<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 11/22/2014 06:10 AM, Fajar A.
      Nugraha wrote:<br>
    </div>
    <blockquote
cite="mid:CAG1y0sdWT43-C6MLQY6v4fUfaVpiT2nVBV4QOsKmrKqZgFCDYQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">On Fri, Nov 21, 2014 at 2:45 PM,
            Michael R. Hines <span dir="ltr"><<a
                moz-do-not-send="true"
                href="mailto:mrhines@linux.vnet.ibm.com" target="_blank">mrhines@linux.vnet.ibm.com</a>></span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hi
              All,<br>
              <br>
I am using LXC 1.0.5, and I have a container running Red Hat
              7.0 on a Power7 processor. My host kernel version is
              3.10.42.<br>
              <br>
The cgroup for this container, located at /cgroup/cpu, works
              very well - I can manually echo<br>
              different shares and control resource usage as expected.<br>
              <br>
              But, to my surprise, I set the "memory.limit_in_bytes"
              option of the container in /cgroup/memory/lxc/../container/memory.limit<br>
              to a low number (like 2G in bytes), and the container was
              still able to consume all the memory in the system.<br>
              <br>
              So, digging deeper I printed the output of "cgroup.procs"
              and found that *only* systemd inside the container<br>
              was properly joined into the group, whereas all the other
              child processes of the container were missing.<br>
              <br>
            </blockquote>
            <div><br>
            </div>
            <div><br>
            </div>
            <div>How did you create the RH7 container?</div>
            <div><br>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    Thank you for your response: I directly copied it from KVM..... was
    that a bad idea?<br>
    <br>
    <blockquote
cite="mid:CAG1y0sdWT43-C6MLQY6v4fUfaVpiT2nVBV4QOsKmrKqZgFCDYQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <div>From my past experience with fedora templates, systemd
              on the container tried to create its own cgroup, OUTSIDE
              of the normal container cgroup path. I suspect in your
              case it works (as in, container started) because there's
              nothing limiting the container from mounting cgroupfs and
              creating its own cgroup. That wouldn't have worked on an
              Ubuntu host with default apparmor settings active.</div>
            <div><br>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
Wow. Ok. So, I need to set up apparmor correctly on the host side of RH?<br>
    <br>
    <blockquote
cite="mid:CAG1y0sdWT43-C6MLQY6v4fUfaVpiT2nVBV4QOsKmrKqZgFCDYQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">
<div>I ended up using the default apparmor profile (to keep
              it secure), but manually created and bind-mounted the
              cgroups that systemd needs. See <a moz-do-not-send="true"
href="https://lists.linuxcontainers.org/pipermail/lxc-users/2014-May/007069.html"
                target="_blank">https://lists.linuxcontainers.org/pipermail/lxc-users/2014-May/007069.html</a>,
              search "snippet"</div>
            <div><br>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    Excellent - I will give that a try.....<br>
    <br>
    - Michael<br>
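A check for the symptom discussed in this thread (only the container's init listed in cgroup.procs while its children run outside the memory limit), added here as an example and not code from the thread or from LXC. It assumes cgroup v1 with the memory hierarchy at /cgroup/memory, LXC's lxc/&lt;name&gt; layout under it, and GNU procps ps(1) for --ppid.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether every process in a
# container's process tree is a member of the container's memory cgroup.
# Assumptions: cgroup v1, memory hierarchy mounted at $CGROUP_MEMORY
# (the thread's /cgroup/memory), LXC placing containers under lxc/<name>,
# and GNU procps ps(1) for --ppid.

CGROUP_MEMORY="${CGROUP_MEMORY:-/cgroup/memory}"

# missing_from_cgroup PROCS EXPECTED
# Print each PID in EXPECTED (one per line) that is not listed in the
# cgroup.procs file PROCS. Pure text processing, so it works on saved
# copies of the files as well as on the live cgroupfs.
missing_from_cgroup() {
    procs="$1"; expected="$2"
    sort -n -u "$expected" | while read -r pid; do
        grep -qx "$pid" "$procs" || echo "$pid"
    done
}

# process_tree PID
# Print PID followed by all of its descendants on the host.
process_tree() {
    echo "$1"
    for child in $(ps -o pid= --ppid "$1"); do
        process_tree "$child"
    done
}

# audit_container NAME INIT_PID
# Compare the container's live process tree (rooted at the host PID of
# its init) against its memory cgroup; prints any PIDs found outside the
# cgroup and returns 1 if there were any.
audit_container() {
    procs="$CGROUP_MEMORY/lxc/$1/cgroup.procs"
    tree=$(mktemp)
    process_tree "$2" > "$tree"
    total=$(wc -l < "$tree")
    escaped=$(missing_from_cgroup "$procs" "$tree")
    rm -f "$tree"
    if [ -n "$escaped" ]; then
        echo "processes outside $procs:"
        echo "$escaped"
        return 1
    fi
    echo "all $total processes are in $procs"
    return 0
}
```

On a live host, run `audit_container <container-name> <host-pid-of-container-init>` after setting the limit; a non-empty list means the limit is not being applied to those processes.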
  </body>
</html>