Bug#890824: Container: unsets cgroup memory limit on user login

[Michael Biebl]

Hi Maximilian,

can you please check, if you can still reproduce the issue on bullseye, 
where cgroupv2, i.e. unified, is the default cgroup hierarchy.

Regards,
Michael

Am 25.10.2019 um 16:35 schrieb Maximilian Philipps:
> hi
> 
> I can now reliably trigger the 8 exabyte issue. When I start a
> libvirt-lxc container, libvirts sets the memory limit.
> 
> This can be seen with:
> 
> cat
> /sys/fs/cgroup/memory/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope/memory.limit_in_bytes
> 
> 2147483648
> 
> If I now call systemctl daemon-reload on the host the memory limit jumps  to
> 
> 9223372036854771712
> 
> I can prevent this with by setting MaxMemory for the scope on the host:
> 
> systemctl set-property --runtime
> "machine-lxc\x2d27166\x2dhost.domain.tld.scope" MemoryMax=2147483648
> 
> I need to know the pid used in the machine name and therefor can really
> only set it at runtime.
> 
> However this isn't enough to prevent the 8 exabyte issue. For some
> reason when I do a systemctl daemon-reload on the host systemd also
> changes cgroup membership of some processes. Prior to reloading there
> were 3 processes directly in the machine-lxc...scope. A
> /usr/lib/libvirt/libvirt_lxc process, the /sbin/init process of the
> container and other process that I can't find in /proc/. Maybe a pid
> from within the container?
> 
> After reloading only the /sbin/init process remains in the scope, the
> libvirt_lxc process gets kicked back to the libvirtd.service cgroup and
> the "ghost" task disappears.
> 
> Befor reload:
> 
> 11:blkio:/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope
> 10:freezer:/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope
> 9:perf_event:/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope
> 8:pids:/system.slice/libvirtd.service
> 7:cpu,cpuacct:/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope
> 6:rdma:/
> 5:devices:/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope
> 4:memory:/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope
> 2:cpuset:/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope
> 1:name=systemd:/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope
> 0::/system.slice/libvirtd.service
> 
> After reload:
> 
> 11:blkio:/system.slice/libvirtd.service
> 10:freezer:/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope
> 9:perf_event:/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope
> 8:pids:/system.slice/libvirtd.service
> 7:cpu,cpuacct:/system.slice/libvirtd.service
> 6:rdma:/
> 5:devices:/system.slice/libvirtd.service
> 4:memory:/system.slice/libvirtd.service
> 3:net_cls,net_prio:/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope
> 2:cpuset:/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope
> 1:name=systemd:/machine.slice/machine-lxc\x2d27166\x2dhost.domain.tld.scope
> 0::/system.slice/libvirtd.service
>