[lxc-users] changing cgroup limits from inside the container
Serge Hallyn
serge.hallyn at ubuntu.com
Thu Sep 10 22:50:07 UTC 2015
Quoting Fajar A. Nugraha (list at fajar.net):
> On Wed, Sep 9, 2015 at 10:32 PM, tapczan <tapczan at unx.pl> wrote:
> > Increasing memory limit from inside the container:
> >
> > # echo 32212254720 >
> > /sys/fs/cgroup/memory/lxc/dev-c10/memory.memsw.limit_in_bytes
> > # cat /sys/fs/cgroup/memory/lxc/dev-c10/memory.memsw.limit_in_bytes
> > 32212254720
> >
> > So I can modify memory limit from inside the container.
> >
> > What's interesting I can also modify those values via cgmanager:
> >
> > # cgm getvalue memory '/lxc/dev-c10' memory.memsw.limit_in_bytes
> > method return sender=(null sender) -> dest=(null destination) reply_serial=1
> > string "32212254720"
> >
> > # cgm setvalue memory '/lxc/dev-c10' memory.memsw.limit_in_bytes 3221225472
> > method return sender=(null sender) -> dest=(null destination) reply_serial=1
> >
> > # cgm getvalue memory '/lxc/dev-c10' memory.memsw.limit_in_bytes
> > method return sender=(null sender) -> dest=(null destination) reply_serial=1
> > string "3221225472"
>
>
> >
> > I've tried a couple of different lxc versions like: 1.07, 1.12, 1.13
> > with the same result.
> >
> > The question is how to prevent changing values like memory limits from
> > inside the container?
>
>
> I think this is one of the consequences of privileged container.
> unprivileged containers correctly prevents that. From inside the
> container (I use memory.soft_limit_in_bytes as an example because my
> kernel doesn't have memsw.limit_in_bytes):
>
> root at trusty:/# cat /proc/self/cgroup
> 12:name=systemd:/user/1000.user/193.session/lxc/trusty
> 11:perf_event:/user/1000.user/193.session/lxc/trusty
> 10:net_prio:/user/1000.user/193.session/lxc/trusty
> 9:net_cls:/user/1000.user/193.session/lxc/trusty
> 8:memory:/user/1000.user/193.session/lxc/trusty
> 7:hugetlb:/user/1000.user/193.session/lxc/trusty
> 6:freezer:/user/1000.user/193.session/lxc/trusty
> 5:devices:/user/1000.user/193.session/lxc/trusty
> 4:cpuset:/user/1000.user/193.session/lxc/trusty
> 3:cpuacct:/user/1000.user/193.session/lxc/trusty
> 2:cpu:/user/1000.user/193.session/lxc/trusty
> 1:blkio:/user/1000.user/193.session/lxc/trusty
>
> root at trusty:/# cgm getvalue memory . memory.soft_limit_in_bytes
> 1073741824
>
> root at trusty:/# cgm setvalue memory . memory.soft_limit_in_bytes 2147483648
> call to cgmanager_set_value_sync failed: invalid request
>
> This is with lxc-1.1.3, cgmanager 0.37
Right, the way to prevent it would be to exploit the hierarchy. So you
can either set a limit on /lxc, or create /lxc/dev-c10 with the limits
you want and use /lxc/dev-c10/dev-c10.real as the actual container
cgroup. At one point we did that automatically, but it does have a
performance penalty to have an extra cgroup depth.
-serge
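Serge's suggestion above, worked through as an added example that is not part of the thread: put a hard limit on a parent cgroup (here lxc/dev-c10, using the names from tapczan's mail) and run the container in a child cgroup (dev-c10/dev-c10.real). Because cgroup v1 memory accounting is hierarchical (memory.use_hierarchy=1, the default on the kernels in question), the child can write whatever it likes into its own memory.limit_in_bytes, but its usage is still charged against the parent and cannot exceed the parent's cap. The controller mount point /sys/fs/cgroup/memory, the helper names and the fourth-argument interface are assumptions of this script; memory.limit_in_bytes is used instead of memory.memsw.limit_in_bytes because, as Fajar notes, not every kernel has the memsw files, but the same hierarchy argument applies to both. The `effective_memory_limit` function is the host-side check: it walks from the container's cgroup up to the controller root and reports the smallest limit on the path, i.e. the cap that really applies regardless of what was written from inside.

```shell
#!/bin/sh
# Added example, not code from the lxc-users thread.
# Cap a privileged container's memory via a parent cgroup (cgroup v1).
# Assumed layout: <mount>/lxc/dev-c10 (capped parent) and
#                 <mount>/lxc/dev-c10/dev-c10.real (the container's own cgroup).

# setup_capped_hierarchy MOUNT PARENT CHILD LIMIT_BYTES
# Creates PARENT/CHILD under the memory controller and writes LIMIT_BYTES into
# PARENT. Hierarchical accounting means CHILD can never use more than PARENT
# allows, even if a process inside CHILD raises CHILD's own limit file.
setup_capped_hierarchy() {
    root=$1; parent=$2; child=$3; limit=$4
    mkdir -p "$root/$parent/$child" || return 1
    echo "$limit" > "$root/$parent/memory.limit_in_bytes" || return 1
    # Seed the child with the same value so the container sees the intended
    # number; on a real cgroupfs this file already exists after mkdir.
    echo "$limit" > "$root/$parent/$child/memory.limit_in_bytes" || return 1
}

# effective_memory_limit MOUNT CGROUP_PATH
# Walks from CGROUP_PATH up to the controller root and prints the smallest
# memory.limit_in_bytes found. That minimum is the limit that is actually
# enforced, whatever the leaf cgroup's file says. cgroup v1 reports
# "unlimited" as a large number, so a plain numeric comparison is enough.
effective_memory_limit() {
    root=$1; cg=${2#/}; best=""
    while :; do
        f="$root/$cg/memory.limit_in_bytes"
        if [ -r "$f" ]; then
            v=$(cat "$f")
            if [ -z "$best" ] || [ "$v" -lt "$best" ]; then best=$v; fi
        fi
        # Stop once the controller root has been read.
        [ "$cg" = "." ] || [ -z "$cg" ] && break
        cg=$(dirname "$cg")
    done
    echo "$best"
}

# Usage on the host (as root), then start the container with its cgroup
# placed in lxc/dev-c10/dev-c10.real:
#   sh cap.sh /sys/fs/cgroup/memory lxc/dev-c10 dev-c10.real 3221225472
if [ "$#" -eq 4 ]; then
    setup_capped_hierarchy "$@" && effective_memory_limit "$1" "$2/$3"
fi
```

The check is the useful half for operations: run `effective_memory_limit /sys/fs/cgroup/memory <container cgroup>` from the host after the container has been up for a while, and compare the result with the value inside the container's own limit file. If they differ, a process inside raised its leaf limit, which is harmless under the parent cap but worth logging. The extra cgroup level costs a little accounting overhead, which is the performance penalty Serge mentions.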