Bug#890824: Container: unsets cgroup memory limit on user login

Maximilian Philipps maximilian.philipps at saltation.com
Fri Oct 25 15:35:02 BST 2019 

hi

I can now reliably trigger the 8 exabyte issue. When I start a
libvirt-lxc container, libvirts sets the memory limit.

This can be seen with:

cat
/sys/fs/cgroup/memory/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope/memory.limit_in_bytes

2147483648

If I now call systemctl daemon-reload on the host the memory limit jumpsĀ  to

9223372036854771712

I can prevent this with by setting MaxMemory for the scope on the host:

systemctl set-property --runtime
"machine-lxc\x2d27166\x2dhost.domain.tld.scope" MemoryMax=2147483648

I need to know the pid used in the machine name and therefor can really
only set it at runtime.

However this isn't enough to prevent the 8 exabyte issue. For some
reason when I do a systemctl daemon-reload on the host systemd also
changes cgroup membership of some processes. Prior to reloading there
were 3 processes directly in the machine-lxc...scope. A
/usr/lib/libvirt/libvirt_lxc process, the /sbin/init process of the
container and other process that I can't find in /proc/. Maybe a pid
from within the container?

After reloading only the /sbin/init process remains in the scope, the
libvirt_lxc process gets kicked back to the libvirtd.service cgroup and
the "ghost" task disappears.

Befor reload:

11:blkio:/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope
10:freezer:/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope
9:perf_event:/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope
8:pids:/system.slice/libvirtd.service
7:cpu,cpuacct:/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope
6:rdma:/
5:devices:/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope
4:memory:/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope
2:cpuset:/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope
1:name=systemd:/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope
0::/system.slice/libvirtd.service

After reload:

11:blkio:/system.slice/libvirtd.service
10:freezer:/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope
9:perf_event:/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope
8:pids:/system.slice/libvirtd.service
7:cpu,cpuacct:/system.slice/libvirtd.service
6:rdma:/
5:devices:/system.slice/libvirtd.service
4:memory:/system.slice/libvirtd.service
3:net_cls,net_prio:/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope
2:cpuset:/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope
1:name=systemd:/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope
0::/system.slice/libvirtd.service

More information about the Pkg-systemd-maintainers mailing list