Hi, I need to limit the network bandwidth available to each LXC container using cgroup's net_cls.classid feature. Each LXC container would have its own classid value in such a way that all packets from containers would be tagged with the classid and afterwards classified in the correct host configured traffic class where the bandwidth limit applies.

To achieve this, I followed these steps:

1. Configure traffic control:

    # tc qdisc del dev eno54 root
    # tc qdisc add dev eno54 root handle 10: htb
    # tc class add dev eno54 parent 10: classid 10:1 htb rate 10mbit
    # tc class add dev eno54 parent 10: classid 10:2 htb rate 50mbit
    # tc filter add dev eno54 parent 10: protocol ip handle 1: cgroup

The device eno54 is the physical network interface that connects the host with the network. It's part of the bridge where container virtual network interfaces are added.

    # brctl show br0
    bridge name     bridge id               STP enabled     interfaces
    br0             8000.00163ee2fda2       no              eno54

2. Set the classid value in container config file.

lxctest1 container config file has:

    lxc.cgroup.net_cls.classid = 0x00100001

lxctest2 container config file has:

    lxc.cgroup.net_cls.classid = 0x00100002

3. Start both containers. Check that classid is correct and that they belong to the bridge.

    # lxc-start -n lxctest1
    # lxc-start -n lxctest2
    # cat /sys/fs/cgroup/net_cls/lxc/lxctest1/net_cls.classid
    1048577
    # cat /sys/fs/cgroup/net_cls/lxc/lxctest2/net_cls.classid
    1048578
    # brctl show br0
    bridge name     bridge id               STP enabled     interfaces
    br0             8000.00163ee2fda2       no              eno54
                                                            veth0-lxctest1
                                                            veth0-lxctest2

4. Start iperf in both containers.

Expected behaviour: iperf running on container lxctest1 being limited to 10 Mbps and iperf running on lxctest2 container being limited to 50 Mbps.

What I get: both iperf running unconstrained at maximum speed.

5. I took the iperf process running on lxctest1 container and checked that it was in the tasks of the cgroup:

    # pstree -c -p 37108
    lxc-start(37108)───systemd(37118)─┬─agetty(37167)
                                      ├─agetty(37168)
                                      ├─dbus-daemon(37157)
                                      ├─rsyslogd(37156)─┬─{rsyslogd}(37161)
                                      │                 └─{rsyslogd}(37162)
                                      ├─sshd(37336)───sshd(41156)───bash(41167)───iperf3(41523)
                                      ├─systemd-journal(37131)
                                      └─systemd-logind(37153)
    # cat /sys/fs/cgroup/net_cls/lxc/lxctest1/tasks
    37118
    37131
    37153
    37156
    37157
    37161
    37162
    37167
    37168
    37336
    39618
    41156
    41167
    41523
    # cat /proc/41523/cgroup
    10:memory:/lxc/lxctest1
    9:hugetlb:/lxc/lxctest1
    8:perf_event:/lxc/lxctest1
    7:cpuset:/lxc/lxctest1
    6:devices:/lxc/lxctest1
    5:net_cls,net_prio:/lxc/lxctest1
    4:blkio:/lxc/lxctest1
    3:cpu,cpuacct:/lxc/lxctest1
    2:freezer:/lxc/lxctest1
    1:name=systemd:/user.slice/user-0.slice/session-1288.scope/user.slice/user-0.slice/session-1288.scope

6. I don't know how to check that packets going out the container are actually being tagged with the classid value, but the reality is that packets are not filtered according to this value on the host and are not going to the correct class, where bandwidth limit is applied.

7. I'm using Oracle Linux 7 and the standard lxc package delivered in this distribution. Versions:

    # uname -a
    Linux exapru-aa.dit.aeat 4.1.12-112.14.15.el7uek.x86_64 #2 SMP Thu Feb 8 09:58:19 PST 2018 x86_64 x86_64 x86_64 GNU/Linux
    # cat /etc/oracle-release
    Oracle Linux Server release 7.4
    # yum info lxc
    Loaded plugins: ulninfo
    Installed Packages
    Name        : lxc
    Arch        : x86_64
    Version     : 1.1.5
    Release     : 2.0.9.el7
    Size        : 725 k
    Repo        : installed
    From repo   : ol7_latest
    Summary     : Linux Containers userspace tools
    URL         : http://linuxcontainers.org
    License     : LGPLv2+
    Description : Containers are insulated areas inside a system, which have their own namespace
                : for filesystem, network, PID, IPC, CPU and memory allocation and which can be
                : created using the Control Group and Namespace features included in the Linux
                : kernel.
                :
                : This package provides the lxc-* tools, which can be used to start a single
                : daemon in a container, or to boot an entire "containerized" system, and to
                : manage and debug your containers.

8. What is wrong here? Anything wrong with this LXC version? Anything wrong with the setup?

Thanks!

-- 
Angel Lopez
http://futur3.com/
... the geeks shall inherit the Earth
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
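
Added example, not part of the original post: a shell helper that converts the net_cls.classid values from steps 2 and 3 into tc class handles and reads each class's byte counter from `tc -s class show` output, which is one way to see whether a container's traffic reaches its class. The function names, the tc statistics text and the lxctest3 entry are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post); all names here are illustrative.

# Convert a classid, decimal as read from net_cls.classid or 0xAAAABBBB as in
# the container config, to the tc handle "major:minor" (both parts in hex).
classid_to_handle() {
    case "$1" in
        0[xX]*) case "${1#0[xX]}" in ''|*[!0-9a-fA-F]*) return 1 ;; esac ;;
        ''|*[!0-9]*|0?*) return 1 ;;   # reject empty, junk and octal-looking input
    esac
    id=$(($1))
    [ "$id" -gt 0 ] && [ "$id" -le 4294967295 ] || return 1
    printf '%x:%x\n' $((id >> 16)) $((id & 65535))
}

# Read `tc -s class show dev DEV` text on stdin and print the "Sent" byte
# counter of class handle $1; exit status 1 if that class is not configured.
class_bytes() {
    awk -v h="$1" '
        $1 == "class" { cur = $3 }
        $1 == "Sent" && cur == h { print $2; found = 1 }
        END { exit !found }'
}

# For each "container classid" line on stdin, print the matching tc class and
# its byte counter, using the tc statistics text passed as $1.
report() {
    while read -r name cid; do
        handle=$(classid_to_handle "$cid") || { echo "$name bad-classid"; continue; }
        if bytes=$(printf '%s\n' "$1" | class_bytes "$handle"); then
            echo "$name $handle $bytes"
        else
            echo "$name $handle no-such-class"
        fi
    done
}

# Constructed sample in the shape of `tc -s class show dev eno54` output for
# the two classes from step 1; the counters are made up.
SAMPLE_TC='class htb 10:1 root prio 0 rate 10Mbit ceil 10Mbit burst 1600b cburst 1600b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
class htb 10:2 root prio 0 rate 50Mbit ceil 50Mbit burst 1600b cburst 1600b
 Sent 1514 bytes 1 pkt (dropped 0, overlimits 0 requeues 0)'

# lxctest3 is a hypothetical container whose classid has no tc class.
printf 'lxctest1 1048577\nlxctest2 0x00100002\nlxctest3 0x00100003\n' |
    report "$SAMPLE_TC"
```

On a live host, pass the real text with `report "$(tc -s class show dev eno54)"`. A counter that does not grow while iperf runs means that container's traffic is not being steered into the class.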