From: Richard Davies
Subject: Re: Protection against container fork bombs [WAS: Re: memcg with kmem limit doesn't recover after disk i/o causes limit to be hit]
Date: Tue, 29 Apr 2014 19:39:28 +0100
Message-ID: <20140429183928.GF29606@alpha.arachsys.com>
References: <20140429072515.GB15058@dhcp22.suse.cz>
 <20140429130353.GA27354@ubuntumail>
 <20140429154345.GH15058@dhcp22.suse.cz>
 <20140429165114.GE6129@localhost.localdomain>
 <20140429170639.GA25609@dhcp22.suse.cz>
 <20140429133039.162d9dd7@oracle.com>
 <20140429180927.GB29606@alpha.arachsys.com>
 <20140429182742.GB25609@dhcp22.suse.cz>
In-Reply-To: <20140429182742.GB25609-2MMpYkNvuYDjFM9bn6wA6Q@public.gmane.org>
To: Michal Hocko
Cc: Vladimir Davydov, Marian Marinov, Max Kellermann, Tim Hockin,
 Frederic Weisbecker,
 containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
 Serge Hallyn, Tim Hockin, Glauber Costa, Johannes Weiner,
 linux-mm-Bw31MaZKKs3YtjvyW6yDsg@public.gmane.org, William Dauchy,
 David Rientjes, Tejun Heo,
 cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Daniel Walsh

Michal Hocko wrote:
> Richard Davies wrote:
> > Dwight Engen wrote:
> > > Is there a plan to separately account/limit stack pages vs kmem in
> > > general? Richard would have to verify, but I suspect kmem is not
> > > currently viable as a process limiter for him because
> > > icache/dcache/stack is all accounted together.
> >
> > Certainly I would like to be able to limit container fork-bombs without
> > limiting the amount of disk IO caching for processes in those containers.
> >
> > In my testing of kmem limits, I needed a limit of 256MB or lower to
> > catch fork bombs early enough. I would definitely like more than 256MB of
> > disk caching.
> >
> > So if we go the "working kmem" route, I would like to be able to specify a
> > limit excluding disk cache.
>
> Page cache (which is what you mean by disk cache probably) is a
> userspace accounted memory with the memory cgroup controller. And you
> do not have to limit that one.

OK, that's helpful - thanks.

As an aside, with the normal (non-kmem) cgroup controller, is there a way for
me to exclude page cache and only limit the equivalent of the rss line in
memory.stat?

e.g. say I have a 256GB physical machine, running 200 containers, each with
1GB normal-mem limit (for running software) and 256MB kmem limit (to stop
fork-bombs).

The physical disk IO bandwidth is a shared resource between all the
containers, so ideally I would like the kernel to use the 56GB of RAM as
shared page cache however it best reduces physical IOPs, rather than having
a per-container limit.

Thanks,

Richard.
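
Added example, not part of the original message or of any poster's code: a small monitor that splits a container's cgroup v1 memory.stat into rss and page cache and tracks kmem usage against the 256MB limit discussed in the thread. The sample memory.stat contents and readings are constructed, and `warn_ratio` is a hypothetical alert threshold, not a kernel setting.

```python
"""Added example: report rss, page cache and kmem for one cgroup-v1 memory cgroup."""

# Constructed sample of a container's memory.stat (cgroup v1 format: "<key> <bytes>").
SAMPLE_MEMORY_STAT = """\
cache 805306368
rss 201326592
rss_huge 0
mapped_file 16777216
"""

MiB = 1024 * 1024


def parse_memory_stat(text):
    """Return memory.stat as a dict of counter name -> integer value."""
    stats = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue  # skip blank or malformed lines
        stats[parts[0]] = int(parts[1])
    return stats


def summarize(stat_text, kmem_usage, kmem_limit, warn_ratio=0.8):
    """Report rss, page cache and kmem separately.

    kmem_usage and kmem_limit are the integers read from
    memory.kmem.usage_in_bytes and memory.kmem.limit_in_bytes.
    warn_ratio is a hypothetical alert threshold (assumption of this example).
    """
    stats = parse_memory_stat(stat_text)
    rss, cache = stats.get("rss", 0), stats.get("cache", 0)
    return {
        "rss_mib": rss // MiB,
        "cache_mib": cache // MiB,
        "user_mib": (rss + cache) // MiB,  # rss and page cache are both user-accounted
        "kmem_mib": kmem_usage // MiB,
        "kmem_ratio": round(kmem_usage / kmem_limit, 2),
        "kmem_alert": kmem_usage >= warn_ratio * kmem_limit,
    }


if __name__ == "__main__":
    # Constructed readings: 230 MiB of kmem in use against a 256 MiB kmem limit.
    print(summarize(SAMPLE_MEMORY_STAT, 230 * MiB, 256 * MiB))
```
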