[lxc-devel] [RFC PATCH 0/1] allow setting cgroup items before the cgroup is entered
Serge Hallyn
serge.hallyn at ubuntu.com
Tue May 14 16:01:04 UTC 2013
Quoting Dwight Engen (dwight.engen at oracle.com):
> Hi,
>
> I tried to put lxc.cgroup.memory.kmem.limit_in_bytes = 4194304 in a
> config file to test forkbomb prevention. The problem with this is that
> kmem.limit_in_bytes (per the kernel documentation) "cannot be set if
> the cgroup have children, or if there are already tasks in the cgroup".
> Currently, lxc does lxc_cgroup_enter() before doing setup_cgroup() in
> the lxc_spawn() flow and therefore gets -EBUSY.
>
> Commit 544a48a0 leads me to believe that we don't want to move
> setup_cgroup() earlier, so I've refactored it to create an additional
> setup_cgroup_pre_enter() that gets called before lxc_cgroup_enter().
> Currently it only writes kmem.limit_in_bytes, if there are other items
> that need to be setup pre-enter, they could easily be added to the
> list. This fixes the problem for me. I think we are trying to keep lxc
> from knowing about specific cgroup control knobs, but I have not
> thought of another way to do this. Thoughts?
I think the only problem with configuring cgroups early is that some
block devices which the container might want to mount could be denied.
So perhaps we should do the inverse of what you're doing. Configure
all cgroups right before lxc_cgroup_enter(), except for devices
cgroup, which gets configured after mounts happen?
-serge
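As an added illustration, not code from this thread or from lxc itself, here is a small Python simulation of the ordering Serge proposes against a fake cgroupfs tree: it parses lxc.cgroup.* lines, writes every non-devices item before the task is entered, and defers the devices cgroup until after mounts. The kernel's -EBUSY refusal is imitated for memory.kmem.limit_in_bytes only; the config lines, the pid and the directory paths are constructed for the example.

```python
import errno
import re
import shutil
from pathlib import Path

# Constructed sample config, in the lxc.cgroup.<subsys>.<key> = <value> form used in the thread
SAMPLE_CONFIG = """\
lxc.cgroup.memory.kmem.limit_in_bytes = 4194304
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
"""
CGROUP_RE = re.compile(r"^\s*lxc\.cgroup\.([^\s=]+)\s*=\s*(.*?)\s*$")
PRE_ENTER_ONLY = {"memory.kmem.limit_in_bytes"}  # refused once the cgroup has tasks (per the thread)

def parse_cgroup_items(text):
    """Return [(subsystem, key, value)] for each lxc.cgroup.* line; other lines are ignored."""
    matches = (CGROUP_RE.match(line) for line in text.splitlines())
    return [(m[1].split(".", 1)[0], m[1], m[2]) for m in matches if m]

def split_by_phase(items):
    """Serge's ordering: everything before the enter, except devices, which waits for mounts."""
    return [i for i in items if i[0] != "devices"], [i for i in items if i[0] == "devices"]

def write_item(root, name, subsys, key, value):
    """Write <root>/<subsys>/<name>/<key>; return 0, or EBUSY as the kernel does for PRE_ENTER_ONLY."""
    d = Path(root) / subsys / name
    d.mkdir(parents=True, exist_ok=True)
    if key in PRE_ENTER_ONLY and (d / "tasks").exists() and (d / "tasks").read_text().strip():
        return errno.EBUSY
    (d / key).write_text(value + "\n")
    return 0

def read_item(root, name, subsys, key):
    return (Path(root) / subsys / name / key).read_text().strip()

def spawn(root, name, config_text, pid, setup_before_enter=True):
    """Simulated lxc_spawn(); returns [(step, key, rc)]. setup_before_enter=False is the old order."""
    shutil.rmtree(root, ignore_errors=True)          # always start from a fresh simulated tree
    pre, post = split_by_phase(parse_cgroup_items(config_text))
    if not setup_before_enter:                       # old flow: enter first, then configure everything
        pre, post = [], pre + post
    log = [("setup", k, write_item(root, name, s, k, v)) for s, k, v in pre]
    for subsys in sorted({i[0] for i in pre + post}):
        d = Path(root) / subsys / name
        d.mkdir(parents=True, exist_ok=True)
        (d / "tasks").write_text(f"{pid}\n")         # lxc_cgroup_enter()
    log += [("enter", None, 0), ("mounts", None, 0)]  # the container's mounts happen in between
    log += [("setup", k, write_item(root, name, s, k, v)) for s, k, v in post]
    return log
```

Running spawn() with setup_before_enter=False reproduces the -EBUSY Dwight describes; with the default ordering the kmem limit lands before the task does and the devices rules land after the mounts.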