.slice/primary/datapath",
"controller": {
"cpu": {
"weight": "100",
"period": "100000",
"quota": "0"
},
"cpuset": {
"cpus": "",
"mems": ""
}
}
},
{
"name": "workload.primary.devicemgr",
"path": "workload.slice/primary/devicemgr",
"controller": {
"cpu": {
"weight": "100",
"period": "100000",
"quota": "0"
},
"cpuset": {
"cpus": "",
"mems": ""
}
}
},
{
"name": "workload.primary.appmgr",
"path": "workload.slice/primary/appmgr",
"controller": {
"cpu": {
"weight": "1000",
"period": "100000",
"quota": "0"
},
"cpuset": {
"cpus": "",
"mems": ""
}
}
},
{
"name": "workload.secondary",
"path": "workload.slice/secondary",
"controller": {
"memory": {
"max": 0.5,
"swap_max": 0,
"low": 0,
"max_unoccupied_mem": "0"
},
"cpu": {
"weight": "100",
"period": "100000",
"quota": "0"
},
"cpuset": {
"cpus": "",
"mems": ""
}
}
},
{
"name": "workload.secondary.default",
"path": "workload.slice/secondary/default",
"controller": {
"memory": {
"max": 0.5,
"swap_max": 0,
"low": 0,
"max_unoccupied_mem": "0"
},
"cpu": {
"weight": "100",
"period": "100000",
"quota": "0"
},
"cpuset": {
"cpus": "",
"mems": ""
}
}
},
{
"name": "workload.secondary.eventmgr",
"path": "workload.slice/secondary/eventmgr",
"controller": {
"memory": {
"max": 0.1,
"swap_max": 0,
"low": 0,
"max_unoccupied_mem": "0"
},
"cpu": {
"weight": "100",
"period": "100000",
"quota": "0"
},
"cpuset": {
"cpus": "",
"mems": ""
}
}
},
{
"name": "userload.default",
"path": "userload.slice/default",
"controller": {
"memory": {
"max": 0.25,
"swap_max": 0,
"low": 0,
"max_unoccupied_mem": "0"
},
"cpu": {
"weight": "100",
"period": "100000",
"quota": "0"
},
"cpuset": {
"cpus": "",
"mems": ""
}
}
}
]
}
Default cgroup profile parameters describes the default cgroup profile parameters.
Parameter |
Description |
|---|---|
name |
The cgroup profile name. Type: string |
path |
The cgroup directory path relative to a unified root path. A typical unified root path is /sys/fs/cgroup or /mnt/cgroup/unified. Type: string |
controller |
The memory controller configuration:
|
cpu |
The CPU controller configuration:
|
cpuset |
CPU usage information for the cgroup:
|
Customer-defined cgroup profile
Customers can configure cgroup profiles in the
/etc/opt/srlinux/appmgr/cgroup_profile.json directory. The app_mgr
creates this directory at boot up if it does not exist.
If a customer-defined cgroup profile fails to load, the system continues to function and applications that are loaded into the customer cgroup are loaded using the following Nokia default behaviors:
Nokia-written applications run in the workload.slice/primary cgroup along with any processes that are started by linuxadmin, including sr_cli.
Non-Nokia-written applications run in the workload.slice/secondary cgroup. If a customer builds an application and launches it using the app_mgr without specifying a cgroup, the application runs in this cgroup.
All interactive user applications run in the user.slice/default cgroup, including sr_cli when not started by linuxadmin.
The admin user is treated as any other user in the system. Its processes fall into the user.slice/default cgroup.
Configuring a cgroup
Customers can configure up to three cgroups in the /etc/opt/srlinux/appmgr/cgroup_profile.json directory. Customer applications are assigned to these groups. Any more than three configured cgroups are ignored. The depth of cgroups is limited to two levels where, for example, workload is one level and primary/secondary are two levels. Any levels beyond this are also ignored.
If a cgroup with the same name is used in multiple customer-defined profiles, the system ignores it and uses the cgroup defined in the default profile.
Cgroup configuration example
The following example shows the configuration of two customer-defined cgroups: one for a lightweight database that needs priority access to resources and one for storing the users of the database.
The following procedure describes the steps and the outputs.
The preceding configuration created two cgroup profiles: one for the database slice and one for the frontend slice. The profile for the database slice is configured to limit the database to 50% of system memory. The profile for the frontend slice is configured to limit the web front end to 20% of system memory.
In addition, both cgroup profiles are configured to limit CPU resources for their respective cgroup. The database server CPU is weighted at 10 000 (the maximum CPU weight) and the frontend server CPU is weighted at 5000 (half the CPU weight of the database). The weights are added together and each group is allocated its ratio of CPU as a proportion of the sum. The periods are kept the same and no guaranteed CPU is granted.
