[lxc-users] using cgroups
rob e
redgerhoo at yahoo.com.au
Sat Jul 2 03:24:44 UTC 2016
On 02/07/16 12:41, Serge E. Hallyn wrote:
> Quoting rob e (redgerhoo at yahoo.com.au):
>> On 02/07/16 12:14, Serge E. Hallyn wrote:
>>>> hi Serge,
>>>> with JUST those clauses (and no cgroup set clauses) ... it sort of
>>>> works. Initial messages are cleared from the console(?) leaving just
>>>> the shutdown messages. But it does get to a login prompt
>>> D'oh. Thanks for your patience. I see the bug. I'll post a
>>> PR for a fix. I'm surprised so few people run into this. But
>>> as a workaround just add ",devices" to the end of the pam_cgfs
>>> line in /etc/pam.d/common-session.
>>>
>> sorry about this ... didn't work. Tried 2 forms of Pam clause & 2
>> forms of config
>>
>> ------------------------------------------------------
>> PAM line
>> session optional pam_cgfs.so -c freezer,memory,name=systemd,cpuset,devices
> Just to make sure, did you log back in after this? What does /proc/self/cgroup
> look like?
>
>
hmmm ... Now I tried the TAP TUN device (for openvpn & proxy server)
.... FAILED .. on CPUSET
------------------------------------------------------------------------
Config
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: -d ubuntu -r trusty -a amd64
# For additional config options, please look at lxc.container.conf(5)
# Distribution configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64
# Container specific configuration
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.rootfs = /mnt/lxc_images/containers/trusty_unp_ibvpn/rootfs
lxc.utsname = trusty_unp_ibvpn
# Network configuration
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxcbr0
lxc.network.hwaddr = 00:16:3e:2e:b3:54
#
## Allow Tap / Tun Devices ----- Cause problems in Xenial
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.pts = 1024
lxc.kmsg = 0
## Set resource limits
lxc.cgroup.cpuset.cpus = 1-3
lxc.cgroup.cpu.shares = 256
lxc.cgroup.memory.limit_in_bytes = 4G
lxc.cgroup.blkio.weight = 500
------------------------------------------------------------------------
$ lxc-start -n trusty_unp_ibvpn -F -o lxc_test_taptun__160702a.log -l debug
lxc-start: cgfsng.c: cgfsng_setup_limits: 1662 No such file or directory - Error setting cpuset.cpus to 1-3 for trusty_unp_ibvpn
lxc-start: start.c: lxc_spawn: 1180 failed to setup the cgroup limits for 'trusty_unp_ibvpn'
lxc-start: start.c: __lxc_start: 1353 failed to spawn 'trusty_unp_ibvpn'
lxc-start: lxc_start.c: main: 344 The container failed to start.
lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.
logfile attached
------------------------------------------------------------------------
So then I added back the CPUSET clause to PAM, logged out, back in and
tried again with my test container ...
session optional pam_cgfs.so -c freezer,memory,name=systemd,cpuset,devices
------------------------------------------------------------------------
Config
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: -d ubuntu -r trusty -a amd64
# For additional config options, please look at lxc.container.conf(5)
# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)
# Distribution configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64
# Container specific configuration
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.rootfs = /mnt/lxc_images/containers/xenial_test_01/rootfs
lxc.rootfs.backend = dir
lxc.utsname = xenial_test_01
# Network configuration
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:19:3c:15
## Set resource limits ----- Cause problems in Xenial
lxc.cgroup.cpuset.cpus = 1-3
lxc.cgroup.cpu.shares = 256
lxc.cgroup.memory.limit_in_bytes = 4G
lxc.cgroup.blkio.weight = 500
------------------------------------------------------------------------
$ lxc-start -n xenial_test_01 -F -o lxc_test_cpu_160702a.log -l debug
lxc-start: cgfsng.c: cgfsng_setup_limits: 1662 No such file or directory - Error setting cpu.shares to 256 for xenial_test_01
lxc-start: start.c: lxc_spawn: 1180 failed to setup the cgroup limits for 'xenial_test_01'
lxc-start: start.c: __lxc_start: 1353 failed to spawn 'xenial_test_01'
lxc-start: lxc_start.c: main: 344 The container failed to start.
lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.
Log attached
------------------------------------------------------------------------
So, Memory constraint worked after adding "Devices" ... but CPU didn't.
Not sure about access to devices .....
Sorry about this ...
R
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lxc_test_taptun_cpu_160702a.zip
Type: application/zip
Size: 2800 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20160702/5de2e54f/attachment.zip>
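
Added example, not part of the original message and not LXC or lxcfs code: a check that lists which lxc.cgroup.* settings in a container config name a controller missing from the pam_cgfs.so -c list. It assumes an unprivileged container can only set limits for controllers on that list; the function names and the sample inputs (shaped like the PAM line and config in this thread) are constructed for illustration.

```python
import re

# Constructed inputs, shaped like the PAM line and config in the message above.
PAM_LINE = "session optional pam_cgfs.so -c freezer,memory,name=systemd,cpuset,devices"
LXC_CONFIG = """\
# Container specific configuration
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.cgroup.cpuset.cpus = 1-3
lxc.cgroup.cpu.shares = 256
lxc.cgroup.memory.limit_in_bytes = 4G
lxc.cgroup.blkio.weight = 500
"""

def pam_controllers(pam_line):
    """Controllers listed after '-c' on a pam_cgfs.so session line."""
    fields = pam_line.split()
    if "pam_cgfs.so" not in fields or "-c" not in fields:
        return set()
    idx = fields.index("-c") + 1
    if idx >= len(fields):
        return set()
    return {name for name in fields[idx].split(",") if name}

def config_controllers(config_text):
    """Map each controller to the lxc.cgroup.* settings that use it."""
    found = {}
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"lxc\.cgroup\.([A-Za-z_]+)\.(\S+?)\s*=", line)
        if m:
            found.setdefault(m.group(1), []).append(m.group(1) + "." + m.group(2))
    return found

def undelegated_limits(pam_line, config_text):
    """Settings whose controller is absent from the pam_cgfs list.

    Assumption: a limit can only be written for a listed controller.
    """
    listed = pam_controllers(pam_line)
    return {c: keys for c, keys in config_controllers(config_text).items()
            if c not in listed}

if __name__ == "__main__":
    for ctrl, keys in sorted(undelegated_limits(PAM_LINE, LXC_CONFIG).items()):
        print(f"{ctrl}: not on pam_cgfs line, config sets {', '.join(keys)}")
```

For the sample inputs it reports cpu (cpu.shares) and blkio (blkio.weight), the first of which is the setting named in the second error above.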