[lxc-devel] [PATCH] Importance for adding pids of lxc-attach to the cgroup of container

"Axel Schöner" axel.schoener at gmx.de
Wed Oct 5 18:46:25 UTC 2011


I've submitted a patch-set a few days before, but I didn't get any feedback yet.

The reason for this patch is, by using "lxc-attach" to enter the namespaces of 
a container, the "lxc-attach" process and its child processes are not added to 
the cgroup task-files of the container.
That means that the cgroup-based restrictions for these processes would not 
be applied!

I think that should be fixed. The patches are again attached to this mail.

It can be reproduced by starting a container, attaching to it and executing a 
command like "top" inside. Execute "ps -ejH" from the outside and identify the 
pids of "lxc-attach" and "top".
Then look at the task-file of the container's cgroup and search for the pids of the 
"lxc-attach" and "top" processes. They will not be there.


I demonstrate this by two examples:

First example, running a process by lxc-attach without the patch:

 1373  1373  1373 ?        00:00:00   sshd
 1496  1496  1496 ?        00:00:00     sshd
 1568  1568  1568 pts/0    00:00:00       bash
 1769  1769  1568 pts/0    00:00:00         lxc-attach
 1770  1770  1568 pts/0    00:00:00           bash
 1780  1780  1568 pts/0    00:00:00             top
 1781  1781  1781 ?        00:00:00     sshd
 1852  1852  1852 pts/6    00:00:00       bash
 1910  1910  1852 pts/6    00:00:00         ps
 1389  1308  1308 ?        00:00:00   gvfsd
 1402   863   863 ?        00:00:00   upowerd
 1406  1406  1406 ?        00:00:00   pulseaudio
 1489  1406  1406 ?        00:00:00     gconf-helper
 1408   863   863 ?        00:00:00   rtkit-daemon
 1686  1686  1686 ?        00:00:00   lxc-start
 1688  1688  1688 ?        00:00:00     init

cat /cgroup/lxc_tty1/tasks 
1688
1731
1736

Now run it after patching:

 1373  1373  1373 ?        00:00:00   sshd
 1496  1496  1496 ?        00:00:00     sshd
 1568  1568  1568 pts/0    00:00:00       bash
 5576  5576  1568 pts/0    00:00:00         lxc-attach
 5577  5577  1568 pts/0    00:00:00           bash
 5587  5587  1568 pts/0    00:00:00             top
 1781  1781  1781 ?        00:00:00     sshd
 1852  1852  1852 pts/6    00:00:00       bash
 5588  5588  1852 pts/6    00:00:00         ps
 1389  1308  1308 ?        00:00:00   gvfsd
 1402   863   863 ?        00:00:00   upowerd
 1406  1406  1406 ?        00:00:00   pulseaudio
 1489  1406  1406 ?        00:00:00     gconf-helper
 1408   863   863 ?        00:00:00   rtkit-daemon
 5496  5496  5496 ?        00:00:00   lxc-start
 5499  5499  5499 ?        00:00:00     init

cat /cgroup/lxc_tty1/tasks 
5499
5541
5545
5576
5577
5587


The second example demonstrates that the cgroup restriction doesn't work without the patch.
In the configuration of a container I set "lxc.cgroup.cpuset.cpus = 0", then I test it by launching cpuburn two times; here are the results:

Without the patch:
ps -aux | grep burn
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root     14818  100  0.0    148     4 pts/1    R    18:02   0:28 burnP6
root     14819  100  0.0    148     4 pts/1    R+   18:02   0:26 burnP6

With the patch:
lxc.cgroup.cpuset.cpus = 0
ps -aux | grep burn
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root     19223 52.7  0.0    148     4 pts/1    R    18:05   0:19 burnP6
root     19224 49.9  0.0    148     4 pts/1    R+   18:05   0:17 burnP6


Background:
I'm using "lxc-attach" by PAM to login a user into an adhoc created container, console-based and graphical. We intend to make the source code publicly available in the near future.


Axel Schöner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch_attach_cgroup_1of5_namespace.c
Type: text/x-csrc
Size: 844 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20111005/c7de3178/attachment.c>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch_attach_cgroup_2of5_namespace.h
Type: text/x-chdr
Size: 396 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20111005/c7de3178/attachment.h>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch_attach_cgroup_3of5_cgroup.c
Type: text/x-csrc
Size: 1464 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20111005/c7de3178/attachment-0001.c>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch_attach_cgroup_4of5_cgroup.h
Type: text/x-chdr
Size: 404 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20111005/c7de3178/attachment-0001.h>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch_attach_cgroup_5of5_lxc_attach.c
Type: text/x-csrc
Size: 433 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20111005/c7de3178/attachment-0002.c>
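
The check described in the mail (find the "lxc-attach" subtree in the "ps -ejH" output, then look for those pids in the container's cgroup tasks file), automated as an added example; it is not part of the original mail or of the attached patches. The listings are trimmed from the mail's own output, and the function names are hypothetical.

```python
import re

# ps -ejH row: PID PGID SID TTY TIME CMD; CMD is indented by process depth.
ROW = re.compile(r"^\s*(\d+)\s+\d+\s+\d+\s+\S+\s+\S+(\s+)(\S.*)$")

# Trimmed from the mail's listings (unpatched run, then patched run).
PS_UNPATCHED = """\
 1568  1568  1568 pts/0    00:00:00       bash
 1769  1769  1568 pts/0    00:00:00         lxc-attach
 1770  1770  1568 pts/0    00:00:00           bash
 1780  1780  1568 pts/0    00:00:00             top
 1781  1781  1781 ?        00:00:00     sshd
 1688  1688  1688 ?        00:00:00     init
"""
TASKS_UNPATCHED = "1688\n1731\n1736\n"
PS_PATCHED = """\
 1568  1568  1568 pts/0    00:00:00       bash
 5576  5576  1568 pts/0    00:00:00         lxc-attach
 5577  5577  1568 pts/0    00:00:00           bash
 5587  5587  1568 pts/0    00:00:00             top
 1781  1781  1781 ?        00:00:00     sshd
"""
TASKS_PATCHED = "5499\n5541\n5545\n5576\n5577\n5587\n"

def attach_subtree(ps_text, root_cmd="lxc-attach"):
    """Return [(pid, cmd)] for each root_cmd process and its descendants."""
    found, root_depth = [], None
    for line in ps_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or unrelated text
        pid, depth, cmd = int(m.group(1)), len(m.group(2)), m.group(3).strip()
        if root_depth is not None and depth <= root_depth:
            root_depth = None  # indentation dropped: left the subtree
        if root_depth is None and cmd == root_cmd:
            root_depth = depth
        if root_depth is not None:
            found.append((pid, cmd))
    return found

def outside_cgroup(ps_text, tasks_text):
    """Attached processes whose pid is missing from the cgroup tasks file."""
    members = {int(p) for p in tasks_text.split()}
    return [(p, c) for p, c in attach_subtree(ps_text) if p not in members]

if __name__ == "__main__":
    print("unpatched, outside cgroup:", outside_cgroup(PS_UNPATCHED, TASKS_UNPATCHED))
    print("patched, outside cgroup:  ", outside_cgroup(PS_PATCHED, TASKS_PATCHED))
```
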