-
Install the application, including the YAML binary file and optional YANG module.
In this example, YAML defines two applications: dtw-database and dtw-frontend. These applications are placed into their own cgroups: distributetheweb.slice/database and distributetheweb.slice/frontend.
The app-mgr creates the cgroups.
The following output shows the installation of the database and a web front end.
dtw-database: path: /opt/distributetheweb/bin/ launch-command: ./run_db search-command: ./run_db failure-threshold: 100 failure-action: "wait=60" cgroup: distributetheweb.slice/database oom-score-adj: -500 yang-modules: names: - "database" source-directories: - "/opt/distributetheweb/yang/"dtw-frontend: path: /opt/distributetheweb/bin/ launch-command: ./run_frontend search-command: ./run_frontend failure-threshold: 100 failure-action: "wait=60" cgroup: distributetheweb.slice/frontend oom-score-adj: 200 yang-modules: names: - "frontend" source-directories: - "/opt/distributetheweb/yang/" -
Configure the cgroup profiles in the
/etc/opt/srlinux/appmgr/cgroup_profile.json
directory.
The following output shows the configuration.
{ "profiles": [ { "name": "distributetheweb.database", "path": "distributetheweb.slice/database", "controller": { "memory": { "max": 0.5, "swap_max": 0, "low": 0 }, "cpu": { "weight": "10000", "period": "100000", "quota": "0" } } }, { "name": "distributetheweb.frontend", "path": "distributetheweb.slice/frontend", "controller": { "memory": { "max": 0.2, "swap_max": 0, "low": 0 }, "cpu": { "weight": "5000", "period": "100000", "quota": "0" } } } ] }
Kernel low-memory killer
The kernel low-memory killer driver monitors the memory state of a running system. It reacts to high memory pressure by killing the least essential processes to keep the system performing at acceptable levels.
When the system is low in memory and cannot find free memory space, the out_of_memory function is called. The out_of_memory function makes memory available by killing one or more processes.
When an out-of-memory (OOM) failure occurs, the out_of_memory function is called and it obtains a score from the select_bad_process function. The process with the highest score is the one that is killed. Criteria used to identify a bad process include the following:
The kernel needs a minimum amount of memory for itself.
Try to reclaim a large amount of memory.
Do not kill a process that is using a small amount of memory.
Try to kill the minimum number of processes.
Algorithms that elevate the sacrifice priority on processes the user wants to kill.
In addition to this list, the OOM killer checks the OOM score. The OOM killer sets the OOM score for each process and then multiplies that value by memory usage. The processes with higher values have a high probability of being terminated by the OOM killer.
SR Linux process kill strategy
The kernel calculates the oom_score using the formula 10 × percentage of memory used by the process. The maximum score is 10 × 100% = 1000. The oom_score of a process can be found in the /proc directory (/proc/$pid/oom_score). An oom_score of 1000 means the process is using all the memory, an oom_score of 500 means it is using half the memory, and an oom_score of 0 means it is using no memory.
The OOM killer checks the oom_score_adj file in the /proc/$pid/oom_score_adj directory to adjust its final calculated score. The default value is 0.
The oom_score_adj value can range from –1000 to 1000. A score of –1000 results
in a process using 100% of the memory and in not being terminated by the OOM killer.
However, a score of 1000 causes the Linux kernel to terminate the process even when it
uses minimal memory. A score of –100 results in a process using 10% of the memory before
it is considered for termination, as its score remains 0 until its unadjusted score
reaches 100.
The oom_score_adj value for each process is defined in its corresponding YAML
definition file. The system groups the processes based on their score, which the SR Linux OOM killer uses as
the hierarchy for terminating a rogue process, as follows:
group1 = –998
For processes that should never be killed, such as app_mgr, idb_server, and all processes on the IMM.
group2 = –200
For processes that ideally should not be killed because doing so has a substantial impact on the system, such as mgmt_server, chassis_mgr, and net_inst_mgr. A score of –200 means the process gets to use 20% of the memory before their memory use starts being counted.
group3 = 0
For process that should be killed if they are using too much memory such as BGP, ISIS, and OSPF.
group4 = 500
For processes that should be preferentially killed, such as cli and oam_mgr.
OOM adjust score per process lists the OOM adjust score for each process.
