[lxc-users] User input on resource limits for containers

benaryorg binary at benary.org
Mon Aug 24 15:54:27 UTC 2015


I am currently restructuring a monolithic server to use containers and
therefore want everything to be secure and working as one piece.

>  - Are you using resource limits with LXC?

Yes I do. In general on my private boxes I try to limit everything rough
enough to not restrict the containers but not to be able to have two
containers (or the host) fighting for the resources.

>  - What kind of resource limits are you setting (cpu, memory, I/O, ...)?

I set the memory limit in most cases but would not bother to also set
the CPU limit if it was made a bit easier (compared to the current lxc
variables for that).

I sometimes set the cpu-cores to "everything but the first" so that the
host system has at least one core to operate on.


>  - Are you updating the resource limits of running containers?

Only when setting up and experimenting for the ideal setup.

>  - Are you reading the current resource usage of your containers?

If one or more containers do not have enough resources then, of course,
I want to know which container stole it, but that is rarely a problem.

>  - Are you using resource limits only to prevent containers from using
>    all the host resources or as a way to provide different tiers of
>    containers, some faster than others?

I want my containers to be limited to what they should do.

My database has less cpu than the webserver (which serves dynamic pages)
but more RAM.

The host system gets its own bit of emergency memory and a core.

>  - Would percentage based limits (percentage of the host resources) be
>    useful to you?

Definitely.

One could then limit 9 containers to 10% of cpu/ram each and cover the
host system with the remainder.

This would only apply to static containers though.

>  - Are you using the cpuset controller only as a way to limit the
>    number of CPUs exposed to the container or is pinning to specific
>    physical CPUs actually important to you?

I only use it to limit the cpus.

>
>  - Would you be interested in being able to limit network IOps and
>    bandwidth for a container?

That would also be useful in the case of a DDoS or a bug that makes a
process overload everything.

The other containers would still function, making it easier to find the
problem.

>  - Is the split between memory, swap and kernel memory useful to you?

Not for me, but I can imagine making use of that and the swappiness in
the future.

>  - Would you like a way to prevent overprovisioning, causing container
>    failure if the stated resource limits exceed what's available on the
>    host?

The only resource this applies to would be memory or disk space (correct
me if I am wrong).

I would handle both of those myself.
The memory by providing enough swap and the disk by having partitions
for each container.

