2009/8/24 Daniel Lezcano <span dir="ltr"><<a href="mailto:daniel.lezcano@free.fr">daniel.lezcano@free.fr</a>></span><br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div></div><div class="h5">Krzysztof Taraszka wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
2009/8/24 Daniel Lezcano <<a href="mailto:daniel.lezcano@free.fr" target="_blank">daniel.lezcano@free.fr</a>><br>
<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Krzysztof Taraszka wrote:<br>
<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
2009/8/24 Daniel Lezcano <<a href="mailto:daniel.lezcano@free.fr" target="_blank">daniel.lezcano@free.fr</a>><br>
<br>
<br>
<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Krzysztof Taraszka wrote:<br>
<br>
<br>
<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
2009/8/24 Daniel Lezcano <<a href="mailto:dlezcano@fr.ibm.com" target="_blank">dlezcano@fr.ibm.com</a>><br>
<br>
<br>
<br>
<br>
<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Krzysztof Taraszka wrote:<br>
<br>
<br>
<br>
<br>
<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
2009/8/24 Daniel Lezcano <<a href="mailto:daniel.lezcano@free.fr" target="_blank">daniel.lezcano@free.fr</a>><br>
<br>
Krzysztof Taraszka wrote:<br>
<br>
<br>
<br>
<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
2009/8/23 Daniel Lezcano <<a href="mailto:daniel.lezcano@free.fr" target="_blank">daniel.lezcano@free.fr</a>><br>
<br>
<br>
<br>
<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
(...)<br>
<br>
<br>
<br>
<br>
With the lxc tools I did:<br>
<br>
<br>
<br>
<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
lxc-execute -n foo /bin/bash<br>
echo 268435456 > /cgroup/foo/memory.limit_in_bytes<br>
mount --bind /cgroup/foo/memory.meminfo /proc/meminfo<br>
for i in $(seq 1 100); do sleep 3600 & done<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</blockquote>
(...)<br>
<br>
<br>
<br>
<br>
:)<br>
<br>
<br>
<br>
<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
hmmm... I think that access to the cgroup inside container is very<br>
<br>
<br>
<br>
<br>
<br>
</blockquote>
risk<br>
because I am able to manage for example memory resources (what if I<br>
am<br>
not<br>
the host owner and... I can give me via non-secure mounted /cgroup<br>
(inside<br>
container) all available memory resources...).<br>
I think that the /proc/meminfo should be pass to the container in<br>
the<br>
other<br>
way, but this is the topic for the other thread.<br>
<br>
<br>
It is not a problem, I did it in this way because it's easy to test<br>
but<br>
<br>
<br>
<br>
<br>
<br>
</blockquote>
in<br>
a real use case, the memory limit is setup by the lxc configuration<br>
file<br>
and<br>
the cgroup directory will be no longer accessible from the container.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</blockquote>
So.. how there will be another method (more secure) for giving<br>
/proc/meminfo<br>
with limits to the container, right?<br>
<br>
<br>
<br>
<br>
<br>
<br>
</blockquote>
Same method. The lxc tools can be configured with a fstab to mount more<br>
mount points, furthermore if memory.meminfo is available I will add the<br>
code<br>
to mount it automatically to /proc/meminfo in the lxc tools.<br>
<br>
<br>
<br>
<br>
<br>
<br>
</blockquote>
Hmm... setup_fs() from lxc_init.c or another way?<br>
<br>
<br>
<br>
<br>
<br>
</blockquote>
No, I was thinking in the setup_cgroup() function in conf.c.<br>
<br>
Something like:<br>
<br>
...<br>
<br>
if (!access("/var/lib/lxc/mycontainer/nsgroup/memory.meminfo"), F_OK) {<br>