Process name |
OOM adjust score |
|---|---|
aaa_mgr |
0 |
acl_mgr |
0 |
app_mgr |
–998 |
sarp_nd_mgr |
–200 |
bfd_mgr |
–200 |
bgp_mgr |
0 |
chassis_mgr |
–200 |
dev_mgr |
–200 |
dhcp_client_mgr |
0 |
dhcp_relay_mgr |
0 |
eth_switch_mgr |
–200 |
evpn_mgr |
0 |
fib_mgr |
0 |
grpc_server |
500 |
idb_server |
–998 |
isis_mgr |
0 |
json_rpc |
500 |
l2_mac_learn_mgr |
0 |
l2_mac_mgr |
0 |
l2_static_mac_mgr |
0 |
lag_mgr |
0 |
linux_mgr |
0 |
lldp_mgr |
0 |
log_mgr |
0 |
mcid_mgr |
0 |
mgmt_server |
–200 |
mpls_mgr |
0 |
net_inst_mgr |
–200 |
oam_mgr |
500 |
ospf_mgr |
0 |
plcy_mgr |
0 |
qos_mgr |
0 |
sdk_mgr |
500 |
sflow_sample_mgr |
500 |
sshd-mgmt |
0 |
static_route_mgr |
0 |
supportd |
0 |
timesrv |
0 |
vrrp_mgr |
0 |
vxlan_mgr |
0 |
xdp_cpm |
–200 |
Application manager extensions for cgroups
The cgroup feature provides two additional parameters in the app_mgr YAML file: the cgroup parameter and the oom-score-adj parameter.
The app_mgr uses the cgroup parameter to launch an application
within a specific cgroup. A valid value for the cgroup parameter is
the path of a cgroup as specified in the cgroup profile (equivalent to
/profiles/name[]/path), from the cgroupv2 root. If this cgroup does
not exist, the app_mgr launches the user application from the default cgroup profile
path workload.slice/secondary.
The app_mgr uses the oom-score-adj parameter to set the OOM adjust score for a process. This score is fed into the SR Linux OOM killer. Valid oom-score-adj scores are any value in the range of –1000 to 1000. A process with a score of –1000 is least likely to be killed while a process with a score of 1000 is most likely to be killed. At –1000, a process can use 100% of memory and still avoid being terminated by the OOM killer; however, SR Linux kills the process more frequently.
The cgroup parameter and the oom-score-adj parameter are shown in the following output.
bgp_mgr:
path: @SRLINUX_BINARY_INSTALL_PREFIX@
launch-command: @YAML_LAUNCH_ENVIRONMENT@ ./sr_bgp_mgr
search-command: ./sr_bgp_mgr
oom-score-adj: 0
wait-for-config: Yes
author: 'Nokia'
restricted-operations: ['reload']
cgroup: workload.slice/primary
yang-modules:
names:
- "srl_nokia-bgp"
- "srl_nokia-bgp-vpn"
- "srl_nokia-rib-bgp"
- "srl_nokia-system-network-instance-bgp-vpn"
tools:
- "srl_nokia-tools-bgp"
source-directories:
- "@SRLINUX_FILE_INSTALL_PREFIX@/models/ietf"
- "@SRLINUX_FILE_INSTALL_PREFIX@/models/srl_nokia/models/common"
- "@SRLINUX_FILE_INSTALL_PREFIX@/models/srl_nokia/models/interfaces"
- "@SRLINUX_FILE_INSTALL_PREFIX@/models/srl_nokia/models/network-
instance"
- "@SRLINUX_FILE_INSTALL_PREFIX@/models/srl_nokia/models/routing-policy"
- "@SRLINUX_FILE_INSTALL_PREFIX@/models/srl_nokia/models/system"
Debugging cgroups
Cgroup debugging capability is available through:
SR Linux CLI commands
Linux-provided CLI commands
SR Linux cgroup debugging commands
The SR Linux provides CLI commands to perform the following:
check the usage of existing cgroups
show information about the OOM adjust score of applications managed by the app_mgr
show information about the cgroups that are associated with the applications that are managed by the app_mgr
list all of the applications associated with a specified cgroup
Checking existing cgroup usage
The following output is an example of checking existing cgroup usage.
