2009/8/24 Daniel Lezcano <span dir="ltr"><<a href="mailto:daniel.lezcano@free.fr">daniel.lezcano@free.fr</a>></span><br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div></div><div class="h5">Krzysztof Taraszka wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
2009/8/24 Daniel Lezcano <<a href="mailto:daniel.lezcano@free.fr" target="_blank">daniel.lezcano@free.fr</a>><br>
<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Krzysztof Taraszka wrote:<br>
<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
2009/8/24 Daniel Lezcano <<a href="mailto:dlezcano@fr.ibm.com" target="_blank">dlezcano@fr.ibm.com</a>><br>
<br>
<br>
<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Krzysztof Taraszka wrote:<br>
<br>
<br>
<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
2009/8/24 Daniel Lezcano <<a href="mailto:daniel.lezcano@free.fr" target="_blank">daniel.lezcano@free.fr</a>><br>
<br>
Krzysztof Taraszka wrote:<br>
<br>
<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
2009/8/23 Daniel Lezcano <<a href="mailto:daniel.lezcano@free.fr" target="_blank">daniel.lezcano@free.fr</a>><br>
<br>
<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
(...)<br>
<br>
<br>
<br>
<br>
With the lxc tools I did:<br>
<br>
<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
lxc-execute -n foo /bin/bash<br>
echo 268435456 > /cgroup/foo/memory.limit_in_bytes<br>
mount --bind /cgroup/foo/memory.meminfo /proc/meminfo<br>
for i in $(seq 1 100); do sleep 3600 & done<br>
<br>
<br>
<br>
<br>
<br>
<br>
</blockquote>
(...)<br>
<br>
<br>
<br>
<br>
:)<br>
<br>
<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
hmmm... I think that access to the cgroup inside container is very<br>
<br>
<br>
<br>
</blockquote>
risk<br>
because I am able to manage for example memory resources (what if I am<br>
not<br>
the host owner and... I can give me via non-secure mounted /cgroup<br>
(inside<br>
container) all available memory resources...).<br>
I think that the /proc/meminfo should be pass to the container in the<br>
other<br>
way, but this is the topic for the other thread.<br>
<br>
<br>
It is not a problem, I did it in this way because it's easy to test<br>
but<br>
<br>
<br>
<br>
</blockquote>
in<br>
a real use case, the memory limit is setup by the lxc configuration<br>
file<br>
and<br>
the cgroup directory will be no longer accessible from the container.<br>
<br>
<br>
<br>
<br>
<br>
</blockquote>
So.. how there will be another method (more secure) for giving<br>
/proc/meminfo<br>
with limits to the container, right?<br>
<br>
<br>
<br>
<br>
</blockquote>
Same method. The lxc tools can be configured with a fstab to mount more<br>
mount points, furthermore if memory.meminfo is available I will add the<br>
code<br>
to mount it automatically to /proc/meminfo in the lxc tools.<br>
<br>
<br>
<br>
<br>
</blockquote>
Hmm... setup_fs() from lxc_init.c or another way?<br>
<br>
<br>
<br>
</blockquote>
No, I was thinking in the setup_cgroup() function in conf.c.<br>
<br>
Something like:<br>
<br>
...<br>
<br>
if (!access("/var/lib/lxc/mycontainer/nsgroup/memory.meminfo"), F_OK) {<br>
mount("/var/lib/lxc/mycontainer/nsgroup/memory.meminfo", "/proc/meminfo",<br>
MS_BIND, ...);<br>
}<br>
<br>
...<br>
<br>
<br>
but a bit more clean :)<br>
<br>
<br>
</blockquote>
<br>
<br>
hmm... ok, got it, but don't know why does it won't work ;)<br>
<br>
@@ -999,12 +999,14 @@<br>
static int setup_cgroup(const char *name)<br>
{<br>
char filename[MAXPATHLEN];<br>
+ char meminfofilename[MAXPATHLEN];<br>
char line[MAXPATHLEN];<br>
struct stat s;<br>
int ret;<br>
<br>
snprintf(filename, MAXPATHLEN, LXCPATH "/%s/cgroup", name);<br>
-<br>
+ snprintf(meminfofilename, MAXPATHLEN, LXCPATH<br>
"/%s/nsgroup/memory.meminfo", name);<br>
+<br>
if (stat(filename, &s)) {<br>
SYSERROR("failed to stat '%s'", filename);<br>
return -1;<br>
@@ -1024,6 +1026,10 @@<br>
<br>
INFO("cgroup has been setup");<br>
<br>
+ /* mount memory.meminfo as /proc/meminfo */<br>
+ if (!access(meminfofilename, F_OK)) {<br>
+ mount(meminfofilename, "/proc/meminfo", "none", MS_BIND, 0);<br>
+ }<br>
return 0;<br>
}<br>
<br>
<br>
hmm... any idea Daniel? :)<br>
<br>
</blockquote></div></div>
Yep, can you check the return code of the mount call and return an error ?<br>
if (mount(....)) {<br>
SYSERROR("failed to mount '%s' to '/proc/meminfo'", meminfofilename);<br>
return -1;<br>
}<br>
at least to verify if this does not fail.<br>
and maybe add an INFO trace if the mount is successful saying "/proc/meminfo" is setup with the cgroup.<br>
<br>
ps : you should launch the command with the "-l INFO" to see the message.<br>
</blockquote></div><br><br>Weird.<span class="mw"></span> I made a test and move the mount the /proc/meminfo to the setup_console() and it did not take effect. mount() did not fail (there were no failed log).<br>Why I moved this part of code? Well.. I was wonder that what was happend if I mount /proc/meminfo after the setup_mount() to override /proc/meminfo.<br>
Don't have idea what can I do next ;) Daniel?<br><br>-- <br>Krzysztof Taraszka<br>