Re: [lxc-users] processes escaped from memory cgroup in container, but CPU group is OK
On 11/22/2014 06:10 AM, Fajar A. Nugraha wrote: On Fri, Nov 21, 2014 at 2:45 PM, Michael R. Hines mailto:mrhi...@linux.vnet.ibm.com>> wrote: Hi All, I am using LXC 1.0.5, and I have container running Redhat 7.0 on a Power7 processor. My host kernel version is 3.10.42. The cgroup for this container located at /cgroup/cpu works very well - I can manually echo different shares and control resource usage as expected. But, to my surprise, I set the "memory.limit_in_bytes" option of the container in /cgroup/memory/lxc/../container/memory.limit to a low number (like 2G in bytes), and the container was still able to consume all the memory in the system. So, digging deeper I printed the output of "cgroup.procs" and found that *only* systemd inside the container was properly joined into the group, whereas all the other child processes of the container were missing. How did you create the RH7 container? Thank you for your response: I directly copied it from KVM. was that a bad idea? From my past experience with fedora templates, systemd on the container tried to create its own cgroup, OUTSIDE of the normal container cgroup path. I suspect in your case it works (as in, container started) because there's nothing limiting the container from mounting cgroupfs and creating its own cgroup. That wouldn't have worked on an Ubuntu host with default apparmor settings active. Wow. Ok. So, I need to setup apparmor correctly on host-side of RH? I ended up using the default apparmor profile (to keep it secure), but manually creating and bind-mount the cgroups that systemd needs. See https://lists.linuxcontainers.org/pipermail/lxc-users/2014-May/007069.html , search "snippet" Excellent - I will give that a try. - Michael ___ lxc-users mailing list lxc-users@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-users
Re: [lxc-users] processes escaped from memory cgroup in container, but CPU group is OK
On Fri, Nov 21, 2014 at 2:45 PM, Michael R. Hines < mrhi...@linux.vnet.ibm.com> wrote: > Hi All, > > I am using LXC 1.0.5, and I have container running Redhat 7.0 on a Power7 > processor. My host kernel version is 3.10.42. > > The cgroup for this container located at /cgroup/cpu works very well - I > can manually echo > different shares and control resource usage as expected. > > But, to my surprise, I set the "memory.limit_in_bytes" option of the > container in /cgroup/memory/lxc/../container/memory.limit > to a low number (like 2G in bytes), and the container was still able to > consume all the memory in the system. > > So, digging deeper I printed the output of "cgroup.procs" and found that > *only* systemd inside the container > was properly joined into the group, whereas all the other child processes > of the container were missing. > > How did you create the RH7 container? >From my past experience with fedora templates, systemd on the container tried to create its own cgroup, OUTSIDE of the normal container cgroup path. I suspect in your case it works (as in, container started) because there's nothing limiting the container from mounting cgroupfs and creating its own cgroup. That wouldn't have worked on an Ubuntu host with default apparmor settings active. I ended up using the default apparmor profile (to keep it secure), but manually creating and bind-mount the cgroups that systemd needs. See https://lists.linuxcontainers.org/pipermail/lxc-users/2014-May/007069.html , search "snippet" -- Fajar ___ lxc-users mailing list lxc-users@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-users
Re: [lxc-users] processes escaped from memory cgroup in container, but CPU group is OK
forgot to cc the list On Fri, Nov 21, 2014 at 11:25 AM, brian mullan wrote: > systemd was one of the topics discussed at last weeks Ubuntu Developer's > Summit > Systemd transition - 2014-11-14 18:00..18:55 in Platform 1 > <http://summit.ubuntu.com/uos-1411/meeting/22401/systemd-transition/> > The various developers discussed the current status and planning for the > coming > releases in regards to systemd. They also discuss some of the blocking > factors. > > You might want to check it out. > > brian > > > -- Forwarded message -- > From: "Michael R. Hines" > To: lxc-users@lists.linuxcontainers.org > Cc: > Date: Fri, 21 Nov 2014 15:45:47 +0800 > Subject: [lxc-users] processes escaped from memory cgroup in container, > but CPU group is OK > Hi All, > > I am using LXC 1.0.5, and I have container running Redhat 7.0 on a Power7 > processor. My host kernel version is 3.10.42. > > The cgroup for this container located at /cgroup/cpu works very well - I > can manually echo > different shares and control resource usage as expected. > > But, to my surprise, I set the "memory.limit_in_bytes" option of the > container in /cgroup/memory/lxc/../containe > r/memory.limit > to a low number (like 2G in bytes), and the container was still able to > consume all the memory in the system. > > So, digging deeper I printed the output of "cgroup.procs" and found that > *only* systemd inside the container > was properly joined into the group, whereas all the other child processes > of the container were missing. > > As a further test, I repeated the same procedure with a Ubuntu 14 guest > (which does not appear to use systemd), > and the cgroup memory limit worked as expected - all the child processes > were correctly added to "cgroup.procs" > without any problems. When I try to set memory.limit_in_bytes, the control > works very well. > > So, what gives? Any ideas? > > - Michael > ___ lxc-users mailing list lxc-users@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-users
[lxc-users] processes escaped from memory cgroup in container, but CPU group is OK
Hi All, I am using LXC 1.0.5, and I have container running Redhat 7.0 on a Power7 processor. My host kernel version is 3.10.42. The cgroup for this container located at /cgroup/cpu works very well - I can manually echo different shares and control resource usage as expected. But, to my surprise, I set the "memory.limit_in_bytes" option of the container in /cgroup/memory/lxc/../container/memory.limit to a low number (like 2G in bytes), and the container was still able to consume all the memory in the system. So, digging deeper I printed the output of "cgroup.procs" and found that *only* systemd inside the container was properly joined into the group, whereas all the other child processes of the container were missing. As a further test, I repeated the same procedure with a Ubuntu 14 guest (which does not appear to use systemd), and the cgroup memory limit worked as expected - all the child processes were correctly added to "cgroup.procs" without any problems. When I try to set memory.limit_in_bytes, the control works very well. So, what gives? Any ideas? - Michael ___ lxc-users mailing list lxc-users@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-users
