Re: [lxc-users] Limit network bandwidth to LXC containers

2018-03-14 Thread Fajar A. Nugraha
On Thu, Mar 15, 2018 at 3:06 AM, Angel Lopez wrote:
> Hi,
>
> I need to limit the network bandwidth available to each LXC container using
> cgroup's net_cls.classid feature. Each LXC container would have its own
> classid value in such a way that all packets from containers would be tagged
> with the classid and afterwards classified in the correct host configured
> traffic class where the bandwidth limit applies.
>
> To achieve this, I followed these steps:
>
> 1. Configure traffic control:
>
> # tc qdisc del dev eno54 root

Asking the obvious, have you used tc (directly, not via wrapper) in
another setup (e.g. VMs, physical server) where it successfully works
as expected?



> Expected behaviour: iperf running on container lxctest1 being limited to 10
> Mbps and iperf running on lxctest2 container being limited to 50 Mbps.
> What I get: both iperf running unconstrained at maximum speed.


What I've tested, and what works, is using fireqos
(https://github.com/firehol/firehol/wiki/FireQOS-Tutorial). One of the
things that might make it different compared to using tc directly is
the presence of ifb interfaces.

Be careful with 'upload' and 'download', it might be reversed in your setup.

In my case I use IPs to limit BW. In your case it might be easier to
use persistent veth names on host side instead (or, as the wiki
mentioned, iptables' classify and mark targets).

-- 
Fajar
___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users

[lxc-users] Limit network bandwidth to LXC containers

2018-03-14 Thread Angel Lopez
Hi,

I need to limit the network bandwidth available to each LXC container using
cgroup's net_cls.classid feature. Each LXC container would have its own
classid value in such a way that all packets from containers would be
tagged with the classid and afterwards classified in the correct host
configured traffic class where the bandwidth limit applies.

To achieve this, I followed these steps:

1. Configure traffic control:

# tc qdisc del dev eno54 root
# tc qdisc add dev eno54 root handle 10: htb
# tc class add dev eno54 parent 10: classid 10:1 htb rate 10mbit
# tc class add dev eno54 parent 10: classid 10:2 htb rate 50mbit
# tc filter add dev eno54 parent 10: protocol ip handle 1: cgroup

The device eno54 is the physical network interface that connects the host
with the network. It's part of the bridge where container virtual network
interfaces are added.

# brctl show br0
bridge name     bridge id               STP enabled     interfaces
br0             8000.00163ee2fda2       no              eno54

2. Set the classid value in container config file.

lxctest1 container config file has: lxc.cgroup.net_cls.classid = 0x0011
lxctest2 container config file has: lxc.cgroup.net_cls.classid = 0x0012

3. Start both containers. Check that classid is correct and that they
belong to the bridge.

# lxc-start -n lxctest1
# lxc-start -n lxctest2

# cat /sys/fs/cgroup/net_cls/lxc/lxctest1/net_cls.classid
1048577
# cat /sys/fs/cgroup/net_cls/lxc/lxctest2/net_cls.classid
1048578

# brctl show br0
bridge name     bridge id               STP enabled     interfaces
br0             8000.00163ee2fda2       no              eno54
                                                        veth0-lxctest1
                                                        veth0-lxctest2

4. Start iperf in both containers.

Expected behaviour: iperf running on container lxctest1 being limited to 10
Mbps and iperf running on lxctest2 container being limited to 50 Mbps.
What I get: both iperf running unconstrained at maximum speed.

5. I took the iperf process running on lxctest1 container and checked that
it was in the tasks of the cgroup

# pstree -c -p 37108
lxc-start(37108)───systemd(37118)─┬─agetty(37167)
                                  ├─agetty(37168)
                                  ├─dbus-daemon(37157)
                                  ├─rsyslogd(37156)─┬─{rsyslogd}(37161)
                                  │                 └─{rsyslogd}(37162)
                                  ├─sshd(37336)───sshd(41156)───bash(41167)───iperf3(41523)
                                  ├─systemd-journal(37131)
                                  └─systemd-logind(37153)

# cat /sys/fs/cgroup/net_cls/lxc/lxctest1/tasks
37118
37131
37153
37156
37157
37161
37162
37167
37168
37336
39618
41156
41167
41523

# cat /proc/41523/cgroup
10:memory:/lxc/lxctest1
9:hugetlb:/lxc/lxctest1
8:perf_event:/lxc/lxctest1
7:cpuset:/lxc/lxctest1
6:devices:/lxc/lxctest1
5:net_cls,net_prio:/lxc/lxctest1
4:blkio:/lxc/lxctest1
3:cpu,cpuacct:/lxc/lxctest1
2:freezer:/lxc/lxctest1
1:name=systemd:/user.slice/user-0.slice/session-1288.scope/user.slice/user-0.slice/session-1288.scope

6. I don't know how to check that packets going out the container are
actually being tagged with the classid value, but the reality is that
packets are not filtered according this value on the host and are not going
to the correct class, where bandwidth limit is applied.

7. I'm using Oracle Linux 7 and the standard lxc package delivered in this
distribution. Versions:

# uname -a
Linux exapru-aa.dit.aeat 4.1.12-112.14.15.el7uek.x86_64 #2 SMP Thu Feb 8 09:58:19 PST 2018 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/oracle-release
Oracle Linux Server release 7.4

# yum info lxc
Loaded plugins: ulninfo
Installed Packages
Name        : lxc
Arch        : x86_64
Version     : 1.1.5
Release     : 2.0.9.el7
Size        : 725 k
Repo        : installed
From repo   : ol7_latest
Summary     : Linux Containers userspace tools
URL         : http://linuxcontainers.org
License     : LGPLv2+
Description : Containers are insulated areas inside a system, which have their own namespace
            : for filesystem, network, PID, IPC, CPU and memory allocation and which can be
            : created using the Control Group and Namespace features included in the Linux
            : kernel.
            :
            : This package provides the lxc-* tools, which can be used to start a single
            : daemon in a container, or to boot an entire "containerized" system, and to
            : manage and debug your containers.


8. What is wrong here? Anything wrong with this LXC version? Anything wrong
with the setup?

Thanks!


-- 
Angel Lopez
http://futur3.com/
... the geeks shall inherit the Earth
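
An added example, not part of the original post and not LXC or iproute2 code: it decodes net_cls.classid values into the tc major:minor handles they select and checks them against the configured classes. The kernel documents the value as 0xAAAABBBB (major in the upper 16 bits, minor in the lower 16), the cgroup file reads back in decimal, and tc handles are hexadecimal; the function names are hypothetical and the `tc class show` text is constructed sample output.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; TC_CLASSES is constructed sample data.

# net_cls.classid is 0xAAAABBBB: AAAA = tc major, BBBB = tc minor.
# Accepts decimal (as read from the cgroup file) or 0x-prefixed hex (as in the config).
classid_to_handle() (
    v=$(( $1 ))
    printf '%x:%x\n' "$(( (v >> 16) & 0xffff ))" "$(( v & 0xffff ))"
)

# Inverse: tc handle "10:1" (hex major:minor) -> value for lxc.cgroup.net_cls.classid
handle_to_classid() (
    major=${1%%:*}
    minor=${1##*:}
    printf '0x%04x%04x\n' "$(( 0x${major:-0} ))" "$(( 0x${minor:-0} ))"
)

# Reads `tc class show dev <if>` output on stdin; succeeds if the handle is a class.
class_exists() {
    awk -v h="$1" '$1 == "class" && $3 == h { found = 1 } END { exit !found }'
}

# Constructed sample of `tc class show dev eno54` for the two classes in the post.
TC_CLASSES='class htb 10:1 root prio 0 rate 10Mbit ceil 10Mbit burst 1600b cburst 1600b
class htb 10:2 root prio 0 rate 50Mbit ceil 50Mbit burst 1600b cburst 1600b'

# Decode one classid and report whether a tc class with that handle exists.
check_classid() (
    handle=$(classid_to_handle "$1")
    if printf '%s\n' "$TC_CLASSES" | class_exists "$handle"; then
        echo "$1 -> $handle: class present"
    else
        echo "$1 -> $handle: no such class"
    fi
)

# Values read back from the cgroup files, then the config values quoted in the post.
for id in 1048577 1048578 0x0011 0x0012; do
    check_classid "$id"
done
```

On a live host, pipe `tc class show dev eno54` into `class_exists` instead of the sample text, and pass the contents of the container's `net_cls.classid` file to `classid_to_handle`.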

[lxc-users] Is it possible to use realtime processing in a lxd container ?

2018-03-14 Thread Pierre Couderc

When I try to start freeswitch in freeswitch.service with :

IOSchedulingClass=realtime

it fails, but seems to start when I comment it.

So my question is : is it possible ?

And if yes, how to parametrize the container ?

Is there some howto ?

Thank you in advance

Pierre Couderc