--{ running }--[ ]--
# info from state platform control A cgroup *
cgroup /mnt/cgroup/unified/userload.slice/default {
memory-statistics {
current 0
current-swap 0
anon 0
kernel-stack 0
slab 0
sock 0
anon-thp 0
file 0
file-writeback 0
file-dirty 0
memory-events {
low 0
high 0
max 0
oom 0
oom-kill 0
}
}
cpuacct-statistics {
user 0
system 0
}
cgroup /mnt/cgroup/unified/workload.slice {
memory-statistics {
current 5887053824
current-swap 0
anon 5344722944
kernel-stack 3178496
slab 21182248
sock 0
anon-thp 2734686208
file 249106432
file-writeback 0
file-dirty 0
memory-events {
low 0
high 0
max 0
oom 0
oom-kill 0
}
}
cpuacct-statistics {
user 180449217810
system 31712573916
}
}
cgroup /mnt/cgroup/unified/workload.slice/primary {
memory-statistics {
current 5840982016
current-swap 0
anon 5342904320
kernel-stack 3162112
slab 21072224
sock 0
anon-thp 2734686208
file 205103104
file-writeback 0
file-dirty 0
memory-events {
low 0
high 0
max 0
oom 0
oom-kill 0
}
}
cpuacct-statistics {
user 180448931554
system 31712492691
}
}
|
|
|
cgroup /mnt/cgroup/unified/workload.slice/secondary {
memory-statistics {
current 2015232
current-swap 0
anon 1818624
kernel-stack 16384
slab 75232
sock 0
anon-thp 0
file 4096
file-writeback 0
file-dirty 0
memory-events {
low 0
high 0
max 0
oom 0
oom-kill 0
}
}
cpuacct-statistics {
user 291582
system 79431
}
}
cgroup /mnt/cgroup/unified/workload.slice/secondary/default {
memory-statistics {
current 1994752
current-swap 0
anon 1818624
kernel-stack 16384
slab 75232
sock 0
anon-thp 0
file 4096
file-writeback 0
file-dirty 0
memory-events {
low 0
high 0
max 0
oom 0
oom-kill 0
}
}
cpuacct-statistics {
user 291582
system 79431
}
}
cgroup /mnt/cgroup/unified/workload.slice/secondary/eventmgr {
memory-statistics {
current 0
current-swap 0
anon 0
kernel-stack 0
slab 0
sock 0
anon-thp 0
file 0
file-writeback 0
file-dirty 0
memory-events {
low 0
high 0
max 0
oom 0
oom-kill 0
}
}
cpuacct-statistics {
user 0
system 0
}
}Showing current OOM adjust scores
The following output is an example of showing information about the current OOM adjust scores for all applications that are managed by the app_mgr.
--{ running }--[ ]--
# info with-context from state system app-management application * oom-score-adj
system {
app-management {
application aaa_mgr {
oom-score-adj 0
}
application acl_mgr {
oom-score-adj 0
}
application app_mgr {
oom-score-adj -998
}
application arp_nd_mgr {
oom-score-adj -200
}
|
|
|
application vxlan_mgr {
oom-score-adj 0
}
application xdp_lc_1 {
oom-score-adj -200
}
}
}
Showing cgroup information
The following output is an example of showing information about cgroups that are associated with applications managed by the app_mgr.
--{ running }--[ ]--
# info from state system app-management application * cgroup
application aaa_mgr {
cgroup /mnt/cgroup/unified/workload.slice/primary/nondatapath
}
application acl_mgr {
cgroup /mnt/cgroup/unified/workload.slice/primary/nondatapath
}
application arp_nd_mgr {
cgroup /mnt/cgroup/unified/workload.slice/primary/nondatapath
}
application bfd_mgr {
cgroup /mnt/cgroup/unified/workload.slice/primary/nondatapath
}
application chassis_mgr {
cgroup /mnt/cgroup/unified/workload.slice/primary/nondatapath
}
application dev_mgr {
cgroup /mnt/cgroup/unified/workload.slice/primary/devicemgr
}
application dhcp_client_mgr {
cgroup /mnt/cgroup/unified/workload.slice/primary/nondatapath
}
application evpn_mgr {
cgroup /mnt/cgroup/unified/workload.slice/primary/nondatapath
}
application fib_mgr {
cgroup /mnt/cgroup/unified/workload.slice/primary/nondatapath
}
application grpc_server {
cgroup /mnt/cgroup/unified/workload.slice/primary/nondatapath
|
|
|
application supportd {
cgroup /mnt/cgroup/unified/workload.slice/primary/nondatapath
}
application vxlan_mgr {
cgroup /mnt/cgroup/unified/workload.slice/primary/nondatapath
}
application xdp_lc_1 {
cgroup /mnt/cgroup/unified/workload.slice/primary/datapath
}
Listing all the applications associated with a specified cgroup
Use the tools system cgroup command pgrep cgroup cgroupname command to list all the applications associated with a specified group; the following output shows an example.
