[lxc-users] changing cgroup limits from inside the container

tapczan tapczan at unx.pl
Wed Sep 9 15:32:04 UTC 2015


Hello

I have a standard LXC container setup: name "dev-c10" with the option
"lxc.mount.auto = cgroup:ro proc:mixed sys:mixed".

Mounts from inside:

# mount
/dev/loop0 on / type ext4 (rw)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
cgroup on /sys/fs/cgroup type tmpfs (rw)
none on /sys/fs/fuse/connections type fusectl (rw)
none on /sys/kernel/debug type debugfs (rw)
none on /sys/kernel/security type securityfs (rw)
none on /dev type tmpfs (rw,mode=0755)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
none on /sys/fs/pstore type pstore (rw)
proc on /proc/sys/net type proc (rw,noexec,nosuid,nodev,relatime)
proc on /proc/sys type proc (rw,noexec,nosuid,nodev,relatime)
proc on /proc/sysrq-trigger type proc (rw,noexec,nosuid,nodev,relatime)
sysfs on /sys/devices/virtual/net type sysfs (rw,relatime)
none on /sys/fs/cgroup/cgmanager type tmpfs (rw,relatime,size=4k,mode=755)
devpts on /dev/lxc/console type devpts (rw,noexec,nosuid,relatime,gid=5,mode=620,ptmxmode=000)
devpts on /dev/lxc/tty1 type devpts (rw,relatime,gid=5,mode=620,ptmxmode=666)
devpts on /dev/lxc/tty2 type devpts (rw,relatime,gid=5,mode=620,ptmxmode=666)
devpts on /dev/lxc/tty3 type devpts (rw,relatime,gid=5,mode=620,ptmxmode=666)
devpts on /dev/lxc/tty4 type devpts (rw,relatime,gid=5,mode=620,ptmxmode=666)
none on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
none on /run/shm type tmpfs (rw,nosuid,nodev)
none on /run/user type tmpfs (rw,noexec,nosuid,nodev,size=104857600,mode=0755)

Limit 3G memory for the container:

# cat /sys/fs/cgroup/memory/lxc/dev-c10/memory.memsw.limit_in_bytes
3221225472

Increasing memory limit from inside the container:

# echo 32212254720 > /sys/fs/cgroup/memory/lxc/dev-c10/memory.memsw.limit_in_bytes
# cat /sys/fs/cgroup/memory/lxc/dev-c10/memory.memsw.limit_in_bytes
32212254720

So I can modify the memory limit from inside the container.

What's interesting is that I can also modify those values via cgmanager:

# cgm getvalue memory '/lxc/dev-c10' memory.memsw.limit_in_bytes
method return sender=(null sender) -> dest=(null destination) reply_serial=1
   string "32212254720"

# cgm setvalue memory '/lxc/dev-c10' memory.memsw.limit_in_bytes 3221225472
method return sender=(null sender) -> dest=(null destination) reply_serial=1

# cgm getvalue memory '/lxc/dev-c10' memory.memsw.limit_in_bytes
method return sender=(null sender) -> dest=(null destination) reply_serial=1
   string "3221225472"

I've tried a couple of different lxc versions like: 1.07, 1.12, 1.13
with the same result.

The question is how to prevent changing values like memory limits from
inside the container?

Thanks!
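
The check below is an added example, not part of the original post: it reads a mount table and reports which cgroup-related mounts carry the "ro" flag that "cgroup:ro" is expected to produce. It goes slightly beyond the post by accepting both "mount" output and /proc/mounts-style lines; the function names and the last sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report whether cgroup mounts
# are read-only, from "mount" output or /proc/mounts-style lines on stdin.
# Assumption: mount points contain no spaces. Mount flags only; changes made
# through cgm (cgmanager) are a separate path and are not covered here.

# Prints "MOUNTPOINT FSTYPE ro|rw" for each cgroup-related mount.
cgroup_mount_modes() {
    awk '
    {
        if ($2 == "on" && $4 == "type") {   # "mount" output format
            mp = $3; fs = $5; opts = $6
            gsub(/[()]/, "", opts)
        } else if (NF >= 4) {               # /proc/mounts format
            mp = $2; fs = $3; opts = $4
        } else next
        if (fs != "cgroup" && mp != "/sys/fs/cgroup" &&
            index(mp, "/sys/fs/cgroup/") != 1) next
        mode = "rw"
        n = split(opts, o, ",")
        for (i = 1; i <= n; i++) if (o[i] == "ro") mode = "ro"
        print mp, fs, mode
    }'
}

# Prints writable cgroup mount points; returns 0 if there are none, else 1.
cgroup_writable_mounts() {
    rw=$(cgroup_mount_modes | awk '$3 == "rw" { print $1 }')
    [ -z "$rw" ] && return 0
    printf '%s\n' "$rw"
    return 1
}

# Sample input: three lines as shown in the post, plus one constructed
# /proc/mounts-style line showing what a read-only hierarchy looks like.
SAMPLE_MOUNTS='proc on /proc type proc (rw,noexec,nosuid,nodev)
cgroup on /sys/fs/cgroup type tmpfs (rw)
none on /sys/fs/cgroup/cgmanager type tmpfs (rw,relatime,size=4k,mode=755)
cgroup /sys/fs/cgroup/memory cgroup ro,nosuid,nodev,noexec,relatime,memory 0 0'

if [ "${1:-}" = "--live" ]; then
    mount | cgroup_writable_mounts      # audit the running system
else
    printf '%s\n' "$SAMPLE_MOUNTS" | cgroup_mount_modes
fi
```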

