[lxc-users] Disappearing cgroups

Serge E. Hallyn serge at hallyn.com
Tue Oct 8 15:52:34 UTC 2019 

On Tue, Oct 08, 2019 at 03:41:42PM +0100, Ben Green wrote:
> Quoting "Serge E. Hallyn" <serge at hallyn.com>:
> 
> > BTW, much as I'd like to get to the bottom of this, let's get you up
> > and running first.  I'd suggest you create a systemd service which starts
> > at boot which creates and configures cgroups called
> > /sys/fs/cgroup/*/forcontainers
> > and chowns them to your userid.  Then for convenience a
> > enter-container-cgroups
> > script which just does echo $$ > /sys/fs/cgroup/*/forcontainers/tasks.  Then
> > just run enter-container-cgroups before you lxc-start -n containerX
> 
> 
> OK so if I understand correctly, I've ended up with 2 scripts:
> 
> 1.
> 
>  /usr/local/sbin/lxccgroup-add-dirs
> 
> which looks like this:
> 
>  #!/bin/bash
>  for i in $(find /sys/fs/cgroup/ -maxdepth 1 -mindepth 1 -type d); do mkdir
> -p $i/forcontainers ; echo $i/forcontainers ; chown -R lxcadmin:lxcadmin
> $i/forcontainers ; done

Actually you probably only want to chown the tasks and cgroup.procs files
to lxcadmin:, as otherwise the containers can raise their limits.

> I've make the chown recursive, so everything under there is owned by
> lxcadmin. This is run on boot.

Yeah, just from a .service file that has target multi-user.target.

> 2.
> 
>  /usr/local/bin/lxccgroup-enter-container-cgroups
> 
> which looks like this:
> 
>  #!/bin/bash
>  for i in $(find /sys/fs/cgroup/ -maxdepth 1 -mindepth 1 -type d | grep -v
> unified); do echo $PPID > $i/forcontainers/tasks ; done
> 
> I've used $PPID rather than $$ here as it's parent script (i.e. the bash
> shell I'm currently running in) which I've assumed you want moving in to the
> cgroups. I've also excluded 'unified' as it doesn't contain a 'tasks' file.
> I run this before I start a container as user 'lxcadmin'.

Yes, and it shouldn't have to run with any privilege.

> Let me know if I've got this right. Now on starting the guests I have:
> 
> /sys/fs/cgroup/memory/forcontainers/lxc.payload/ex386-jessie
> 
> Which is good in itself as it feels like I have some control now. I'll have
> to rewrite my cgroups checking script now to take note of these new
> locations.

More information about the lxc-users mailing list