[lxc-users] using cgroups

rob e redgerhoo at yahoo.com.au
Sat Jul 2 03:24:44 UTC 2016


On 02/07/16 12:41, Serge E. Hallyn wrote:
> Quoting rob e (redgerhoo at yahoo.com.au):
>> On 02/07/16 12:14, Serge E. Hallyn wrote:
>>>> hi Serge,
>>>> with JUST those clauses (and no cgroup set clauses) ... it sort of
>>>> works. Initial messages are cleared from the console(?) leaving just
>>>> the shutdown messages. But it does get to a login prompt
>>> D'oh.  Thanks for your patience.  I see the bug.  I'll post a
>>> PR for a fix.  I'm surprised so few people run into this.  But
>>> as a workaround just add ",devices" to the end of the pam_cgfs
>>> line in /etc/pam.d/common-session.
>>>
>> sorry about this ... didn't work. Tried 2 forms of Pam clause & 2
>> forms of config
>>
>> ------------------------------------------------------
>> PAM line
>> session optional        pam_cgfs.so -c freezer,memory,name=systemd,cpuset,devices
> Just to make sure, did you log back in after this?  What does /proc/self/cgroup
> look like?
>
>

hmmm ... Now I tried the TAP TUN device (for openvpn & proxy server) 
.... FAILED .. on CPUSET

------------------------------------------------------------------------
Config

# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: -d ubuntu -r trusty -a amd64
# For additional config options, please look at lxc.container.conf(5)

# Distribution configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64

# Container specific configuration
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.rootfs = /mnt/lxc_images/containers/trusty_unp_ibvpn/rootfs
lxc.utsname = trusty_unp_ibvpn

# Network configuration
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxcbr0
lxc.network.hwaddr = 00:16:3e:2e:b3:54
#
## Allow Tap / Tun Devices  ----- Cause problems in Xenial
lxc.cgroup.devices.allow = c 10:200 rwm

lxc.pts = 1024
lxc.kmsg = 0

## Set resource limits
lxc.cgroup.cpuset.cpus = 1-3
lxc.cgroup.cpu.shares = 256
lxc.cgroup.memory.limit_in_bytes = 4G
lxc.cgroup.blkio.weight = 500


------------------------------------------------------------------------
$ lxc-start -n trusty_unp_ibvpn -F -o lxc_test_taptun__160702a.log -l debug
lxc-start: cgfsng.c: cgfsng_setup_limits: 1662 No such file or directory - Error setting cpuset.cpus to 1-3 for trusty_unp_ibvpn
lxc-start: start.c: lxc_spawn: 1180 failed to setup the cgroup limits for 'trusty_unp_ibvpn'
lxc-start: start.c: __lxc_start: 1353 failed to spawn 'trusty_unp_ibvpn'
lxc-start: lxc_start.c: main: 344 The container failed to start.
lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.

logfile attached
------------------------------------------------------------------------

So then I added back the CPUSET clause to PAM, logged out, back in and 
tried again with my test container ...

session optional        pam_cgfs.so -c freezer,memory,name=systemd,cpuset,devices
------------------------------------------------------------------------
Config

# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: -d ubuntu -r trusty -a amd64
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)


# Distribution configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64

# Container specific configuration
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.rootfs = /mnt/lxc_images/containers/xenial_test_01/rootfs
lxc.rootfs.backend = dir
lxc.utsname = xenial_test_01

# Network configuration
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:19:3c:15

## Set resource limits   ----- Cause problems in Xenial
lxc.cgroup.cpuset.cpus = 1-3
lxc.cgroup.cpu.shares = 256
lxc.cgroup.memory.limit_in_bytes = 4G
lxc.cgroup.blkio.weight = 500

------------------------------------------------------------------------
$ lxc-start -n xenial_test_01 -F -o lxc_test_cpu_160702a.log -l debug
lxc-start: cgfsng.c: cgfsng_setup_limits: 1662 No such file or directory - Error setting cpu.shares to 256 for xenial_test_01
lxc-start: start.c: lxc_spawn: 1180 failed to setup the cgroup limits for 'xenial_test_01'
lxc-start: start.c: __lxc_start: 1353 failed to spawn 'xenial_test_01'
lxc-start: lxc_start.c: main: 344 The container failed to start.
lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.

Log attached
------------------------------------------------------------------------

So, Memory constraint worked after adding "Devices" ... but CPU didn't. 
Not sure about access to devices .....

Sorry about this ...

R
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lxc_test_taptun_cpu_160702a.zip
Type: application/zip
Size: 2800 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20160702/5de2e54f/attachment.zip>
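
Added example, not part of the original message and not LXC's own code: a static check that lists the cgroup controllers an LXC config sets limits on (its lxc.cgroup.<controller>.* keys) but that the pam_cgfs -c list does not name. It assumes an unprivileged lxc-start can only write limits for controllers named in that list; the function names and the sample files (built from the limits and PAM line quoted in the message above) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: an unprivileged user can
# set limits only for controllers named in the pam_cgfs "-c" list.

# Controllers referenced by lxc.cgroup.<controller>.<file> keys (comments skipped).
config_controllers() {
    sed -n 's/^[[:space:]]*lxc\.cgroup\.\([a-z_]\{1,\}\)\..*/\1/p' "$1" | sort -u
}

# Controllers listed after "pam_cgfs.so -c" in a PAM session file.
pam_controllers() {
    sed -n 's/^[^#]*pam_cgfs\.so[[:space:]]\{1,\}-c[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$1" |
        tr ',' '\n' | sort -u
}

# Print controllers the config needs but the PAM line does not name.
# $1 = container config, $2 = PAM file (e.g. /etc/pam.d/common-session)
missing_controllers() {
    allowed=$(pam_controllers "$2")
    for c in $(config_controllers "$1"); do
        printf '%s\n' "$allowed" | grep -qxF "$c" || printf '%s\n' "$c"
    done
}

# Constructed sample files, using the limits and PAM line quoted in this message.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/config" <<'EOF'
## Set resource limits
lxc.cgroup.cpuset.cpus = 1-3
lxc.cgroup.cpu.shares = 256
lxc.cgroup.memory.limit_in_bytes = 4G
lxc.cgroup.blkio.weight = 500
EOF
    cat > "$d/common-session" <<'EOF'
session optional        pam_cgfs.so -c freezer,memory,name=systemd,cpuset,devices
EOF
    missing_controllers "$d/config" "$d/common-session"
    rm -rf "$d"
}

# Stand-alone use: sh check.sh <container config> <pam file>
if [ "$#" -eq 2 ]; then missing_controllers "$1" "$2"; fi
```

On the sample files, demo prints blkio and cpu, the two controllers the config uses that are absent from the -c list; cpu is the controller named in the cpu.shares error above.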