--{ running }--[ ]--
# tools system cgroup command pgrep cgroup workload.slice/primary/nondatapath
| Pid | Process |
+=======+=====================+
| 22368 | sr_supportd |
| 22481 | top |
| 23140 | sr_idb_server |
| 23284 | sr_aaa_mgr |
| 23350 | sr_acl_mgr |
| 23401 | sr_arp_nd_mgr |
| 23465 | sr_bfd_mgr |
| 23516 | sr_chassis_mgr |
| 23563 | sr_dhcp_client_mgr |
| 23602 | sr_evpn_mgr |
| 23671 | sr_fib_mgr |
| 23741 | sr_l2_mac_learn_mgr |
| 23795 | sr_l2_mac_mgr |
| 23848 | sr_lag_mgr |
| 23891 | sr_linux_mgr |
| 23963 | sr_log_mgr |
| 24023 | sr_mcid_mgr |
| 24085 | sr_mfib_mgr |
| 24131 | sr_mgmt_server |
| 24188 | sr_net_inst_mgr |
| 24250 | sr_radius_mgr |
| 24289 | sr_sflow_sample_mgr |
| 24346 | sr_stat_id_mgr |
| 25575 | sr_grpc_server |
| 25614 | sr_plcy_mgr |
| 25655 | sr_qos_mgr |
| 25693 | sr_vxlan_mgr |
| 69524 | bash |
| 69541 | python |
+-------+---------------------+Linux-provided cgroup debugging commands
The following Linux-provided CLI commands are available for debugging cgroups:
the systemd-cgls command
the systemd-cgtop command
The systemd-cgls command dumps the cgroup hierarchy. The following output shows an example of the systemd-cgls command.
[linuxadmin@srlinux unified]$ systemd-cgls
Control group /:
-.slice
├─workload.slice (#6685)
│ ├─primary (#6750)
│ │ ├─nondatapath (#6792)
│ │ │ ├─22368 ./sr_supportd --server-mode
│ │ │ ├─22481 top -b -d 600 -H -i -w 512
│ │ │ ├─23140 ./sr_idb_server
│ │ │ ├─23284 ./sr_aaa_mgr
│ │ │ ├─23350 ./sr_acl_mgr
│ │ │ ├─23401 ./sr_arp_nd_mgr
│ │ │ ├─23465 ./sr_bfd_mgr
│ │ │ ├─23516 ./sr_chassis_mgr
│ │ │ ├─23563 ./sr_dhcp_client_mgr
│ │ │ ├─23602 ./sr_evpn_mgr
│ │ │ ├─23671 ./sr_fib_mgr
│ │ │ ├─23741 ./sr_l2_mac_learn_mgr
│ │ │ ├─23795 ./sr_l2_mac_mgr
│ │ │ ├─23848 ./sr_lag_mgr
│ │ │ ├─23891 ./sr_linux_mgr
│ │ │ ├─23963 ./sr_log_mgr
│ │ │ ├─24023 ./sr_mcid_mgr
│ │ │ ├─24085 ./sr_mfib_mgr
│ │ │ ├─24131 ./sr_mgmt_server
│ │ │ ├─24188 ./sr_net_inst_mgr
│ │ │ ├─24250 ./sr_radius_mgr
│ │ │ ├─24289 ./sr_sflow_sample_mgr
│ │ │ ├─24346 ./sr_stat_id_mgr
│ │ │ ├─25575 ./sr_grpc_server
│ │ │ ├─25614 ./sr_plcy_mgr
│ │ │ ├─25655 ./sr_qos_mgr
│ │ │ └─25693 ./sr_vxlan_mgr
│ │ ├─devicemgr (#6846)
│ │ │ └─22567 ./sr_device_mgr
│ │ ├─datapath (#6819)
│ │ │ └─24385 sr_xdp_lc_1 --slot_num 1 --complex_num 2
│ │ └─appmgr (#6873)
│ │ └─20843 ./sr_app_mgr
│ └─secondary (#6900)
│ └─default (#6942)
│ └─26090 sshd: /usr/sbin/sshd -f /etc/ssh/sshd_config_mgmt
The systemd-cgtop command dumps the current usage of each cgroup. The following output shows an example of the systemd-cgtop command.
Path Tasks %CPU Memory Input/s Output/s
/ 186 - - - -
/system.slice/crond.service 1 - - - -
/system.slice/dbus.service 1 - - - -
/system.slice/polkit.service 1 - - - -
/system.slice/rngd.service 1 - - - -
/system.slice/sr_watchdog.service 1 - - - -
/system.slice/srlinux.service 53 - - - -
/system.slice/sshd.service 1 - - - -
/system.slic...ial-getty@ttyS0.service 3 - - - -
/system.slice/systemd-journald.service 1 - - - -
/system.slice/systemd-logind.service 1 - - - -
/system.slice/systemd-udevd.service 1 - - - -
/system.slice/ztpapi.service 1 - - - -