Bug#890824: Container: unsets cgroup memory limit on user login
On 02/19/2018 02:07 PM, Maximilian Philipps wrote: On 02/19/2018 01:50 PM, Michael Biebl wrote: Am 19.02.2018 um 13:09 schrieb Maximilian Philipps: Package: systemd Version: 232-25+deb9u1 Severity: important Hi I have an issue with Systemd unsetting the memory limit for my container, whereupon programs like free and htop report having access to 8 exabyte of memory. The setup is the following: Host: Release: Debian jessie Kernel: 4.9.65-3+deb9u2~bpo8+1 (jessie backports) Container provider: libvirt 3.0.0-4~bpo8+1 (jessie backports) Systemd: 215-17+deb8u7 (jessie) cgroup hierarchy: legacy Guest: Release: Debian stretch Systemd: 232-25+deb9u1 (stretch) There are several containers running on the host, but this problem only occurs with all the Debian stretch containers. Containers running Debian jessie or older Ubuntu 12.04 aren't affected. Each container is configured to cgroup enforced memory limit in it's libvirt domain file. Example: 4194304 2097152 Steps to reproduce + observations: 1) start a container with virsh -c lxc:// container.example.com 2) virsh -c lxc:// memtune container.example.com reports a hard_limit of 2097152 3) cat "/sys/fs/cgroup/memory/machine.slice/machine-.scope/memory.limit_in_bytes" outputs 2147483648 4) nsenter -t -m -u -i -n -p free reports 2097152 kB 5) ssh container.example.com free reports 9007199254740991 kB 3) cat "/sys/fs/cgroup/memory/machine.slice/machine-.scope/memory.limit_in_bytes" outputs 9223372036854771712 6) nsenter -t -m -u -i -n -p free reports 9007199254740991 kB 7) virsh -c lxc:// memtune container.example.com reports a hard_limit of unlimited As far as I can tell it seems to be that systemd unsets the cgroup memory limit when creating the user session. However why it gets set to 9223372036854771712 instead of the 255G of the host I don't know. I'm confused: Are you saying that systemd inside the guest (i.e. running systemd v232) resets the memory limits on the host (running v215)? No, the hosts still sees the 255GB. The systemd in the guest resets the limits for the container when someone logs in. In terms of the cgroup hierarchy /sys/fs/cgroup/memory/memory.limit_in_bytes is always 9223372036854771712, which appears to be treated as no restrictions on the host. However the memory.limit_in_bytes within the machine scope does change. On a second thought, maybe you assumed that the cgroup namespace is unshared? This is not the case, cgroup namespaces are fairly new and as far as I know not supported by libvirt-lxc. ___ Pkg-systemd-maintainers mailing list Pkg-systemd-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-systemd-maintainers
Bug#890824: Container: unsets cgroup memory limit on user login
On 02/19/2018 01:50 PM, Michael Biebl wrote: Am 19.02.2018 um 13:09 schrieb Maximilian Philipps: Package: systemd Version: 232-25+deb9u1 Severity: important Hi I have an issue with Systemd unsetting the memory limit for my container, whereupon programs like free and htop report having access to 8 exabyte of memory. The setup is the following: Host: Release: Debian jessie Kernel: 4.9.65-3+deb9u2~bpo8+1 (jessie backports) Container provider: libvirt 3.0.0-4~bpo8+1 (jessie backports) Systemd: 215-17+deb8u7 (jessie) cgroup hierarchy: legacy Guest: Release: Debian stretch Systemd: 232-25+deb9u1 (stretch) There are several containers running on the host, but this problem only occurs with all the Debian stretch containers. Containers running Debian jessie or older Ubuntu 12.04 aren't affected. Each container is configured to cgroup enforced memory limit in it's libvirt domain file. Example: 4194304 2097152 Steps to reproduce + observations: 1) start a container with virsh -c lxc:// container.example.com 2) virsh -c lxc:// memtune container.example.com reports a hard_limit of 2097152 3) cat "/sys/fs/cgroup/memory/machine.slice/machine-.scope/memory.limit_in_bytes" outputs 2147483648 4) nsenter -t -m -u -i -n -p free reports 2097152 kB 5) ssh container.example.com free reports 9007199254740991 kB 3) cat "/sys/fs/cgroup/memory/machine.slice/machine-.scope/memory.limit_in_bytes" outputs 9223372036854771712 6) nsenter -t -m -u -i -n -p free reports 9007199254740991 kB 7) virsh -c lxc:// memtune container.example.com reports a hard_limit of unlimited As far as I can tell it seems to be that systemd unsets the cgroup memory limit when creating the user session. However why it gets set to 9223372036854771712 instead of the 255G of the host I don't know. I'm confused: Are you saying that systemd inside the guest (i.e. running systemd v232) resets the memory limits on the host (running v215)? No, the hosts still sees the 255GB. The systemd in the guest resets the limits for the container when someone logs in. In terms of the cgroup hierarchy /sys/fs/cgroup/memory/memory.limit_in_bytes is always 9223372036854771712, which appears to be treated as no restrictions on the host. However the memory.limit_in_bytes within the machine scope does change. ___ Pkg-systemd-maintainers mailing list Pkg-systemd-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-systemd-maintainers
Bug#890824: Container: unsets cgroup memory limit on user login
