[lxc-users] changing cgroup limits from inside the container

Fajar A. Nugraha list at fajar.net
Thu Sep 10 03:20:21 UTC 2015


On Wed, Sep 9, 2015 at 10:32 PM, tapczan <tapczan at unx.pl> wrote:
> Increasing memory limit from inside the container:
>
> # echo 32212254720 > /sys/fs/cgroup/memory/lxc/dev-c10/memory.memsw.limit_in_bytes
> # cat /sys/fs/cgroup/memory/lxc/dev-c10/memory.memsw.limit_in_bytes
> 32212254720
>
> So I can modify memory limit from inside the container.
>
> What's interesting is that I can also modify those values via cgmanager:
>
> # cgm getvalue memory '/lxc/dev-c10' memory.memsw.limit_in_bytes
> method return sender=(null sender) -> dest=(null destination) reply_serial=1
>    string "32212254720"
>
> # cgm setvalue memory '/lxc/dev-c10' memory.memsw.limit_in_bytes 3221225472
> method return sender=(null sender) -> dest=(null destination) reply_serial=1
>
> # cgm getvalue memory '/lxc/dev-c10' memory.memsw.limit_in_bytes
> method return sender=(null sender) -> dest=(null destination) reply_serial=1
>    string "3221225472"
>
> I've tried a couple of different lxc versions like: 1.07, 1.12, 1.13
> with the same result.
>
> The question is how to prevent changing values like memory limits from
> inside the container?


I think this is one of the consequences of a privileged container.
Unprivileged containers correctly prevent that. From inside the
container (I use memory.soft_limit_in_bytes as an example because my
kernel doesn't have memsw.limit_in_bytes):

root@trusty:/# cat /proc/self/cgroup
12:name=systemd:/user/1000.user/193.session/lxc/trusty
11:perf_event:/user/1000.user/193.session/lxc/trusty
10:net_prio:/user/1000.user/193.session/lxc/trusty
9:net_cls:/user/1000.user/193.session/lxc/trusty
8:memory:/user/1000.user/193.session/lxc/trusty
7:hugetlb:/user/1000.user/193.session/lxc/trusty
6:freezer:/user/1000.user/193.session/lxc/trusty
5:devices:/user/1000.user/193.session/lxc/trusty
4:cpuset:/user/1000.user/193.session/lxc/trusty
3:cpuacct:/user/1000.user/193.session/lxc/trusty
2:cpu:/user/1000.user/193.session/lxc/trusty
1:blkio:/user/1000.user/193.session/lxc/trusty

root@trusty:/# cgm getvalue memory . memory.soft_limit_in_bytes
1073741824

root@trusty:/# cgm setvalue memory . memory.soft_limit_in_bytes 2147483648
call to cgmanager_set_value_sync failed: invalid request

This is with lxc-1.1.3, cgmanager 0.37

-- 
Fajar
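
The privileged/unprivileged distinction in the reply above, as an added example that is not part of the original post: a shell check that reads `/proc/<pid>/uid_map` and `/proc/<pid>/cgroup` text to report whether container root maps to real root and which memory cgroup it sits in. The function names and sample inputs are constructed for illustration; only the two cgroup paths are taken from the thread.

```shell
#!/bin/sh
# Added example. All sample inputs below are constructed, not captured output.

# Print the parent-namespace uid that container uid 0 maps to.
# Reads /proc/<pid>/uid_map text on stdin: <inside-start> <outside-start> <length>
uid0_parent_id() {
    awk 'NF >= 3 && $1 == 0 { print $2; exit }'
}

# Print the cgroup v1 memory controller path from /proc/<pid>/cgroup text on stdin.
# Handles co-mounted controllers ("cpu,cpuacct") and paths that contain ':'.
memory_cgroup_path() {
    awk -F: '{
        n = split($2, ctl, ",")
        for (i = 1; i <= n; i++) if (ctl[i] == "memory") {
            sub(/^[^:]*:[^:]*:/, ""); print; exit
        }
    }'
}

# classify UID_MAP_TEXT CGROUP_TEXT -> "<verdict> uid0->ID memory=<path>"
classify() {
    parent_uid=$(printf '%s\n' "$1" | uid0_parent_id)
    mem_path=$(printf '%s\n' "$2" | memory_cgroup_path)
    case "$parent_uid" in
        0)  verdict=privileged ;;      # container root is real root
        '') verdict=no-root-mapping ;; # uid 0 is not mapped at all
        *)  verdict=unprivileged ;;    # root is an ordinary uid outside
    esac
    printf '%s uid0->%s memory=%s\n' "$verdict" "${parent_uid:-none}" "${mem_path:-unknown}"
}

# Constructed samples: identity map (no user namespace) vs. a subuid range.
PRIV_MAP='         0          0 4294967295'
UNPRIV_MAP='         0     100000      65536'
PRIV_CGROUP='5:cpu,cpuacct:/lxc/dev-c10
4:memory:/lxc/dev-c10'
UNPRIV_CGROUP='12:name=systemd:/user/1000.user/193.session/lxc/trusty
8:memory:/user/1000.user/193.session/lxc/trusty'

classify "$PRIV_MAP" "$PRIV_CGROUP"
classify "$UNPRIV_MAP" "$UNPRIV_CGROUP"
# On a live system: classify "$(cat /proc/self/uid_map)" "$(cat /proc/self/cgroup)"
```

A "privileged" verdict means the limits are only as strong as whatever else confines root in that container, which is the situation the original question describes.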

