Limitations not applied inside of containers

Hi there,

Maybe this is not an LXC issue directly…

I’m using Debian 11 Bullseye (this is still a testing release), which uses LXC 4 (4.0.6) and kernel 5.10.0. The system is a simple default installation.

I’ve created a container with these (relevant) settings:

lxc.cgroup.cpuset.cpus = 0-3
lxc.cgroup.memory.soft_limit_in_bytes = 4294967296
lxc.cgroup.memory.limit_in_bytes = 4294967296

The physical machine has 8 CPUs and 16 GB RAM.

But when I started the container and checked the limitations, I realized those are not applied:

# cat /proc/cpuinfo
processor	: 0
....
processor	: 7

(as you can see, all 8 CPUs are visible)

# free
               total        used        free      shared  buff/cache   available
Mem:        16341404       86856    16210724           0       43824    16254548
Swap:              0           0           0

Well, this is the total amount of memory.

This is the output of lxc-checkconfig:

Cgroup v1 systemd controller: missing
Cgroup v1 freezer controller: missing
Cgroup namespace: required

Maybe this is the problem? If not, what could it be?

Thanks for your help,

a.

It’s quite possible that this Debian release is using cgroup2 in which case you’re going to have to use lxc.cgroup2 config keys (some of the key names will differ too).

First, thanks for quick reply.

You mean these:

lxc.cgroup2.cpuset.cpus = 0-3
lxc.cgroup2.memory.soft_limit_in_bytes = 4294967296
lxc.cgroup2.memory.limit_in_bytes = 4294967296

With these parameters the container can’t start:

WARN     cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2852 - Invalid argument - Ignoring legacy cgroup limits on pure cgroup2 system
ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits:2951 - No such file or directory - Failed to set "memory.soft_limit_in_bytes" to "4294967296"

Any idea?

Edit: this is what I see in the “old” (Debian 10) systems:

# mount | grep cgroup
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup2 on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,name=systemd)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/rdma type cgroup (rw,nosuid,nodev,noexec,relatime,rdma)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset,clone_children)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)

and this is the output on Debian 11:

# mount | grep cgroup
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime)

Edit2: also note that I can set the limit on CPUs with this command:

lxc-cgroup -n mycontainer cpuset.cpus 0-3

But only the CPUs, and only after the container has started.

As I said earlier, config keys under cgroup2 may have different names than under cgroup1.

I don’t have access to a cgroup2 system right now, so I can’t easily check, but lxc.cgroup and lxc.cgroup2 are just thin wrappers around the filesystem; the key names are derived from what’s available within /sys/fs/cgroup/…

For soft memory limits, I believe it’s something like cgroup2.memory.low whereas the hard limit would be cgroup2.memory.max.

Hi @stgraber,

many thanks again - the cgroup2.memory.max solved the memory issue.

I think I’m going to review the cgroup2 keys.

Thanks,

a.

Just for the record: these keywords set the necessary parameters:

lxc.cgroup2.memory.max = 4G
lxc.cgroup2.memory.high = 4G
lxc.cgroup2.cpuset.cpus = 0-3

I have to find the blkio.throttle.(read|write)_bps_device equivalent parameter.

Just for the record, this line sets the limit for the I/O:

lxc.cgroup2.io.max="8:0 rbps=67108864 wbps=67108864"
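
The key renames worked out in this thread, collected into a small config translator. This is an added example, not part of any post above and not LXC's own code; the function names are hypothetical. It assumes the cgroup v1 throttle value format "MAJ:MIN bytes" and follows the final working config in mapping the soft limit to memory.high (the thread also suggests memory.low).

```python
import re

# Renames taken from the thread. memory.high follows the poster's final
# working config (assumption); the thread also mentions memory.low.
RENAMES = {
    "cpuset.cpus": "cpuset.cpus",
    "memory.limit_in_bytes": "memory.max",
    "memory.soft_limit_in_bytes": "memory.high",
}
# The two v1 throttle keys fold into a single v2 io.max line per device.
IO_FIELDS = {
    "blkio.throttle.read_bps_device": "rbps",
    "blkio.throttle.write_bps_device": "wbps",
}
KEY_RE = re.compile(r"^\s*lxc\.cgroup\.([\w.]+)\s*=\s*(.*?)\s*$")

def is_pure_cgroup2(mount_output):
    """True when `mount | grep cgroup` output shows only cgroup2 mounts."""
    types = [m.group(1) for m in re.finditer(r" type (cgroup2?) ", mount_output)]
    return bool(types) and all(t == "cgroup2" for t in types)

def translate(config_text):
    """Return (new_lines, unmapped_keys) for a config using lxc.cgroup.* keys."""
    out, unmapped, io = [], [], {}
    for line in config_text.splitlines():
        m = KEY_RE.match(line)
        if not m:
            out.append(line)  # comments, blanks, lxc.cgroup2.* and other keys
            continue
        key, value = m.groups()
        if key in RENAMES:
            out.append(f"lxc.cgroup2.{RENAMES[key]} = {value}")
        elif key in IO_FIELDS:
            dev, limit = value.strip('"').split()  # assumed "MAJ:MIN bytes"
            io.setdefault(dev, []).append(f"{IO_FIELDS[key]}={limit}")
        else:
            unmapped.append(key)  # no rename known here; check /sys/fs/cgroup
            out.append("# UNMAPPED: " + line.strip())
    for dev, fields in io.items():
        out.append(f'lxc.cgroup2.io.max = "{dev} {" ".join(fields)}"')
    return out, unmapped

if __name__ == "__main__":
    # Constructed sample based on the legacy keys in the first post.
    sample = "lxc.cgroup.cpuset.cpus = 0-3\nlxc.cgroup.memory.limit_in_bytes = 4294967296"
    print("\n".join(translate(sample)[0]))
```

On a pure cgroup2 host the legacy keys are skipped with only a WARN line, so any key reported as unmapped corresponds to a limit that is not being enforced until it is rewritten by hand.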