Bug#890824: Container: unsets cgroup memory limit on user login

Maximilian Philipps maximilian.philipps at saltation.com
Mon Feb 19 13:12:10 GMT 2018

On 02/19/2018 02:07 PM, Maximilian Philipps wrote:
>
>
> On 02/19/2018 01:50 PM, Michael Biebl wrote:
>> On 19.02.2018 at 13:09, Maximilian Philipps wrote:
>>> Package: systemd
>>> Version: 232-25+deb9u1
>>> Severity: important
>>>
>>> Hi
>>>
>>> I have an issue with systemd unsetting the memory limit for my container,
>>> whereupon programs like free and htop report having access to 8 exabytes
>>> of memory.
>>>
>>> The setup is the following:
>>>
>>> Host:
>>> Release: Debian jessie
>>> Kernel: 4.9.65-3+deb9u2~bpo8+1 (jessie backports)
>>> Container provider: libvirt 3.0.0-4~bpo8+1 (jessie backports)
>>> Systemd: 215-17+deb8u7 (jessie)
>>> cgroup hierarchy: legacy
>>>
>>> Guest:
>>> Release: Debian stretch
>>> Systemd: 232-25+deb9u1 (stretch)
>>>
>>> There are several containers running on the host, but this problem only
>>> occurs with all the Debian stretch containers. Containers running Debian
>>> jessie or older Ubuntu 12.04 aren't affected.
>>> Each container is configured with a cgroup-enforced memory limit in its
>>> libvirt domain file.
>>> Example:
>>> <memory unit='KiB'>4194304</memory>
>>> <memory unit='KiB'>2097152</memory>
>>>
>>> Steps to reproduce + observations:
>>> 1) start a container with virsh -c lxc:// container.example.com
>>> 2) virsh -c lxc:// memtune container.example.com
>>>     reports a hard_limit of 2097152
>>> 3) cat "/sys/fs/cgroup/memory/machine.slice/machine-<container-name>.scope/memory.limit_in_bytes"
>>>     outputs 2147483648
>>> 4) nsenter -t <pid> -m -u -i -n -p free  reports 2097152 kB
>>> 5) ssh container.example.com free  reports 9007199254740991 kB
>>> 3) cat "/sys/fs/cgroup/memory/machine.slice/machine-<container-name>.scope/memory.limit_in_bytes"
>>>     outputs 9223372036854771712
>>> 6) nsenter -t <pid> -m -u -i -n -p free  reports 9007199254740991 kB
>>> 7) virsh -c lxc:// memtune container.example.com
>>>     reports a hard_limit of unlimited
>>>
>>> As far as I can tell, it seems that systemd unsets the cgroup memory
>>> limit when creating the user session. However, why it gets set to
>>> 9223372036854771712 instead of the 255G of the host I don't know.
>> I'm confused: Are you saying that systemd inside the guest (i.e. running
>> systemd v232) resets the memory limits on the host (running v215)?
>>
>>
> No, the host still sees the 255GB. The systemd in the guest resets
> the limits for the container when someone logs in.
> In terms of the cgroup hierarchy, /sys/fs/cgroup/memory/memory.limit_in_bytes
> is always 9223372036854771712, which appears to be treated as no
> restrictions on the host.
> However, the memory.limit_in_bytes within the machine scope does change.
On second thought, maybe you assumed that the cgroup namespace is
unshared?
This is not the case: cgroup namespaces are fairly new and, as far as I
know, not supported by libvirt-lxc.
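A small check for the condition described in this report, added here as an example (it is not code from the bug report, systemd or libvirt): it reads a machine scope's legacy cgroup v1 memory.limit_in_bytes and tells whether it still matches the hard_limit libvirt configured (in KiB, as memtune prints it) or has been reset to the kernel's "no limit" value quoted above. The mount point, scope naming and the sentinel value are assumptions taken from the paths and numbers in the report.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes the cgroup v1 memory
# controller is mounted at $CGROUP_MEM_ROOT and libvirt names scopes
# machine-<container>.scope under machine.slice, as in the report.
CGROUP_MEM_ROOT="${CGROUP_MEM_ROOT:-/sys/fs/cgroup/memory}"
# Value memory.limit_in_bytes shows once no limit is set (from the report).
UNLIMITED_BYTES=9223372036854771712

# limit_status FILE EXPECTED_KIB
# Prints one of: ok | unlimited | mismatch:<bytes> | unreadable
# Exit status: 0 ok, 1 unlimited, 2 mismatch, 3 unreadable.
limit_status() {
    file="$1"
    expected_bytes=$(( $2 * 1024 ))   # memtune reports KiB, the cgroup file bytes
    if [ ! -r "$file" ]; then
        echo unreadable
        return 3
    fi
    actual=$(cat "$file")
    # String comparison on purpose: the sentinel exceeds 32-bit test ranges.
    if [ "$actual" = "$UNLIMITED_BYTES" ]; then
        echo unlimited
        return 1
    fi
    if [ "$actual" != "$expected_bytes" ]; then
        echo "mismatch:$actual"
        return 2
    fi
    echo ok
    return 0
}

# scope_status CONTAINER EXPECTED_KIB: same check for libvirt's machine scope.
scope_status() {
    limit_status \
        "$CGROUP_MEM_ROOT/machine.slice/machine-$1.scope/memory.limit_in_bytes" "$2"
}

# Usage: ./cgroup_limit_check.sh container.example.com 2097152
if [ $# -eq 2 ]; then
    scope_status "$1" "$2"
fi
```

Running it before and after an ssh login to the container, as in steps 3 and 5 of the report, turns the "ok" to "unlimited" if the scope's limit has been dropped.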