[lxc-devel] [PATCH] Importance for adding pids of lxc-attach to the cgroup of container
"Axel Schöner"
axel.schoener at gmx.de
Wed Oct 5 18:46:25 UTC 2011
I've submitted a patch-set a few days ago, but I didn't get any feedback yet.
The reason for this patch is, by using "lxc-attach" to enter the namespaces of
a container, the "lxc-attach" process and its child processes are not added to
the cgroup task-files of the container.
That means that the cgroup-based restrictions for these processes would not
be applied!
I think that should be fixed. The patches are again attached to this mail.
It can be reproduced by starting a container, attach to it and execute a
command like "top" inside. Execute "ps -ejH" from the outside and identify the
pids of "lxc-attach" and "top".
Then look at the task-file of the containers cgroup and search the pids of the
"lxc-attach" and "top" process. They will not be there.
I demonstrate this by two examples:
First example, running a process by lxc-attach without the patch:
1373 1373 1373 ? 00:00:00 sshd
1496 1496 1496 ? 00:00:00 sshd
1568 1568 1568 pts/0 00:00:00 bash
1769 1769 1568 pts/0 00:00:00 lxc-attach
1770 1770 1568 pts/0 00:00:00 bash
1780 1780 1568 pts/0 00:00:00 top
1781 1781 1781 ? 00:00:00 sshd
1852 1852 1852 pts/6 00:00:00 bash
1910 1910 1852 pts/6 00:00:00 ps
1389 1308 1308 ? 00:00:00 gvfsd
1402 863 863 ? 00:00:00 upowerd
1406 1406 1406 ? 00:00:00 pulseaudio
1489 1406 1406 ? 00:00:00 gconf-helper
1408 863 863 ? 00:00:00 rtkit-daemon
1686 1686 1686 ? 00:00:00 lxc-start
1688 1688 1688 ? 00:00:00 init
cat /cgroup/lxc_tty1/tasks
1688
1731
1736
Now run it after patching:
1373 1373 1373 ? 00:00:00 sshd
1496 1496 1496 ? 00:00:00 sshd
1568 1568 1568 pts/0 00:00:00 bash
5576 5576 1568 pts/0 00:00:00 lxc-attach
5577 5577 1568 pts/0 00:00:00 bash
5587 5587 1568 pts/0 00:00:00 top
1781 1781 1781 ? 00:00:00 sshd
1852 1852 1852 pts/6 00:00:00 bash
5588 5588 1852 pts/6 00:00:00 ps
1389 1308 1308 ? 00:00:00 gvfsd
1402 863 863 ? 00:00:00 upowerd
1406 1406 1406 ? 00:00:00 pulseaudio
1489 1406 1406 ? 00:00:00 gconf-helper
1408 863 863 ? 00:00:00 rtkit-daemon
5496 5496 5496 ? 00:00:00 lxc-start
5499 5499 5499 ? 00:00:00 init
cat /cgroup/lxc_tty1/tasks
5499
5541
5545
5576
5577
5587
The second example demonstrates that the cgroup restriction doesn't work without the patch.
In the configuration of a container I set "lxc.cgroup.cpuset.cpus = 0", then I test it by launching cpuburn two times, here are the results:
Without the patch:
ps -aux | grep burn
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 14818 100 0.0 148 4 pts/1 R 18:02 0:28 burnP6
root 14819 100 0.0 148 4 pts/1 R+ 18:02 0:26 burnP6
With the patch:
lxc.cgroup.cpuset.cpus = 0
ps -aux | grep burn
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 19223 52.7 0.0 148 4 pts/1 R 18:05 0:19 burnP6
root 19224 49.9 0.0 148 4 pts/1 R+ 18:05 0:17 burnP6
Background:
I'm using "lxc-attach" by PAM to login a user into an adhoc created container, console-based and graphical. We intend to make the source code publicly available in the near future.
Axel Schöner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch_attach_cgroup_1of5_namespace.c
Type: text/x-csrc
Size: 844 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20111005/c7de3178/attachment.c>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch_attach_cgroup_2of5_namespace.h
Type: text/x-chdr
Size: 396 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20111005/c7de3178/attachment.h>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch_attach_cgroup_3of5_cgroup.c
Type: text/x-csrc
Size: 1464 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20111005/c7de3178/attachment-0001.c>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch_attach_cgroup_4of5_cgroup.h
Type: text/x-chdr
Size: 404 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20111005/c7de3178/attachment-0001.h>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch_attach_cgroup_5of5_lxc_attach.c
Type: text/x-csrc
Size: 433 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20111005/c7de3178/attachment-0002.c>
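The check described in the mail (compare the PIDs of "lxc-attach" and its children with the container's cgroup tasks file) can be automated; the following is an added example, not part of the original mail or of the attached patches. It assumes the process list is taken with `ps -eo pid,ppid,comm`; the PIDs and commands follow the first listing above, the PPID column is constructed, and the function names are hypothetical.

```python
"""Audit: are lxc-attach and its descendants listed in the container's cgroup tasks file?"""

# Constructed sample in `ps -eo pid,ppid,comm` form. PIDs and commands follow the
# first listing in the mail; the PPID column is an assumption made for this example.
SAMPLE_PS = """\
  PID  PPID COMMAND
 1568  1496 bash
 1769  1568 lxc-attach
 1770  1769 bash
 1780  1770 top
 1686     1 lxc-start
 1688  1686 init
"""
# Contents of /cgroup/lxc_tty1/tasks as shown in the mail for the unpatched run.
TASKS_UNPATCHED = "1688\n1731\n1736\n"

def parse_ps(text):
    """Return {pid: (ppid, comm)}; header and malformed rows are skipped."""
    procs = {}
    for line in text.splitlines():
        fields = line.split(None, 2)
        if len(fields) == 3 and fields[0].isdigit() and fields[1].isdigit():
            procs[int(fields[0])] = (int(fields[1]), fields[2].strip())
    return procs

def attach_subtrees(procs, attach_comm="lxc-attach"):
    """Return the PIDs of every lxc-attach process and all of its descendants."""
    children = {}
    for pid, (ppid, _) in procs.items():
        children.setdefault(ppid, []).append(pid)
    found = set()
    stack = [p for p, (_, comm) in procs.items() if comm == attach_comm]
    while stack:
        pid = stack.pop()
        if pid not in found:
            found.add(pid)
            stack.extend(children.get(pid, []))
    return found

def unconfined(ps_text, tasks_text):
    """Sorted (pid, comm) pairs under lxc-attach that are missing from the tasks file."""
    procs = parse_ps(ps_text)
    in_cgroup = {int(t) for t in tasks_text.split() if t.isdigit()}
    return sorted((p, procs[p][1]) for p in attach_subtrees(procs) - in_cgroup)

if __name__ == "__main__":
    for pid, comm in unconfined(SAMPLE_PS, TASKS_UNPATCHED):
        print(f"PID {pid} ({comm}) runs under lxc-attach but is not in the cgroup")
```

An empty result means every attached process is subject to the container's cgroup limits; any reported PID runs outside them.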