From: Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org>
To: kt-S89nZTSLPHGGdvJs77BJ7Q@public.gmane.org
Cc: Linux Containers
	<containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org>,
	lxc-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
Subject: Re: [lxc-devel] Memory Resources
Date: Mon, 24 Aug 2009 13:13:15 +0200
Message-ID: <4A9275CB.7030108@free.fr>
In-Reply-To: <ac1c4bf20908240327u424bd021t8848cf1cafb24ada-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>

Krzysztof Taraszka wrote:
> 2009/8/24 Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org>
>
>> Krzysztof Taraszka wrote:
>>
>>> 2009/8/24 Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org>
>>>
>>>> Krzysztof Taraszka wrote:
>>>>
>>>>> 2009/8/24 Daniel Lezcano <dlezcano-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org>
>>>>>
>>>>>> Krzysztof Taraszka wrote:
>>>>>>
>>>>>>> 2009/8/24 Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org>
>>>>>>>
>>>>>>>  Krzysztof Taraszka wrote:
>>>>>>>
>>>>>>>>  2009/8/23 Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org>
>>>>>>>>
>>>>>>>>> (...)
>>>>>>>>>
>>>>>>>>>  With the lxc tools I did:
>>>>>>>>>
>>>>>>>>>>    lxc-execute -n foo /bin/bash
>>>>>>>>>>    echo 268435456 > /cgroup/foo/memory.limit_in_bytes
>>>>>>>>>>    mount --bind /cgroup/foo/memory.meminfo /proc/meminfo
>>>>>>>>>>    for i in $(seq 1 100); do sleep 3600 & done
>>>>>>>>>>
>>>>>>>>> (...)
>>>>>>>>>
>>>>>>>>>  :)
>>>>>>>>>
>>>>>>>>> hmmm... I think that access to the cgroup inside container is very risky
>>>>>>>>> because I am able to manage for example memory resources (what if I am not
>>>>>>>>> the host owner and... I can give me via non-secure mounted /cgroup (inside
>>>>>>>>> container) all available memory resources...).
>>>>>>>>> I think that the /proc/meminfo should be passed to the container in the
>>>>>>>>> other way, but this is the topic for the other thread.
>>>>>>>>>
>>>>>>>> It is not a problem, I did it in this way because it's easy to test but in
>>>>>>>> a real use case, the memory limit is setup by the lxc configuration file and
>>>>>>>> the cgroup directory will be no longer accessible from the container.
>>>>>>>>
>>>>>>> So.. how there will be another method (more secure) for giving /proc/meminfo
>>>>>>> with limits to the container, right?
>>>>>>>
>>>>>> Same method. The lxc tools can be configured with a fstab to mount more
>>>>>> mount points, furthermore if memory.meminfo is available I will add the code
>>>>>> to mount it automatically to /proc/meminfo in the lxc tools.
>>>>>>
>>>>> Hmm... setup_fs() from lxc_init.c or another way?
>>>>>
>>>> No, I was thinking in the setup_cgroup() function in conf.c.
>>>>
>>>> Something like:
>>>>
>>>> ...
>>>>
>>>> if (!access("/var/lib/lxc/mycontainer/nsgroup/memory.meminfo", F_OK)) {
>>>>  mount("/var/lib/lxc/mycontainer/nsgroup/memory.meminfo",
>>>> "/proc/meminfo",
>>>> MS_BIND, ...);
>>>> }
>>>>
>>>> ...
>>>>
>>>> but a bit more clean :)
>>>>
>>> hmm... ok, got it, but don't know why does it won't work ;)
>>>
>>> @@ -999,12 +999,14 @@
>>>  static int setup_cgroup(const char *name)
>>>  {
>>>     char filename[MAXPATHLEN];
>>> +    char meminfofilename[MAXPATHLEN];
>>>     char line[MAXPATHLEN];
>>>     struct stat s;
>>>     int ret;
>>>
>>>     snprintf(filename, MAXPATHLEN, LXCPATH "/%s/cgroup", name);
>>> -
>>> +    snprintf(meminfofilename, MAXPATHLEN, LXCPATH
>>> "/%s/nsgroup/memory.meminfo", name);
>>> +
>>>     if (stat(filename, &s)) {
>>>         SYSERROR("failed to stat '%s'", filename);
>>>         return -1;
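Review bot: the added snprintf() into meminfofilename ignores its return value, so an over-long container name would silently truncate the path ending in "/nsgroup/memory.meminfo" and the later access() would simply see a missing file. Compare the result against MAXPATHLEN and fail with an error; building the path next to its only use, after the "cgroup has been setup" trace, would also keep it out of the early-return paths such as the failed stat().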
>>> @@ -1024,6 +1026,10 @@
>>>
>>>     INFO("cgroup has been setup");
>>>
>>> +    /* mount memory.meminfo as /proc/meminfo */
>>> +    if (!access(meminfofilename, F_OK)) {
>>> +        mount(meminfofilename, "/proc/meminfo", "none", MS_BIND, 0);
>>> +     }
>>>     return 0;
>>>  }
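Review bot: the mount() call in the added block discards its result, so a failed bind mount is invisible and setup_cgroup() still returns 0; check it, report with SYSERROR and return -1, and add an INFO trace on success. The access(meminfofilename, F_OK) test before it is a check-then-use pair on the same path: calling mount() directly and treating ENOENT as "no memory.meminfo" closes that gap. The target is the literal "/proc/meminfo" in whatever mount tree is current at this point, so the bind is only effective if nothing is mounted over /proc afterwards.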
>>>
>>>
>>> hmm... any idea Daniel? :)
>>>
>>>
>>>       
>> Yep, can you check the return code of the mount call and return an error ?
>> if (mount(....)) {
>>   SYSERROR("failed to mount '%s' to '/proc/meminfo'", meminfofilename);
>>   return -1;
>> }
>> at least to verify if this does not fail.
>> and maybe add an INFO trace if the mount is successful saying
>> "/proc/meminfo" is setup with the cgroup.
>>
>> ps : you should launch the command with the "-l INFO" to see the message.
>>
>>     
>
> Hmmm....
> I think that I know where the problem might be:
>
> look here:
>
> lxc1:~# cat debin.log
>       lxc-start 1251109397.922 INFO     lxc_conf - tty's configured
>       lxc-start 1251109397.922 INFO     lxc_start - 'debian' is initialized
>       lxc-start 1251109397.974 INFO     lxc_conf - 'debian' hostname has been setup
>       lxc-start 1251109397.975 INFO     lxc_conf - network has been setup
>       lxc-start 1251109397.976 INFO     lxc_conf - cgroup has been setup
>       lxc-start 1251109397.976 INFO     lxc_conf - /proc/meminfo is setup with the cgroup
>       lxc-start 1251109397.976 INFO     lxc_conf - mount points have been setup
>       lxc-start 1251109397.976 INFO     lxc_conf - console '/dev/pts/1' mounted to '/usr/local/var/lib/lxc/debian/rootfs/dev/console'
>       lxc-start 1251109397.977 INFO     lxc_conf - 4 tty(s) has been setup
>       lxc-start 1251109397.977 INFO     lxc_conf - chrooted to '/usr/local/var/lib/lxc/debian/rootfs'
>       lxc-start 1251109397.977 INFO     lxc_conf - created new pts instance
>       lxc-start 1251109397.977 NOTICE   lxc_conf - 'debian' is setup.
>       lxc-start 1251109397.977 NOTICE   lxc_start - exec'ing '/sbin/init'
>       lxc-start 1251109397.978 NOTICE   lxc_start - '/sbin/init' started with pid '24339'
>
> I think that /proc/meminfo should be mounted after /proc. Why? I think
> that, because mounting /proc may override /proc/meminfo
> Am I right? :)
>   
Ha ! haha ! arrgh ! no way ! You are right :/

In the case of an application container, lxc mounts /proc, but in the case
of a system container it is the system that does that, so after
/proc/meminfo has been mounted.

Maybe we can look at modifying fs/proc/meminfo.c instead. Let me do a 
small patch for the kernel...
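
An added example, not code from this thread or from lxc: a small C check that answers the ordering question above from mountinfo-style text by reporting which mount a lookup of /proc/meminfo actually ends in. The sample lines are constructed and assume the later proc mount is stacked on the existing /proc; the function name `visible_mount_id`, the mount IDs and the cgroup path are made up for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed mountinfo samples: right after the bind mount, and after the
 * container's init has mounted a second proc on /proc. */
#define BASE \
    "15 1 8:1 / / rw - ext3 /dev/root rw\n" \
    "16 15 0:3 / /proc rw - proc proc rw\n" \
    "30 16 0:18 /foo/memory.meminfo /proc/meminfo rw - cgroup cgroup rw\n"
static const char BEFORE[] = BASE;
static const char AFTER[] = BASE "31 16 0:19 / /proc rw - proc proc rw\n";

struct mnt { int id, parent; char point[256]; };

/* True if mount point mp is path itself or a directory above it. */
static int covers(const char *mp, const char *path)
{
    size_t len = strlen(mp);
    return strcmp(mp, "/") == 0 ||
           (strncmp(path, mp, len) == 0 && (path[len] == '/' || !path[len]));
}

/* Return the ID of the mount a lookup of path ends in, or -1. Walks from the
 * root mount and at each step enters the child mount met first on the way
 * (shortest mount point, so a mount stacked on the current one wins). */
int visible_mount_id(const char *text, const char *path)
{
    struct mnt tab[64];
    int n = 0, cur = -1, next, i, steps;
    /* Fields: mount ID, parent ID, major:minor, root, mount point, ... */
    for (; *text && n < 64; text += (*text == '\n')) {
        if (sscanf(text, "%d %d %*s %*s %255s",
                   &tab[n].id, &tab[n].parent, tab[n].point) == 3)
            n++;
        text += strcspn(text, "\n");
    }
    for (i = n - 1; i >= 0; i--)
        if (strcmp(tab[i].point, "/") == 0)
            cur = i;                     /* first "/" entry is the root */
    for (steps = 0; cur >= 0 && steps < n; steps++) {
        next = -1;
        for (i = 0; i < n; i++)
            if (i != cur && tab[i].parent == tab[cur].id &&
                covers(tab[i].point, path) && (next < 0 ||
                strlen(tab[i].point) < strlen(tab[next].point)))
                next = i;
        if (next < 0)
            return tab[cur].id;
        cur = next;
    }
    return -1;
}

int main(void)
{
    printf("before: %d, after: %d\n", visible_mount_id(BEFORE, "/proc/meminfo"),
           visible_mount_id(AFTER, "/proc/meminfo"));
    return 0;
}
```

In the second sample the lookup ends in the new proc mount rather than the bind mount, which is the case where the container reads the host-wide values again.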
