Bug#890824: Container: unsets cgroup memory limit on user login

Maximilian Philipps maximilian.philipps at saltation.com
Mon Feb 19 13:07:37 GMT 2018



On 02/19/2018 01:50 PM, Michael Biebl wrote:
> On 19.02.2018 at 13:09, Maximilian Philipps wrote:
>> Package: systemd
>> Version: 232-25+deb9u1
>> Severity: important
>>
>> Hi
>>
>> I have an issue with Systemd unsetting the memory limit for my container,
>> whereupon programs like free and htop report having access to 8 exabyte
>> of memory.
>>
>> The setup is the following:
>>
>> Host:
>> Release: Debian jessie
>> Kernel: 4.9.65-3+deb9u2~bpo8+1 (jessie backports)
>> Container provider: libvirt 3.0.0-4~bpo8+1 (jessie backports)
>> Systemd: 215-17+deb8u7 (jessie)
>> cgroup hierarchy: legacy
>>
>> Guest:
>> Release: Debian stretch
>> Systemd: 232-25+deb9u1 (stretch)
>>
>> There are several containers running on the host, but this problem only
>> occurs with all the Debian stretch containers. Containers running Debian
>> jessie or older Ubuntu 12.04 aren't affected.
>> Each container is configured with a cgroup-enforced memory limit in its
>> libvirt domain file.
>> Example:
>> <memory unit='KiB'>4194304</memory>
>> <memory unit='KiB'>2097152</memory>
>>
>> Steps to reproduce + observations:
>> 1) start a container with virsh -c lxc:// container.example.com
>> 2) virsh -c lxc:// memtune container.example.com
>>     reports a hard_limit of 2097152
>> 3) cat
>> "/sys/fs/cgroup/memory/machine.slice/machine-<container-name>.scope/memory.limit_in_bytes"
>>
>> outputs 2147483648
>> 4) nsenter -t <pid> -m -u -i -n -p free  reports 2097152 kB
>> 5) ssh container.example.com free  reports 9007199254740991 kB
>> 3) cat
>> "/sys/fs/cgroup/memory/machine.slice/machine-<container-name>.scope/memory.limit_in_bytes"
>>
>> outputs 9223372036854771712
>> 6) nsenter -t <pid> -m -u -i -n -p free  reports 9007199254740991 kB
>> 7) virsh -c lxc:// memtune container.example.com
>>     reports a hard_limit of unlimited
>>
>> As far as I can tell it seems to be that systemd unsets the cgroup memory
>> limit when creating the user session. However why it gets set to
>> 9223372036854771712 instead of the 255G of the host I don't know.
> I'm confused: Are you saying that systemd inside the guest (i.e. running
> systemd v232) resets the memory limits on the host (running v215)?
>
>
No, the host still sees the 255GB. The systemd in the guest resets
the limits for the container when someone logs in.
In terms of the cgroup hierarchy /sys/fs/cgroup/memory/memory.limit_in_bytes
is always 9223372036854771712, which appears to be treated as no
restrictions on the host.
However the memory.limit_in_bytes within the machine scope does change.
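
An added example, not part of the original message or of systemd or libvirt: a host-side check that compares a machine scope's `memory.limit_in_bytes` with the hard limit configured in KiB and lists scopes whose limit has been dropped. It assumes the cgroup v1 layout quoted in the report and that 9223372036854771712 is the value read when no limit is set; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original report): audit cgroup v1 memory limits.
# Assumption: 9223372036854771712 (2^63 - 4096), the value quoted in the
# report, is what memory.limit_in_bytes reads when no limit is set.
NO_LIMIT=9223372036854771712

# check_mem_limit EXPECTED_KIB LIMIT_FILE
# Prints ok | mismatch | unlimited | unreadable; exit status 0 only for ok.
check_mem_limit() {
    expected_bytes=$(( $1 * 1024 ))      # libvirt states the limit in KiB
    [ -r "$2" ] || { echo unreadable; return 3; }
    actual=$(cat "$2")
    case $actual in
        ''|*[!0-9]*) echo unreadable; return 3 ;;
    esac
    if [ "$actual" -ge "$NO_LIMIT" ]; then
        echo unlimited; return 2
    elif [ "$actual" -ne "$expected_bytes" ]; then
        echo mismatch; return 1
    fi
    echo ok
}

# audit_machine_slice [ROOT]
# Prints the name of every machine-*.scope under ROOT whose limit is gone.
audit_machine_slice() {
    root=${1:-/sys/fs/cgroup/memory/machine.slice}
    for f in "$root"/machine-*.scope/memory.limit_in_bytes; do
        [ -r "$f" ] || continue          # also skips an unmatched glob
        if [ "$(cat "$f")" = "$NO_LIMIT" ]; then
            scope=${f%/memory.limit_in_bytes}
            echo "${scope##*/}"
        fi
    done
}

# Run the audit only when a directory is passed on the command line.
if [ "$#" -gt 0 ]; then audit_machine_slice "$1"; fi
```

Run periodically on the host, a non-empty result from `audit_machine_slice` flags containers that are no longer memory-constrained.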