mount("/var/lib/lxc/mycontainer/nsgroup/memory.meminfo",<br>
"/proc/meminfo",<br>
MS_BIND, ...);<br>
}<br>
<br>
...<br>
<br>
<br>
but a bit more clean :)<br>
<br>
<br>
<br>
<br>
</blockquote>
hmm... ok, got it, but don't know why does it won't work ;)<br>
<br>
@@ -999,12 +999,14 @@<br>
static int setup_cgroup(const char *name)<br>
{<br>
char filename[MAXPATHLEN];<br>
+ char meminfofilename[MAXPATHLEN];<br>
char line[MAXPATHLEN];<br>
struct stat s;<br>
int ret;<br>
<br>
snprintf(filename, MAXPATHLEN, LXCPATH "/%s/cgroup", name);<br>
-<br>
+ snprintf(meminfofilename, MAXPATHLEN, LXCPATH<br>
"/%s/nsgroup/memory.meminfo", name);<br>
+<br>
if (stat(filename, &s)) {<br>
SYSERROR("failed to stat '%s'", filename);<br>
return -1;<br>
@@ -1024,6 +1026,10 @@<br>
<br>
INFO("cgroup has been setup");<br>
<br>
+ /* mount memory.meminfo as /proc/meminfo */<br>
+ if (!access(meminfofilename, F_OK)) {<br>
+ mount(meminfofilename, "/proc/meminfo", "none", MS_BIND, 0);<br>
+ }<br>
return 0;<br>
}<br>
<br>
<br>
hmm... any idea Daniel? :)<br>
<br>
<br>
<br>
</blockquote>
Yep, can you check the return code of the mount call and return an error ?<br>
if (mount(....)) {<br>
SYSERROR("failed to mount '%s' to '/proc/meminfo'", meminfofilename);<br>
return -1;<br>
}<br>
at least to verify if this does not fail.<br>
and maybe add an INFO trace if the mount is successful saying<br>
"/proc/meminfo" is setup with the cgroup.<br>
<br>
ps : you should launch the command with the "-l INFO" to see the message.<br>
<br>
<br>
</blockquote>
<br>
<br>
<br>
<br>
Hmmm....<br>
i think that I know where the problem might be:<br>
<br>
look here:<br>
<br>
lxc1:~# cat debin.log<br>
lxc-start 1251109397.922 INFO lxc_conf - tty's configured<br>
lxc-start 1251109397.922 INFO lxc_start - 'debian' is initialized<br>
lxc-start 1251109397.974 INFO lxc_conf - 'debian' hostname has<br>
been setup<br>
lxc-start 1251109397.975 INFO lxc_conf - network has been setup<br>
lxc-start 1251109397.976 INFO lxc_conf - cgroup has been setup<br>
lxc-start 1251109397.976 INFO lxc_conf - /proc/meminfo is setup<br>
with the cgroup<br>
lxc-start 1251109397.976 INFO lxc_conf - mount points have been<br>
setup<br>
lxc-start 1251109397.976 INFO lxc_conf - console '/dev/pts/1'<br>
mounted to '/usr/local/var/lib/lxc/debian/rootfs/dev/console'<br>
lxc-start 1251109397.977 INFO lxc_conf - 4 tty(s) has been setup<br>
lxc-start 1251109397.977 INFO lxc_conf - chrooted to<br>
'/usr/local/var/lib/lxc/debian/rootfs'<br>
lxc-start 1251109397.977 INFO lxc_conf - created new pts instance<br>
lxc-start 1251109397.977 NOTICE lxc_conf - 'debian' is setup.<br>
lxc-start 1251109397.977 NOTICE lxc_start - exec'ing '/sbin/init'<br>
lxc-start 1251109397.978 NOTICE lxc_start - '/sbin/init' started<br>
with pid '24339'<br>
<br>
i think that /proc/meminfo should be mounted after /proc . why? i think<br>
that, because mounting /proc may override /proc/meminfo<br>
Am I right? :)<br>
<br>
</blockquote></div></div>
Ha ! haha ! arrgh ! no way ! You are right :/<br>
</blockquote><div><br>Hehe ;) <br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
In the case of application container, lxc mounts /proc but in the case of system container it is the system who do that so after the /proc/meminfo has been mounted.<br>
<br>
Maybe we can look at modifying fs/proc/meminfo.c instead. Let me do a small patch for the kernel...<br>
<br>
</blockquote></div><br>Okey. I am waiting for your patch :)<br><br>-- <br>Krzysztof Taraszka<br>