[lxc-devel] [RFC PATCH 0/1] allow setting cgroup items before the cgroup is entered

Dwight Engen dwight.engen at oracle.com
Wed May 15 15:26:06 UTC 2013


On Tue, 14 May 2013 11:01:04 -0500
Serge Hallyn <serge.hallyn at ubuntu.com> wrote:

> Quoting Dwight Engen (dwight.engen at oracle.com):
> > Hi,
> > 
> > I tried to put lxc.cgroup.memory.kmem.limit_in_bytes = 4194304 in a
> > config file to test forkbomb prevention. The problem with this is
> > that kmem.limit_in_bytes (per the kernel documentation) "cannot be
> > set if the cgroup have children, or if there are already tasks in
> > the cgroup". Currently, lxc does lxc_cgroup_enter() before doing
> > setup_cgroup() in the lxc_spawn() flow and therefore gets -EBUSY.
> > 
> > Commit 544a48a0 leads me to believe that we don't want to move
> > setup_cgroup() earlier, so I've refactored it to create an
> > additional setup_cgroup_pre_enter() that gets called before
> > lxc_cgroup_enter(). Currently it only writes kmem.limit_in_bytes,
> > if there are other items that need to be setup pre-enter, they
> > could easily be added to the list. This fixes the problem for me. I
> > think we are trying to keep lxc from knowing about specific cgroup
> > control knobs, but I have not thought of another way to do this.
> > Thoughts?
> 
> I think the only problem with configuring cgroups early is that some
> block devices which the container might want to mount could be denied.

Hi Serge, I think by this you mean having lxc mount a block device
into the container that the container won't have a
cgroup.devices.allow line for. So I tried putting a line like:

  lxc.mount.entry = /dev/sda1 mnt none defaults 0 0

in the conf, but this did not work for me even with the current code
(setup_cgroup() after lxc_cgroup_enter(), and more importantly after
the child has done lxc_setup() and done the mounts). The child is
getting "No such device" so I'm confused as to the use case we're trying
to make work. Probably I'm simply doing something wrong here to get it
mounted.

> So perhaps we should do the inverse of what you're doing.  Configure
> all cgroups right before lxc_cgroup_enter(), except for devices
> cgroup, which gets configured after mounts happen?

This is easy to do, but I'd like a test case to try out :)

> -serge
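
The ordering problem discussed above, as an added model that is not part of the thread and not lxc code: a toy in-memory cgroup enforces the kernel rule that kmem.limit_in_bytes is rejected with EBUSY once tasks (or child cgroups) exist, and the two spawn orders (current enter-then-setup versus the proposed setup_cgroup_pre_enter() split) are run against it. The cgroup class, the PRE_ENTER_ONLY set and the sample config are constructed for illustration.

```python
import errno

# Constructed model of the ordering bug from the thread; not lxc code.
# Items the kernel refuses once tasks or children exist (per the
# memory.kmem documentation quoted in the thread). Hypothetical list,
# extend as needed: this is the "list" setup_cgroup_pre_enter() would own.
PRE_ENTER_ONLY = {"memory.kmem.limit_in_bytes"}


class FakeCgroup:
    """Toy cgroup directory that enforces the kmem.limit_in_bytes rule."""

    def __init__(self):
        self.items, self.tasks, self.children = {}, set(), set()

    def write(self, key, value):
        # Kernel behaviour being modelled: -EBUSY if the group is populated.
        if key in PRE_ENTER_ONLY and (self.tasks or self.children):
            raise OSError(errno.EBUSY, "cgroup has tasks or children")
        self.items[key] = value

    def enter(self, pid):
        """Equivalent of writing pid into the cgroup's tasks file."""
        self.tasks.add(pid)


def setup_cgroup(cg, conf, keys):
    """Write the subset of lxc.cgroup.* items named in keys."""
    for key in keys:
        cg.write(key, conf[key])


def spawn_current(cg, conf, pid=1234):
    """Current lxc_spawn() order: lxc_cgroup_enter(), then setup_cgroup()."""
    cg.enter(pid)
    setup_cgroup(cg, conf, list(conf))
    return cg.items


def spawn_pre_enter(cg, conf, pid=1234):
    """Proposed order: setup_cgroup_pre_enter() before lxc_cgroup_enter()."""
    pre = [k for k in conf if k in PRE_ENTER_ONLY]
    post = [k for k in conf if k not in PRE_ENTER_ONLY]
    setup_cgroup(cg, conf, pre)   # kmem limit while the cgroup is still empty
    cg.enter(pid)
    setup_cgroup(cg, conf, post)  # everything else after the task is inside
    return cg.items


# Constructed sample config: the 4 MiB kmem limit from the thread plus one
# ordinary item that the kernel accepts at any time.
CONF = {"memory.kmem.limit_in_bytes": "4194304",
        "memory.limit_in_bytes": "268435456"}


def current_order_result():
    """Return the errno name the current order hits, or 'ok' if none."""
    try:
        spawn_current(FakeCgroup(), CONF)
        return "ok"
    except OSError as e:
        return errno.errorcode[e.errno]
```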
