[lxc-users] processes escaped from memory cgroup in container, but CPU group is OK

[Fajar A. Nugraha]

On Fri, Nov 21, 2014 at 2:45 PM, Michael R. Hines <
mrhines at linux.vnet.ibm.com> wrote:

> Hi All,
>
> I am using LXC 1.0.5, and I have container running Redhat 7.0 on a Power7
> processor. My host kernel version is 3.10.42.
>
> The cgroup for this container located at /cgroup/cpu works very well - I
> can manually echo
> different shares and control resource usage as expected.
>
> But, to my surprise, I set the "memory.limit_in_bytes" option of the
> container in /cgroup/memory/lxc/../container/memory.limit
> to a low number (like 2G in bytes), and the container was still able to
> consume all the memory in the system.
>
> So, digging deeper I printed the output of "cgroup.procs" and found that
> *only* systemd inside the container
> was properly joined into the group, whereas all the other child processes
> of the container were missing.
>
>

How did you create the RH7 container?

>From my past experience with fedora templates, systemd on the container
tried to create its own cgroup, OUTSIDE of the normal container cgroup
path. I suspect in your case it works (as in, container started) because
there's nothing limiting the container from mounting cgroupfs and creating
its own cgroup. That wouldn't have worked on an Ubuntu host with default
apparmor settings active.

I ended up using the default apparmor profile (to keep it secure), but
manually creating and bind-mount the cgroups that systemd needs. See
https://lists.linuxcontainers.org/pipermail/lxc-users/2014-May/007069.html
, search "snippet"

-- 
Fajar
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20141122/de531077/attachment.html>