Am 19.02.2018 um 13:09 schrieb Maximilian Philipps: > Package: systemd > Version: 232-25+deb9u1 > Severity: important > > Hi > > I have an issue with Systemd unsetting the memory limit for my container, > whereupon programs like free and htop report having access to 8 exabyte > of memory. > > The setup is the following: > > Host: > Release: Debian jessie > Kernel: 4.9.65-3+deb9u2~bpo8+1 (jessie backports) > Container provider: libvirt 3.0.0-4~bpo8+1 (jessie backports) > Systemd: 215-17+deb8u7 (jessie) > cgroup hierarchy: legacy > > Guest: > Release: Debian stretch > Systemd: 232-25+deb9u1 (stretch) > > There are several containers running on the host, but this problem only > occurs with all the Debian stretch containers. Containers running Debian > jessie or older Ubuntu 12.04 aren't affected. > Each container is configured to cgroup enforced memory limit in it's > libvirt domain file. > Example: > 4194304 > 2097152 > > Steps to reproduce + observations: > 1) start a container with virsh -c lxc:// container.example.com > 2) virsh -c lxc:// memtune container.example.com > reports a hard_limit of 2097152 > 3) cat > "/sys/fs/cgroup/memory/machine.slice/machine-.scope/memory.limit_in_bytes" > > outputs 2147483648 > 4) nsenter -t -m -u -i -n -p free reports 2097152 kB > 5) ssh container.example.com free reports 9007199254740991 kB > 3) cat > "/sys/fs/cgroup/memory/machine.slice/machine-.scope/memory.limit_in_bytes" > > outputs 9223372036854771712 > 6) nsenter -t -m -u -i -n -p free reports 9007199254740991 kB > 7) virsh -c lxc:// memtune container.example.com > reports a hard_limit of unlimited > > As far as I can tell it seems to be that systemd unsets the cgroup memory > limit when creating the user session. However why it gets set to > 9223372036854771712 instead of the 255G of the host I don't know. I'm confused: Are you saying that systemd inside the guest (i.e. running systemd v232) resets the memory limits on the host (running v215)? -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth? signature.asc Description: OpenPGP digital signature ___ Pkg-systemd-maintainers mailing list Pkg-systemd-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-systemd-maintainers
Bug#890824: Container: unsets cgroup memory limit on user login
Package: systemd Version: 232-25+deb9u1 Severity: important Hi I have an issue with Systemd unsetting the memory limit for my container, whereupon programs like free and htop report having access to 8 exabyte of memory. The setup is the following: Host: Release: Debian jessie Kernel: 4.9.65-3+deb9u2~bpo8+1 (jessie backports) Container provider: libvirt 3.0.0-4~bpo8+1 (jessie backports) Systemd: 215-17+deb8u7 (jessie) cgroup hierarchy: legacy Guest: Release: Debian stretch Systemd: 232-25+deb9u1 (stretch) There are several containers running on the host, but this problem only occurs with all the Debian stretch containers. Containers running Debian jessie or older Ubuntu 12.04 aren't affected. Each container is configured to cgroup enforced memory limit in it's libvirt domain file. Example: 4194304 2097152 Steps to reproduce + observations: 1) start a container with virsh -c lxc:// container.example.com 2) virsh -c lxc:// memtune container.example.com reports a hard_limit of 2097152 3) cat "/sys/fs/cgroup/memory/machine.slice/machine-.scope/memory.limit_in_bytes" outputs 2147483648 4) nsenter -t -m -u -i -n -p free reports 2097152 kB 5) ssh container.example.com free reports 9007199254740991 kB 3) cat "/sys/fs/cgroup/memory/machine.slice/machine-.scope/memory.limit_in_bytes" outputs 9223372036854771712 6) nsenter -t -m -u -i -n -p free reports 9007199254740991 kB 7) virsh -c lxc:// memtune container.example.com reports a hard_limit of unlimited As far as I can tell it seems to be that systemd unsets the cgroup memory limit when creating the user session. However why it gets set to 9223372036854771712 instead of the 255G of the host I don't know. In any case I am looking forward to a better solution than resetting the limits through cron every minute. -- Package-specific info: -- System Information: Debian Release: 9.3 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-0.bpo.5-amd64 (SMP w/32 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages systemd depends on: ii adduser 3.115 ii libacl1 2.2.52-3+b1 ii libapparmor1 2.11.0-3 ii libaudit1 1:2.6.7-2 ii libblkid1 2.29.2-1 ii libc6 2.24-11+deb9u1 ii libcap2 1:2.25-1 ii libcryptsetup4 2:1.7.3-4 ii libgcrypt20 1.7.6-2+deb9u2 ii libgpg-error0 1.26-2 ii libidn11 1.33-1 ii libip4tc0 1.6.0+snapshot20161117-6 ii libkmod2 23-2 ii liblz4-1 0.0~r131-2+b1 ii liblzma5 5.2.2-1.2+b1 ii libmount1 2.29.2-1 ii libpam0g 1.1.8-3.6 ii libseccomp2 2.3.1-2.1 ii libselinux1 2.6-3+b3 ii libsystemd0 232-25+deb9u1 ii mount 2.29.2-1 ii procps 2:3.3.12-3 ii util-linux 2.29.2-1 Versions of packages systemd recommends: ii dbus 1.10.24-0+deb9u1 ii libpam-systemd 232-25+deb9u1 Versions of packages systemd suggests: pn policykit-1 pn systemd-container pn systemd-ui Versions of packages systemd is related to: pn dracut pn initramfs-tools ii udev 232-25+deb9u1 -- no debconf information ___ Pkg-systemd-maintainers mailing list Pkg-systemd-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-systemd-maintainers
