On 11/22/2014 06:10 AM, Fajar A. Nugraha wrote:
On Fri, Nov 21, 2014 at 2:45 PM, Michael R. Hines
<[email protected] <mailto:[email protected]>> wrote:
Hi All,
I am using LXC 1.0.5, and I have container running Redhat 7.0 on a
Power7 processor. My host kernel version is 3.10.42.
The cgroup for this container located at /cgroup/cpu works very
well - I can manually echo
different shares and control resource usage as expected.
But, to my surprise, I set the "memory.limit_in_bytes" option of
the container in /cgroup/memory/lxc/../container/memory.limit
to a low number (like 2G in bytes), and the container was still
able to consume all the memory in the system.
So, digging deeper I printed the output of "cgroup.procs" and
found that *only* systemd inside the container
was properly joined into the group, whereas all the other child
processes of the container were missing.
How did you create the RH7 container?
Thank you for your response: I directly copied it from KVM..... was that
a bad idea?
From my past experience with fedora templates, systemd on the
container tried to create its own cgroup, OUTSIDE of the normal
container cgroup path. I suspect in your case it works (as in,
container started) because there's nothing limiting the container from
mounting cgroupfs and creating its own cgroup. That wouldn't have
worked on an Ubuntu host with default apparmor settings active.
Wow. Ok. So, I need to setup apparmor correctly on host-side of RH?
I ended up using the default apparmor profile (to keep it secure), but
manually creating and bind-mount the cgroups that systemd needs. See
https://lists.linuxcontainers.org/pipermail/lxc-users/2014-May/007069.html
, search "snippet"
Excellent - I will give that a try.....
- Michael
_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
