Linux Container Development
From: Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org>
To: kt-S89nZTSLPHGGdvJs77BJ7Q@public.gmane.org
Cc: Linux Containers
	<containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org>,
	Dietmar Maurer <dietmar-YTcQvvOqK21BDgjK7y7TUQ@public.gmane.org>,
	lxc-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
Subject: Re: [lxc-devel] Memory Resources
Date: Fri, 28 Aug 2009 11:32:56 +0200
Message-ID: <4A97A448.5050506@free.fr>
In-Reply-To: <ac1c4bf20908261625g71dff96cu77190056540cbb7-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>

Krzysztof Taraszka wrote:
> 2009/8/26 Krzysztof Taraszka <krzysztof.taraszka-S89nZTSLPHGGdvJs77BJ7Q@public.gmane.org>
>
>   
>> 2009/8/26 Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org>
>>
>>     
>>> KAMEZAWA Hiroyuki wrote:
>>>
>>>       
>>>> On Mon, 24 Aug 2009 16:11:15 +0200
>>>> Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org> wrote:
>>>>
>>>>
>>>>
>>>>         
>>>>> [ snip ]
>>>>>
>>>>>
>>>>>           
>>>>>>>> i think that /proc/meminfo should be mounted after /proc . why? i think
>>>>>>>> that, because mounting /proc may override /proc/meminfo
>>>>>>>> Am I right? :)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>                 
>>>>>>> Ha ! haha ! arrgh ! no way ! You are right :/
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>               
>>>>>> Hehe ;)
>>>>>>
>>>>>>
>>>>>>
>>>>>>             
>>>>>>> In the case of application container, lxc mounts /proc but in the case
>>>>>>> of system container it is the system which does that, so after the
>>>>>>> /proc/meminfo has been mounted.
>>>>>>>
>>>>>>> Maybe we can look at modifying fs/proc/meminfo.c instead. Let me do a
>>>>>>> small
>>>>>>> patch for the kernel...
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>               
>>>>>> Okey. I am waiting for your patch :)
>>>>>>
>>>>>>
>>>>>>             
>>>>> Quick and dirty patch but at least working. It is not synced on the
>>>>> latest kernel version.
>>>>> I do not really like to touch fs/proc/meminfo.c but it's an example
>>>>> here.
>>>>>
>>>>>
>>>>>
>>>>>           
>>>> I'll strongly Nack to this.
>>>> plz find a way to ln -s /path_to_cgroup/memory.meminfo
>>>> /mycontainer/meminfo
>>>>
>>>>
>>>>         
>>> Yep, I agree with you, I don't like this approach.
>>>
>>> We are trying to solve the problem of the userspace tools which look at
>>> the /proc/meminfo file to display memory information. That looks weird to
>>> set a max memory usage of 256MB via the cgroup and having the 'free' command
>>> showing 4GB of total memory. More than looking weird, Dietmar explained that
>>> it can puzzle applications relying on this information for taking some
>>> decisions.
>>>
>>> If we consider having /cgroup/mycontainer/memory.meminfo with memory
>>> information in the same format as /proc/meminfo, that partially solves the
>>> problem:
>>> - we run an application container, the application won't mount /proc so
>>> the lxc tools do that for the application (at least to isolate the pids
>>> information), it is easy to mount --bind /cgroup/mycontainer/memory.meminfo
>>> to /proc/meminfo before the application takes the control, that is to say
>>> before 'exec'. Tested and verified with the memory tools (free, top, etc
>>> ...)
>>>
>>> - we run a system container, we can do this mount-bind but when the
>>> application, aka /sbin/init, takes the control, the /proc is mounted by the
>>> system services, so we lose the /proc/meminfo we previously set. Hence
>>> meminfo in the cgroup directory does not solve the problem for this use
>>> case.
>>>
>>> Any ideas ?
>>>
>>>
>>>       
>> If I may... I have been thinking about that for the last few days and... I
>> think that mounting /proc/meminfo can be done with mounted cgroup and secured
>> by SMACK64.
>> I will test it tonight and give you a report on how it works for me.
>>
>>
>>     
>
> Okey.
> I made a few tests and these two ways work:
>
> First way:
> =======
> lxc. smack enabled, policy loaded. cgroup not labeled.
>
> a) start container
> b) mount cgroup inside container
> c) mount --bind /cgroup/foo/memory.meminfo /proc/meminfo
> d) secure the /cgroup on the host (ie: attr -S -s SMACK64 -V host /cgroup).
>
> this step can be done inside lxc tools ;)
>
> Second way:
> ==========
> lxc. smack enabled, policy loaded. cgroup not labeled.
>
> a) do not label whole /cgroup directory (DO NOT DO: attr -S -s SMACK64 -V
> host /cgroup). Label dedicated files only (for example: /cgroup/cpuset.cpus,
> /cgroup/vs1/cpuset.cpus, etc). Do not label the /cgroup/vs1 directory. Label
> with vs1 label only /cgroup/vs1/memory.meminfo. Label all other files with
> host label to not allow reading them.
> b) start container
> c) mount cgroup inside container
> d) mount --bind /cgroup/foo/memory.meminfo /proc/meminfo
>
> steps: b, c, d can be done inside lxc tools. step a can't and it is based on
> the admin policy.
>
> I think that the first solution is more automatic and can be done by lxc
> tools (maybe command line switch?). I can prepare a patch for that.
>

I do not know smack, what does smack do here? Will this solution prevent the
container from overwriting /proc/meminfo by remounting /proc?
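
The remount concern raised in this message can be checked from a container's mount table. The following is an added example, not part of the original e-mail or of the lxc tools: it parses mountinfo text and reports whether a bind mount on /proc/meminfo is still reachable or has been hidden by a later /proc mount. The mountinfo samples are constructed, memory.meminfo is the cgroup file proposed in this thread, and the function names are hypothetical.

```python
# Added example: constructed mountinfo samples; memory.meminfo is the cgroup
# file proposed in this thread, and all function names are hypothetical.

def parse_mountinfo(text):
    """Parse /proc/<pid>/mountinfo text into a list of dicts (format: proc(5))."""
    mounts = []
    for line in text.strip().splitlines():
        left, _, right = line.partition(" - ")   # optional fields end at " - "
        f = left.split()
        mounts.append({"id": int(f[0]), "parent": int(f[1]), "root": f[3],
                       "mountpoint": f[4], "fstype": right.split()[0]})
    return mounts

def visible_mount(mounts, path):
    """Topmost mount at `path`: the one no other mount at `path` is stacked on."""
    at_path = [m for m in mounts if m["mountpoint"] == path]
    covered = {m["parent"] for m in at_path}
    top = [m for m in at_path if m["id"] not in covered]
    return top[-1] if top else None

def meminfo_status(text):
    """Classify what a read of /proc/meminfo resolves to in this mount table."""
    mounts = parse_mountinfo(text)
    proc = visible_mount(mounts, "/proc")
    binds = [m for m in mounts if m["mountpoint"] == "/proc/meminfo"]
    if proc is None or not binds:
        return "no-bind"          # plain /proc/meminfo (host-wide numbers) or no /proc
    if any(m["parent"] == proc["id"] for m in binds):
        return "bind-visible"     # the bind sits on the /proc that path lookup reaches
    return "bind-shadowed"        # a newer /proc mount hides the bind

# Application container: lxc mounts /proc, then binds memory.meminfo over it.
APP_CONTAINER = """\
20 1 8:1 / / rw - ext3 /dev/sda1 rw
30 20 0:3 / /proc rw - proc proc rw
31 20 0:18 / /cgroup rw - cgroup cgroup rw,memory
32 30 0:18 /foo/memory.meminfo /proc/meminfo rw - cgroup cgroup rw,memory
"""
# System container: /sbin/init's boot scripts mount /proc again on top (id 45).
SYSTEM_CONTAINER = APP_CONTAINER + "45 30 0:21 / /proc rw - proc proc rw\n"

if __name__ == "__main__":
    for name, table in (("application", APP_CONTAINER), ("system", SYSTEM_CONTAINER)):
        print(name, "container:", meminfo_status(table))
```

On a live system the same function can be fed the contents of /proc/self/mountinfo read from inside the container.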
