LXC unprivileged containers resource limit issues

Hey,

I recently started using LXC with unprivileged containers on Ubuntu 20.04.
But I ran into problems with resource limits via cgroup.

lxc-start container 20200427171713.527 ERROR    cgfsng - cgroups/cgfsng.c:cg_legacy_set_data:2687 - No such file or directory - Failed to setup limits for the "cpuset" controller. The controller seems to be unused by "cgfsng" cgroup driver or not enabled on the cgroup hierarchy
lxc-start container 20200427171713.527 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2731 - No such file or directory - Failed to set "cpuset.cpus" to "1"

The memory limit “works” but it can be exceeded anytime; the cpus limitation does not work and it runs into a fatal error.

Anyone got an idea on this?

@brauner

Your cpuset cgroup isn’t writable for fully unprivileged containers. By default Ubuntu only enables freezer, memory, and name=systemd controllers. You can change that setting by editing:

/etc/pam.d/common-session
/etc/pam.d/common-session-noninteractive

and appending cpuset to the comma-separated controller list on the pam_cgfs.so line.
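
A read-only check of the pam_cgfs.so controller list described in the answer above, as an added example that is not part of the original thread or of LXC itself. The `session optional pam_cgfs.so -c …` line format and the function names are assumptions, and the sample line is constructed.

```shell
#!/bin/sh
# Added example: inspect the pam_cgfs.so controller list in a PAM session file.
# Assumed line format: "session optional pam_cgfs.so -c ctrl1,ctrl2,...".

# Print the comma-separated controller list from the active pam_cgfs.so line.
cgfs_controllers() {
    awk '!/^[ \t]*#/ && /pam_cgfs\.so/ {
        for (i = 1; i < NF; i++) if ($i == "-c") { print $(i + 1); exit }
    }' "$1"
}

# Return 0 if controller $2 is in the list found in file $1, else 1.
cgfs_has_controller() {
    case ",$(cgfs_controllers "$1")," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print file $1 with controller $2 appended to the list. Nothing is edited
# in place, so the result can be diffed against the live file first.
cgfs_with_controller() {
    if cgfs_has_controller "$1" "$2"; then cat "$1"; return; fi
    awk -v add="$2" '!/^[ \t]*#/ && /pam_cgfs\.so/ {
        sub(/[ \t]-c[ \t]+[^ \t]+/, "&," add)
    }
    { print }' "$1"
}

# Constructed sample using the default controllers named in the thread.
sample=$(mktemp)
printf '%s\n' '# constructed sample, not a real system file' \
    'session optional pam_cgfs.so -c freezer,memory,name=systemd' > "$sample"
for ctrl in memory cpuset; do
    if cgfs_has_controller "$sample" "$ctrl"; then
        echo "$ctrl: delegated"
    else
        echo "$ctrl: not delegated, limits on it will fail"
    fi
done
cgfs_with_controller "$sample" cpuset | grep 'pam_cgfs\.so'
rm -f "$sample"
```

Because pam_cgfs.so runs when a session is opened, a changed controller list only applies to sessions started afterwards.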

@brauner thanks for the response.
But how is it possible that I set a memory limit and it gets exceeded? Maybe there is also a different problem?

Anyway, I will try what you said and let you know when it works.

Can you show how you exceed it? I.e. what limit do you set and how do you determine it is exceeded?

@brauner I am switching the stuff to LXD now, so should be solved.