[lxc-devel] Memory Resources

Daniel Lezcano daniel.lezcano at free.fr
Mon Aug 24 08:19:29 UTC 2009


Krzysztof Taraszka wrote:
> 2009/8/23 Daniel Lezcano <daniel.lezcano at free.fr>
>
> (...)
>
>
>   
>> With the lxc tools I did:
>>
>>        lxc-execute -n foo /bin/bash
>>        echo 268435456 > /cgroup/foo/memory.limit_in_bytes
>>        mount --bind /cgroup/foo/memory.meminfo /proc/meminfo
>>        for i in $(seq 1 100); do sleep 3600 & done
>>     
>
>
> (...)
>
>
>   
>> :)
>>
>>
>>     
> hmmm... I think that access to the cgroup inside the container is very risky
> because I am able to manage, for example, memory resources (what if I am not
> the host owner and... I can give myself via non-secure mounted /cgroup (inside
> container) all available memory resources...).
> I think that the /proc/meminfo should be passed to the container in another
> way, but this is a topic for another thread.
>   
It is not a problem. I did it this way because it's easy to test, but
in a real use case the memory limit is set up by the lxc configuration
file and the cgroup directory will no longer be accessible from the
container.
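
A check for the exposure discussed in this thread, added here as an example (it is not part of the original message or of the lxc tools): run inside a container, it lists cgroup filesystems that are mounted read-write. The function name `writable_cgroup_mounts` and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: find cgroup filesystems mounted read-write in a mount table
# that uses the /proc/mounts format (device mountpoint fstype options ...).
# Inside a container, any hit means processes there may be able to rewrite
# their own resource limits, e.g. memory.limit_in_bytes.

# writable_cgroup_mounts FILE
# Prints "mountpoint options" for each cgroup/cgroup2 mount whose option
# list contains the token "rw". Exit status 0 if any were found, 1 if none.
writable_cgroup_mounts() {
    awk '
        ($3 == "cgroup" || $3 == "cgroup2") {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] == "rw") {
                    print $2, $4
                    found = 1
                    break
                }
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Demo on a constructed mount table (not captured from a real system).
# To check a live container, call: writable_cgroup_mounts /proc/mounts
sample=$(mktemp)
cat > "$sample" <<'EOF'
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
cgroup /cgroup cgroup rw,memory 0 0
EOF

if hits=$(writable_cgroup_mounts "$sample"); then
    echo "writable cgroup mounts visible:"
    echo "$hits"
else
    echo "no writable cgroup mounts visible"
fi
rm -f "$sample"
```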



