Quoting Fajar A. Nugraha ([email protected]):
> On Wed, Sep 9, 2015 at 10:32 PM, tapczan <[email protected]> wrote:
> > Increasing memory limit from inside the container:
> >
> > # echo 32212254720 >
> > /sys/fs/cgroup/memory/lxc/dev-c10/memory.memsw.limit_in_bytes
> > # cat /sys/fs/cgroup/memory/lxc/dev-c10/memory.memsw.limit_in_bytes
> > 32212254720
> >
> > So I can modify memory limit from inside the container.
> >
> > What's interesting I can also modify those values via cgmanager:
> >
> > # cgm getvalue memory '/lxc/dev-c10' memory.memsw.limit_in_bytes
> > method return sender=(null sender) -> dest=(null destination) reply_serial=1
> > string "32212254720"
> >
> > # cgm setvalue memory '/lxc/dev-c10' memory.memsw.limit_in_bytes 3221225472
> > method return sender=(null sender) -> dest=(null destination) reply_serial=1
> >
> > # cgm getvalue memory '/lxc/dev-c10' memory.memsw.limit_in_bytes
> > method return sender=(null sender) -> dest=(null destination) reply_serial=1
> > string "3221225472"
> >
> >
> > I've tried a couple of different lxc versions like: 1.07, 1.12, 1.13
> > with the same result.
> >
> > The question is how to prevent changing values like memory limits from
> > inside the container?
>
> I think this is one of the consequences of privileged container.
> unprivileged containers correctly prevents that.
>
> From inside the container (I use memory.soft_limit_in_bytes as an example
> because my kernel doesn't have memsw.limit_in_bytes):
>
> root@trusty:/# cat /proc/self/cgroup
> 12:name=systemd:/user/1000.user/193.session/lxc/trusty
> 11:perf_event:/user/1000.user/193.session/lxc/trusty
> 10:net_prio:/user/1000.user/193.session/lxc/trusty
> 9:net_cls:/user/1000.user/193.session/lxc/trusty
> 8:memory:/user/1000.user/193.session/lxc/trusty
> 7:hugetlb:/user/1000.user/193.session/lxc/trusty
> 6:freezer:/user/1000.user/193.session/lxc/trusty
> 5:devices:/user/1000.user/193.session/lxc/trusty
> 4:cpuset:/user/1000.user/193.session/lxc/trusty
> 3:cpuacct:/user/1000.user/193.session/lxc/trusty
> 2:cpu:/user/1000.user/193.session/lxc/trusty
> 1:blkio:/user/1000.user/193.session/lxc/trusty
>
> root@trusty:/# cgm getvalue memory . memory.soft_limit_in_bytes
> 1073741824
>
> root@trusty:/# cgm setvalue memory . memory.soft_limit_in_bytes 2147483648
> call to cgmanager_set_value_sync failed: invalid request
>
> This is with lxc-1.1.3, cgmanager 0.37

Right, the way to prevent it would be to exploit the hierarchy. So you can either set a limit on /lxc, or create /lxc/dev-c10 with the limits you want and use /lxc/dev-c10/dev-c10.real as the actual container cgroup. At one point we did that automatically, but it does have a performance penalty to have an extra cgroup depth.

-serge

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
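The nesting Serge describes, written out as a host-side shell script. This is an added example and not code from the thread or from LXC itself; it assumes a cgroup v1 memory controller mounted at the path in CGROOT (default /sys/fs/cgroup/memory) with hierarchical accounting (memory.use_hierarchy=1), and the cgroup names, the 3 GiB limit and the PID are illustrative. The enforcing limit is written to /lxc/dev-c10, the container's processes are moved into /lxc/dev-c10/dev-c10.real, and effective_limit shows the check a host admin wants: because every ancestor is charged, the cap that actually applies is the smallest limit on the path up to the controller root, so raising the inner cgroup's own file from inside the container changes nothing.

```shell
#!/bin/sh
# Added example, not from the lxc-users thread or the LXC project.
# Assumes cgroup v1 memory controller at $CGROOT with use_hierarchy=1.
CGROOT="${CGROOT:-/sys/fs/cgroup/memory}"

# create_capped_hierarchy NAME LIMIT_BYTES
# Creates $CGROOT/lxc/NAME carrying the real limit and the inner cgroup
# $CGROOT/lxc/NAME/NAME.real for the container. Prints the inner path.
create_capped_hierarchy() {
    name="$1"; limit="$2"
    parent="$CGROOT/lxc/$name"
    child="$parent/$name.real"
    mkdir -p "$child"
    # The enforcing limit lives in the parent, which the container does not own.
    echo "$limit" > "$parent/memory.limit_in_bytes"
    # memsw accounting is optional in the kernel; set it only where it exists.
    if [ -e "$parent/memory.memsw.limit_in_bytes" ]; then
        echo "$limit" > "$parent/memory.memsw.limit_in_bytes"
    fi
    printf '%s\n' "$child"
}

# attach_pid INNER_CGROUP PID
# Moves a process (e.g. the container's init) into the inner cgroup.
attach_pid() {
    printf '%s\n' "$2" > "$1/cgroup.procs"
}

# set_inner_limit INNER_CGROUP LIMIT_BYTES
# What root inside a privileged container is able to do: edit its own
# cgroup's limit file. Used here to show that it does not lift the cap.
set_inner_limit() {
    echo "$2" > "$1/memory.limit_in_bytes"
}

# effective_limit CGROUP
# Walks from CGROUP up to (not including) $CGROOT and prints the smallest
# memory.limit_in_bytes found. With use_hierarchy=1 every ancestor is
# charged, so this minimum is the limit the kernel really enforces.
effective_limit() {
    dir="$1"; best=""
    while [ -n "$dir" ] && [ "$dir" != "/" ] && [ "$dir" != "$CGROOT" ]; do
        if [ -r "$dir/memory.limit_in_bytes" ]; then
            v=$(cat "$dir/memory.limit_in_bytes")
            if [ -z "$best" ] || [ "$v" -lt "$best" ]; then best="$v"; fi
        fi
        dir=$(dirname "$dir")
    done
    printf '%s\n' "$best"
}

# demo: the thread's numbers, run against $CGROOT (needs root on a real host).
demo() {
    inner=$(create_capped_hierarchy dev-c10 3221225472)
    echo "inner cgroup: $inner"
    set_inner_limit "$inner" 32212254720     # container-side attempt to raise
    echo "effective limit: $(effective_limit "$inner")"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as root with `sh nest-cgroup.sh demo` on a host with the v1 memory controller; point CGROOT at a scratch directory to dry-run the path and file logic without touching cgroupfs. The performance cost Serge mentions is the extra level the kernel charges on every allocation, so keep the nesting to one additional depth.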
