Bandwidth accounting that persists through restarts

I was hoping there would be a way to somehow persist bandwidth accounting between container restarts. I’ve tried looking through the config options but I don’t see anything like it.

If there is no way to achieve this from within LXD is there perhaps a hook-system I could use to trigger certain commands before container stop/restart to store the current bandwidth usage externally?

So one approach would be to create one bridge per group of containers that you want to do accounting on together, then get the packet/byte counts off of that bridge.

I’d also like to point out that a user could likely work around your logic by renaming eth0 in the container and putting a dummy eth0 in its place with no traffic on it. That’s unless your specific logic directly tracks down the host side veth rather than use the statistics visible in the API (which query the container’s network namespace).

The numbers can’t persist as the actual interface is deleted on restarts and we can’t reset/set the value anyway.

Other than the bridge approach I mentioned, I actually can’t think of any way to implement this in a way that can’t be bypassed by root in the container. Even pulling the host side veth counters on container shutdown can be worked around by root in the container by simply deleting their eth0 device prior to reboot/shutdown which then causes the kernel to delete the host side device along with its counters.

Some kind of cgroup could be implemented in the kernel to do such tracking in a way that’s not directly tied to an interface, but it’s not something that’s been done yet nor has it been proposed as far as I can tell.

Thanks for your extensive reply. Luckily the users who will be running processes inside these containers are usually not the most technical and having byte-perfect counting is also not a hard requirement. As long as I can get a rough idea of the usage it should be good enough; it’s mostly to prevent abuse of fair usage resources. If I wanted I could even report strange eth devices inside the containers to make sure nobody is abusing it. I will use the lxc info accounting with some restart detection to ensure I add everything up when needed.
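
The polling-with-restart-detection plan from the last post, as an added example (not code from any poster or from LXD). The function names, the shape of the `ifaces` sample and the use of the container's init PID as the restart signal are assumptions; the caller is expected to fill them from whatever it reads out of the instance state on each poll.

```python
import json, os
from pathlib import Path

COUNTERS = ("bytes_received", "bytes_sent")

def fold_sample(state, name, pid, ifaces, expected=("eth0",)):
    """Fold one poll of a container's counters into persistent totals.

    state  -- dict kept between polls (mutated in place)
    pid    -- host PID of the container's init; a change means it restarted
    ifaces -- {iface: {"bytes_received": int, "bytes_sent": int}} (assumed shape)
    Returns warnings about interfaces that differ from `expected`.
    """
    entry = state.setdefault(
        name, {"pid": pid, "last": {}, "total": dict.fromkeys(COUNTERS, 0)})
    restarted = entry["pid"] != pid
    for iface, now in ifaces.items():
        if iface == "lo":
            continue
        # After a restart every interface is new, even if its counter has
        # already climbed past the value seen on the previous poll.
        prev = None if restarted else entry["last"].get(iface)
        for key in COUNTERS:
            # New interface or a counter that went backwards: it started from
            # zero, so the whole current value is new traffic.
            if prev is None or now[key] < prev[key]:
                entry["total"][key] += now[key]
            else:
                entry["total"][key] += now[key] - prev[key]
    entry["pid"] = pid
    entry["last"] = {i: {k: c[k] for k in COUNTERS} for i, c in ifaces.items()}
    seen = set(ifaces) - {"lo"}
    warnings = [f"{name}: unexpected interface {i}" for i in sorted(seen - set(expected))]
    warnings += [f"{name}: expected interface {i} missing" for i in sorted(set(expected) - seen)]
    return warnings

def load_state(path):
    """Return the saved totals, or an empty dict on first run."""
    path = Path(path)
    return json.loads(path.read_text()) if path.exists() else {}

def save_state(path, state):
    # Write-then-rename so a crash mid-write never leaves a truncated file.
    tmp = Path(str(path) + ".tmp")
    tmp.write_text(json.dumps(state))
    os.replace(tmp, path)
```

Traffic between the last poll and a restart is lost, so the totals are a lower bound whose error shrinks with the polling interval. The interface warnings only surface the rename trick described earlier in the thread; they do not stop it.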