[lxc-users] processes escaped from memory cgroup in container, but CPU group is OK
Michael R. Hines
mrhines at linux.vnet.ibm.com
Mon Nov 24 05:30:14 UTC 2014
On 11/22/2014 06:10 AM, Fajar A. Nugraha wrote:
> On Fri, Nov 21, 2014 at 2:45 PM, Michael R. Hines
> <mrhines at linux.vnet.ibm.com <mailto:mrhines at linux.vnet.ibm.com>> wrote:
>
> Hi All,
>
> I am using LXC 1.0.5, and I have container running Redhat 7.0 on a
> Power7 processor. My host kernel version is 3.10.42.
>
> The cgroup for this container located at /cgroup/cpu works very
> well - I can manually echo
> different shares and control resource usage as expected.
>
> But, to my surprise, I set the "memory.limit_in_bytes" option of
> the container in /cgroup/memory/lxc/../container/memory.limit
> to a low number (like 2G in bytes), and the container was still
> able to consume all the memory in the system.
>
> So, digging deeper I printed the output of "cgroup.procs" and
> found that *only* systemd inside the container
> was properly joined into the group, whereas all the other child
> processes of the container were missing.
>
>
>
> How did you create the RH7 container?
>
Thank you for your response: I directly copied it from KVM..... was that
a bad idea?
> From my past experience with fedora templates, systemd on the
> container tried to create its own cgroup, OUTSIDE of the normal
> container cgroup path. I suspect in your case it works (as in,
> container started) because there's nothing limiting the container from
> mounting cgroupfs and creating its own cgroup. That wouldn't have
> worked on an Ubuntu host with default apparmor settings active.
>
Wow. Ok. So, I need to setup apparmor correctly on host-side of RH?
> I ended up using the default apparmor profile (to keep it secure), but
> manually creating and bind-mount the cgroups that systemd needs. See
> https://lists.linuxcontainers.org/pipermail/lxc-users/2014-May/007069.html
> , search "snippet"
>
Excellent - I will give that a try.....
- Michael
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20141124/79810797/attachment.html>
More information about the lxc-users
mailing list