On 02/19/2018 02:07 PM, Maximilian Philipps wrote:
On a second thought, maybe you assumed that the cgroup namespace is
This is not the case, cgroup namespaces are fairly new and as far as I
know not supported
On 02/19/2018 01:50 PM, Michael Biebl wrote:
Am 19.02.2018 um 13:09 schrieb Maximilian Philipps:
I have an issue with Systemd unsetting the memory limit for my
whereupon programs like free and htop report having access to 8 exabyte
The setup is the following:
Release: Debian jessie
Kernel: 4.9.65-3+deb9u2~bpo8+1 (jessie backports)
Container provider: libvirt 3.0.0-4~bpo8+1 (jessie backports)
Systemd: 215-17+deb8u7 (jessie)
cgroup hierarchy: legacy
Release: Debian stretch
Systemd: 232-25+deb9u1 (stretch)
There are several containers running on the host, but this problem only
occurs with all the Debian stretch containers. Containers running
jessie or older Ubuntu 12.04 aren't affected.
Each container is configured to a cgroup-enforced memory limit in its
libvirt domain file.
Steps to reproduce + observations:
1) start a container with virsh -c lxc:// container.example.com
2) virsh -c lxc:// memtune container.example.com
reports a hard_limit of 2097152
4) nsenter -t <pid> -m -u -i -n -p free reports 2097152 kB
5) ssh container.example.com free reports 9007199254740991 kB
6) nsenter -t <pid> -m -u -i -n -p free reports 9007199254740991 kB
7) virsh -c lxc:// memtune container.example.com
reports a hard_limit of unlimited
As far as I can tell it seems to be that systemd unsets the cgroup
limit when creating the user session. However why it gets set to
9223372036854771712 instead of the 255G of the host I don't know.
I'm confused: Are you saying that systemd inside the guest (i.e. running
systemd v232) resets the memory limits on the host (running v215)?
No, the host still sees the 255GB. The systemd in the guest resets
the limits for the container when someone logs in.
In terms of the cgroup hierarchy
is always 9223372036854771712, which appears to be treated as no
restrictions on the host.
However the memory.limit_in_bytes within the machine scope does change.
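A small check for the symptom described in this thread, added here as an example and not part of the report or of systemd/libvirt: it reads a legacy-hierarchy memory.limit_in_bytes file, treats the kernel's "no limit" sentinel (LONG_MAX rounded down to the 4 KiB page size, 9223372036854771712, the value quoted above) as unlimited, and compares the rest against the hard_limit libvirt memtune reports in KiB. The two fixture files are constructed stand-ins for the machine scope's memory.limit_in_bytes before and after a login; on a real host you would point it at that file under /sys/fs/cgroup/memory/ (exact scope path is an assumption, look it up with systemctl status on the machine unit).

```shell
#!/bin/sh
# Added diagnostic (not from the bug report): classify a legacy cgroup v1
# memory.limit_in_bytes value and compare it with the configured hard_limit.
# "Unlimited" on the legacy memory controller is LONG_MAX rounded down to
# the page size: 2^63 - 4096 = 9223372036854771712.
UNLIMITED=9223372036854771712

# classify_limit FILE -> prints "unlimited" or the limit in bytes
classify_limit() {
    v=$(cat "$1")
    if [ "$v" -ge "$UNLIMITED" ]; then
        echo unlimited
    else
        echo "$v"
    fi
}

# check_limit FILE EXPECTED_KIB -> returns 0 if the cgroup still enforces
# the hard_limit memtune was asked for (KiB, as memtune reports it),
# 1 if the limit has been raised or reset to unlimited
check_limit() {
    file=$1
    expected_bytes=$(( $2 * 1024 ))
    actual=$(classify_limit "$file")
    if [ "$actual" = unlimited ]; then
        echo "$file: no memory limit (expected $expected_bytes bytes)"
        return 1
    fi
    if [ "$actual" -ne "$expected_bytes" ]; then
        echo "$file: limit $actual != expected $expected_bytes"
        return 1
    fi
    echo "$file: limit $actual bytes as configured"
    return 0
}

# Constructed fixtures: the machine scope's memory.limit_in_bytes as the
# report describes it before a login (2 GiB = 2097152 KiB hard_limit) and
# after a login (reset to the unlimited sentinel). Real path is an
# assumption, e.g. /sys/fs/cgroup/memory/machine.slice/<scope>/memory.limit_in_bytes
fixtures=$(mktemp -d)
echo 2147483648 > "$fixtures/before_login"
echo 9223372036854771712 > "$fixtures/after_login"

check_limit "$fixtures/before_login" 2097152
check_limit "$fixtures/after_login" 2097152 || true
```

Run it on the host against the machine scope's file before and after an ssh login into the container; a change from "as configured" to "no memory limit" reproduces what memtune shows in step 7 without having to log into the guest.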