[Pkg-libvirt-maintainers] Bug#905350: libvirt-daemon: LXC Memory limit doesn't work

m.raps m.raps at rapsplace.de
Fri Aug 3 13:57:44 BST 2018


Package: libvirt-daemon
Version: 3.0.0-4+deb9u3
Severity: normal

Dear Maintainer,

If you want to limit the memory of an LXC container via libvirt,
the limit is not enforced.

The container can see and allocate the full host memory.



# Steps to reproduce.

# Install Debian Stretch minimal

# Install basic libvirt with kvm and lxc support
apt install qemu-kvm libvirt-clients libvirt-daemon-system virtinst libosinfo-bin debootstrap lxcfs


# create root fs for the container

mkdir -p /var/lxc/
cd /var/lxc/
debootstrap --arch=amd64 stretch ct1

# define the container in virsh, which has lower memory than your host
cd ~

echo "<domain type='lxc'>
  <name>ct1</name>
  <uuid>b1981e50-3bbc-40bf-b145-4a50e927eb7d</uuid>
  <memory unit='KiB'>4000000</memory>
  <currentMemory unit='KiB'>4000000</currentMemory>
  <memtune>
    <swap_hard_limit unit='KiB'>4000000</swap_hard_limit>
  </memtune>
  <vcpu placement='static' cpuset='0-1'>2</vcpu>
  <resource>
    <partition>/machine</partition>
  </resource>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/sbin/init</init>
  </os>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/lib/libvirt/libvirt_lxc</emulator>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/var/lxc/ct1'/>
      <target dir='/'/>
    </filesystem>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/var/lib/lxcfs/proc/cpuinfo'/>
      <target dir='/proc/cpuinfo'/>
    </filesystem>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/var/lib/lxcfs/proc/diskstats'/>
      <target dir='/proc/diskstats'/>
    </filesystem>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/var/lib/lxcfs/proc/meminfo'/>
      <target dir='/proc/meminfo'/>
    </filesystem>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/var/lib/lxcfs/proc/stat'/>
      <target dir='/proc/stat'/>
    </filesystem>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/var/lib/lxcfs/proc/swaps'/>
      <target dir='/proc/swaps'/>
    </filesystem>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/var/lib/lxcfs/proc/uptime'/>
      <target dir='/proc/uptime'/>
    </filesystem>
    <interface type='bridge'>
      <mac address='52:54:00:34:28:f3'/>
      <source bridge='br0'/>
      <guest dev='eth0'/>
    </interface>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
  <seclabel type='none' model='none'/>
</domain>" > ct1.xml

virsh -c lxc:// define ct1.xml

# start up
virsh -c lxc:// start ct1

# go in
virsh -c lxc:// console ct1

# check the memory
free -m   # shows more than defined in the XML



So far I see that the processes the container spawns (everything that comes after init) are leaving/bypassing the cgroup/namespace,
but I haven't found a way to prevent this. So I think it's a bug.


-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-7-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libvirt-daemon depends on:
ii  libapparmor1        2.11.0-3+deb9u2
ii  libaudit1           1:2.6.7-2
ii  libavahi-client3    0.6.32-2
ii  libavahi-common3    0.6.32-2
ii  libblkid1           2.29.2-1+deb9u1
ii  libc6               2.24-11+deb9u3
ii  libcap-ng0          0.7.7-3+b1
ii  libdbus-1-3         1.10.26-0+deb9u1
ii  libdevmapper1.02.1  2:1.02.137-2
ii  libfuse2            2.9.7-1+deb9u1
ii  libgnutls30         3.5.8-5+deb9u3
ii  libnetcf1           1:0.2.8-1+b2
ii  libnl-3-200         3.2.27-2
ii  libnl-route-3-200   3.2.27-2
ii  libnuma1            2.0.11-2.1
ii  libparted2          3.2-17
ii  libpcap0.8          1.8.1-3
ii  libpciaccess0       0.13.4-1+b2
ii  librados2           10.2.5-7.2
ii  librbd1             10.2.5-7.2
ii  libsasl2-2          2.1.27~101-g0780600+dfsg-3
ii  libselinux1         2.6-3+b3
ii  libssh2-1           1.7.0-1
ii  libudev1            232-25+deb9u4
ii  libvirt0            3.0.0-4+deb9u3
ii  libxen-4.8          4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9
ii  libxenstore3.0      4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9
ii  libxml2             2.9.4+dfsg1-2.2+deb9u2
ii  libyajl2            2.1.0-2+b3

Versions of packages libvirt-daemon recommends:
ii  libxml2-utils   2.9.4+dfsg1-2.2+deb9u2
ii  netcat-openbsd  1.130-3
ii  qemu-kvm        1:2.8+dfsg-6+deb9u4

Versions of packages libvirt-daemon suggests:
ii  libvirt-daemon-system  3.0.0-4+deb9u3
pn  numad                  <none>

-- no debconf information
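
Added example, not part of the original report: a host-side check of whether a process is still accounted to the container's memory cgroup and whether that cgroup's limit matches the `<memory>` value from the domain XML. It assumes the cgroup v1 layout; the cgroup paths, pids and fixture files are constructed for illustration, and `check_pid`, `memcg_path` and `make_fixture` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: host-side check that a container process is held by the
# container's memory cgroup (cgroup v1 layout, as on the 4.9 kernel above).
PROC=${PROC:-/proc}
CGMEM=${CGMEM:-/sys/fs/cgroup/memory}   # assumed v1 memory controller mount

# Memory-controller path of a pid; v1 line format is "ID:controllers:path".
memcg_path() {
    awk -F: '$2 ~ /(^|,)memory(,|$)/ { sub(/^[^:]*:[^:]*:/, ""); print; exit }' \
        "$PROC/$1/cgroup"
}

# check_pid PID CONTAINER_CGROUP MEMORY_KIB
# prints: gone | escaped | too-high | enforced
check_pid() {
    [ -r "$PROC/$1/cgroup" ] || { echo gone; return 0; }
    path=$(memcg_path "$1") || path=
    case "$path" in
        "$2"|"$2"/*) ;;                       # inside the container's cgroup
        *) echo escaped; return 0 ;;          # accounted somewhere else
    esac
    limit=$(cat "$CGMEM$2/memory.limit_in_bytes" 2>/dev/null) || limit=
    if [ -n "$limit" ] && [ "$limit" -le $(( $3 * 1024 )) ]; then
        echo enforced
    else
        echo too-high                         # no limit file, or limit above XML
    fi
}

# Constructed fixture (not taken from the reporter's host): three pids, two cgroups.
make_fixture() {
    FIX=$(mktemp -d) && PROC=$FIX/proc && CGMEM=$FIX/cg
    CT1=/machine/ct1.libvirt-lxc; CT2=/machine/ct2.libvirt-lxc   # hypothetical
    mkdir -p "$PROC/100" "$PROC/101" "$PROC/200" "$CGMEM$CT1" "$CGMEM$CT2"
    printf '3:cpu,cpuacct:%s\n5:memory:%s\n' "$CT1" "$CT1" > "$PROC/100/cgroup"
    printf '3:cpu,cpuacct:%s\n5:memory:/\n' "$CT1"         > "$PROC/101/cgroup"
    printf '5:memory:%s\n' "$CT2"                          > "$PROC/200/cgroup"
    echo 4096000000          > "$CGMEM$CT1/memory.limit_in_bytes"  # 4000000 KiB
    echo 9223372036854771712 > "$CGMEM$CT2/memory.limit_in_bytes"  # v1 "unlimited"
}

make_fixture
for p in 100 101; do echo "pid $p: $(check_pid "$p" "$CT1" 4000000)"; done
echo "pid 200: $(check_pid 200 "$CT2" 4000000)"
rm -rf "$FIX"
```

On a real host, leave `PROC` and `CGMEM` at their defaults and pass the pid of a process started inside the container together with the cgroup path shown for the container's init in `/proc/<init-pid>/cgroup`.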


