From: Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org>
To: kt-S89nZTSLPHGGdvJs77BJ7Q@public.gmane.org
Cc: Linux Containers
	<containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org>,
	Dietmar Maurer <dietmar-YTcQvvOqK21BDgjK7y7TUQ@public.gmane.org>,
	lxc-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
Subject: Re: [lxc-devel] Memory Resources
Date: Fri, 28 Aug 2009 11:32:56 +0200
Message-ID: <4A97A448.5050506@free.fr>
In-Reply-To: <ac1c4bf20908261625g71dff96cu77190056540cbb7-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>

Krzysztof Taraszka wrote:
> 2009/8/26 Krzysztof Taraszka <krzysztof.taraszka-S89nZTSLPHGGdvJs77BJ7Q@public.gmane.org>
>
>   
>> 2009/8/26 Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org>
>>
>>     
>>> KAMEZAWA Hiroyuki wrote:
>>>
>>>       
>>>> On Mon, 24 Aug 2009 16:11:15 +0200
>>>> Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org> wrote:
>>>>
>>>>
>>>>
>>>>         
>>>>> [ snip ]
>>>>>
>>>>>
>>>>>           
>>>>>>>> i think that /proc/meminfo should be mounted after /proc . why? i think
>>>>>>>> that, because mounting /proc may override /proc/meminfo
>>>>>>>> Am I right? :)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>                 
>>>>>>> Ha ! haha ! arrgh ! no way ! You are right :/
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>               
>>>>>> Hehe ;)
>>>>>>
>>>>>>
>>>>>>
>>>>>>             
>>>>>>> In the case of application container, lxc mounts /proc but in the case of
>>>>>>> system container it is the system who do that so after the /proc/meminfo
>>>>>>> has been mounted.
>>>>>>>
>>>>>>> Maybe we can look at modifying fs/proc/meminfo.c instead. Let me do a small
>>>>>>> patch for the kernel...
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>               
>>>>>> Okey. I am waiting for your patch :)
>>>>>>
>>>>>>
>>>>>>             
>>>>> Quick and dirty patch but at least working. It is not synced on the
>>>>> latest kernel version.
>>>>> I do not really like to touch fs/proc/meminfo.c but it's an example
>>>>> here.
>>>>>
>>>>>
>>>>>
>>>>>           
>>>> I'll strongly Nack to this.
>>>> plz find a way to ln -s /path_to_cgroup/memory.meminfo
>>>> /mycontainer/meminfo
>>>>
>>>>
>>>>         
>>> Yep, I agree with you, I don't like this approach.
>>>
>>> We are trying to solve the problem of the userspace tools which look at
>>> the /proc/meminfo file to display memory information. That looks weird to
>>> set a max memory usage of 256MB via the cgroup and having the 'free' command
>>> showing 4GB of total memory. More than looking weird, Dietmar explained that
>>> can puzzle applications relying on this information for taking some
>>> decisions.
>>>
>>> If we consider having /cgroup/mycontainer/memory.meminfo with memory
>>> information in the same format as /proc/meminfo, that solves partially the
>>> problem:
>>> - we run an application container, the application won't mount /proc so
>>> the lxc tools do that for the application (at least to isolate the pids
>>> information), it is easy to mount --bind /cgroup/mycontainer/memory.meminfo
>>> to /proc/meminfo before the application takes the control, that is to say
>>> before 'exec'. Tested and verified with the memory tools (free, top, etc
>>> ...)
>>>
>>> - we run a system container, we can do this mount-bind but when the
>>> application, aka /sbin/init, takes the control, the /proc is mounted by the
>>> system services, so we lose the /proc/meminfo we previously set. Hence
>>> meminfo in the cgroup directory does not solve the problem for this use
>>> case.
>>>
>>> Any ideas ?
>>>
>>>
>>>       
>> If I may... I have been thinking about that last few days and... I think
>> that mounting /proc/meminfo can be done with mounted cgroup and secured by
>> SMACK64.
>> I will test it tonight and give you a report on how it works for me.
>>
>>
>>     
>
> Okey.
> I made a few tests and these two ways work:
>
> First way:
> =======
> lxc. smack enabled, policy loaded. cgroup not labeled.
>
> a) start container
> b) mount cgroup inside container
> c) mount --bind /cgroup/foo/memory.meminfo /proc/meminfo
> d) secure the /cgroup on the host (ie: attr -S -s SMACK64 -V host /cgroup).
>
> this step can be done inside lxc tools ;)
>
> Second way:
> ==========
> lxc. smack enabled, policy loaded. cgroup not labeled.
>
> a) do not label whole /cgroup directory (DO NOT DO: attr -S -s SMACK64 -V
> host /cgroup). Label dedicated files only (for example: /cgroup/cpuset.cpus,
> /cgroup/vs1/cpuset.cpus, etc). Do not label the /cgroup/vs1 directory. Label
> with vs1 label only /cgroup/vs1/memory.meminfo. Label all other files with
> host label so that reading them is not allowed.
> b) start container
> c) mount cgroup inside container
> d) mount --bind /cgroup/foo/memory.meminfo /proc/meminfo
>
> steps: b, c, d can be done inside lxc tools. step a can't and it is based on
> the admin policy.
>
> I think that the first solution is more automatic and can be done by lxc
> tools (maybe command line switch? I can prepare a patch for that.)
>   

I do not know smack, what does smack do here? Will this solution prevent the
container from overwriting /proc/meminfo by remounting /proc?
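
An added example, not part of the original message or of the lxc tools: a check over /proc/<pid>/mountinfo that reports whether the bind mount on /proc/meminfo is still what the container sees, or whether a later mount on /proc has shadowed it, which is the case asked about above. The function names and the sample mountinfo lines are constructed for illustration, and memory.meminfo is the cgroup file proposed in this thread.

```python
from collections import namedtuple

Mount = namedtuple("Mount", "mid parent root point fstype")

# Constructed sample: memory.meminfo (the file proposed in this thread) bound
# over /proc/meminfo, in /proc/<pid>/mountinfo format.
SAMPLE_BEFORE = """\
20 1 8:1 / / rw - ext4 /dev/sda1 rw
21 20 0:4 / /proc rw - proc proc rw
22 20 0:25 / /cgroup rw - cgroup cgroup rw,memory
23 21 0:25 /foo/memory.meminfo /proc/meminfo rw - cgroup cgroup rw,memory
"""
# Constructed sample: the container's init then mounts a fresh procfs on /proc.
SAMPLE_AFTER = SAMPLE_BEFORE + "24 21 0:4 / /proc rw - proc proc rw\n"

def parse_mountinfo(text):
    """Parse mountinfo text into Mount records keyed by mount ID."""
    mounts = {}
    for line in text.strip().splitlines():
        left, _, right = line.partition(" - ")  # optional fields end at " - "
        f = left.split()
        mounts[int(f[0])] = Mount(int(f[0]), int(f[1]), f[3], f[4], right.split()[0])
    return mounts

def _descend(mounts, cur, path):
    """Enter any mount placed on `path` under `cur`, then mounts stacked on it."""
    while True:
        kids = [m for m in mounts.values() if m.parent == cur.mid and m.point == path]
        if not kids:
            return cur
        cur = max(kids, key=lambda m: m.mid)  # simplification: pick highest ID

def visible_mount(mounts, path):
    """Approximate the kernel's path walk; return the mount that serves `path`."""
    roots = [m for m in mounts.values() if m.point == "/" and m.parent not in mounts]
    cur = _descend(mounts, roots[0], "/")
    walked = ""
    for part in path.strip("/").split("/"):
        walked += "/" + part
        cur = _descend(mounts, cur, walked)
    return cur

def meminfo_overlay_state(text, target="/proc/meminfo"):
    """Classify the overlay as 'visible', 'shadowed' or 'absent'."""
    mounts = parse_mountinfo(text)
    top = visible_mount(mounts, target)
    if top.point == target and top.fstype == "cgroup":
        return "visible"
    has_bind = any(m.point == target for m in mounts.values())
    return "shadowed" if has_bind else "absent"

if __name__ == "__main__":
    print(meminfo_overlay_state(SAMPLE_BEFORE), meminfo_overlay_state(SAMPLE_AFTER))
```

Run against the mountinfo of the container's init from the host, a "shadowed" result means tools inside the container read the host-wide /proc/meminfo again even though the bind mount is still listed.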
