Limiting the system resources inside the unprivileged container

```
appfw@topas-dev:~$ cat /proc/self/cgroup
12:perf_event:/
11:rdma:/
10:hugetlb:/
9:freezer:/user/appfw/0
8:net_cls,net_prio:/
7:memory:/user/appfw/0
6:blkio:/user.slice
5:cpuset:/user/appfw/0
4:devices:/user/appfw/0
3:pids:/user.slice/user-1001.slice/session-3.scope
2:cpu,cpuacct:/user/appfw/0
1:name=systemd:/user/appfw/0
0::/user.slice/user-1001.slice/session-3.scope
```

appfw is my unprivileged user.

**lxc.cgroup.devices.allow**
lxc.cgroup.cpuset.cpu doesn't work

Error:
```
lxc-start app 20210728102314.367 ERROR lxc_cgfsng - cgroups/cgfsng.c:cg_legacy_set_data:2199 - Failed to setup limits for the "cpuset" controller. The controller seems to be unused by "cgfsng" cgroup driver or not enabled on the cgroup hierarchy
lxc-start app 20210728102314.367 WARN lxc_cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2236 - Failed to set "cpuset.cpus" to "0"
lxc-start app 20210728102314.367 ERROR lxc_start - start.c:lxc_spawn:1676 - Failed to setup cgroup limits for container "app"
```

@stgraber, could you please advise on this topic?

Have you tried enabling the security.nesting option for your container? It's one of the purposes of this option, especially for nested containers such as Docker (it manipulates cgroups for setting up containers).

Thank you for your input…
Restarting the Linux machine after providing write permission to the user for cgroups worked.
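
A diagnostic for the situation in this thread, added here as an example and not posted by anyone in the thread: it maps each `lxc.cgroup.*` key to its cgroup v1 controller, finds the user's cgroup for that controller in `/proc/self/cgroup`, and reports whether that directory is writable. It assumes the usual systemd layout under `/sys/fs/cgroup`; the function names and report strings are hypothetical, and treating a `/` path as "not delegated" is a heuristic.

```python
import os

CGROUP_ROOT = "/sys/fs/cgroup"  # assumption: usual systemd cgroup v1 mount point
# Sample input: excerpt of the /proc/self/cgroup listing from the first post.
SAMPLE = """\
10:hugetlb:/
5:cpuset:/user/appfw/0
4:devices:/user/appfw/0
2:cpu,cpuacct:/user/appfw/0
1:name=systemd:/user/appfw/0
0::/user.slice/user-1001.slice/session-3.scope
"""

def parse_proc_cgroup(text):
    """Map each v1 controller name to (hierarchy directory name, cgroup path)."""
    table = {}
    for line in filter(None, text.splitlines()):
        _hid, controllers, path = line.split(":", 2)
        if not controllers:  # "0::..." is the cgroup v2 entry, not a v1 controller
            continue
        for name in controllers.split(","):
            table[name] = (controllers.replace("name=", ""), path)
    return table

def controller_of(key):
    """'lxc.cgroup.cpuset.cpus' -> 'cpuset' (legacy v1 keys only)."""
    prefix = "lxc.cgroup."
    if not key.startswith(prefix):
        raise ValueError("not an lxc.cgroup.* key: " + key)
    return key[len(prefix):].split(".", 1)[0]

def check_keys(keys, proc_text, writable=lambda p: os.access(p, os.W_OK)):
    """Report, per config key, whether its controller's cgroup can be written."""
    table, report = parse_proc_cgroup(proc_text), {}
    for key in keys:
        ctrl = controller_of(key)
        if ctrl not in table:
            report[key] = "controller not listed"
            continue
        mount, path = table[ctrl]
        full = os.path.join(CGROUP_ROOT, mount, path.lstrip("/"))
        if path == "/":
            report[key] = "root cgroup, not delegated"
        elif writable(full):
            report[key] = "ok: " + full
        else:
            report[key] = "not writable: " + full
    return report

if __name__ == "__main__":
    for k, v in check_keys(["lxc.cgroup.cpuset.cpus", "lxc.cgroup.devices.allow"], SAMPLE).items():
        print(k, "->", v)
```

On a live host, pass the contents of `/proc/self/cgroup` read as the unprivileged user instead of `SAMPLE`.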