[lxc-devel] Memory Resources

Daniel Lezcano daniel.lezcano at free.fr
Mon Aug 31 07:41:56 PDT 2009 

Serge E. Hallyn wrote:
> Quoting Daniel Lezcano (daniel.lezcano at free.fr):
>   
>> Krzysztof Taraszka wrote:
>>     
>>> Okey.
>>> I made few tests and this two ways work:
>>>
>>> First way:
>>> =======
>>> lxc. smack enabled, policy loaded. cgroup not labeled.
>>>
>>> a) start container
>>> b) mount cgroup inside container
>>> c) mount --bind /cgroup/foo/memory.meminfo /proc/meminfo
>>> d) secure the /cgroup on the host (ie: attr -S -s SMACK64 -V host /cgroup).
>>>
>>> this step can be done inside lxc tools ;)
>>>
>>> Second way:
>>> ==========
>>> lxc. smack enabled, policy loaded. cgroup not labeled.
>>>
>>> a) do not label whole /cgrop directory (DO NOT DO: attr -S -s SMACK64 -V
>>> host /cgroup). Label dedicate files only (for example: /cgroup/cpuset.cpus,
>>> /cgroup/vs1/cpuset.cpus, etc). Do not label the /cgrop/vs1 directory. Label
>>> with vs1 label only /cgroup/vs1/memory.meminfo. All other files label with
>>> host label to do not allow read them.
>>> b) start container
>>> c) mount cgroup inside container
>>> d) mount --bind /cgroup/foo/memory.meminfo /proc/meminfo
>>>
>>> steps: b, c, d can be done inside lxc tools. step a can't and it is base on
>>> the admin policy.
>>>
>>> I think that the first solution is more automatic and can be done by lxc
>>> tools (maybe command line switch? I can prepare a patch for that.
>>>   
>>>       
>> I do not know smack, what does smack here ? Will this solution avoid the 
>> container to overwrite /proc/meminfo by remounting /proc ?
>>     
>
> Right, in the first way he is labeling the whole cgroupfs with a label
> which prevents the container from mounting it.  In the second way,
> the specific files are labeled.
>   

Ah, got it ! :)

The idea of Kamezawa-san to use a fuse proc is maybe a good idea in this 
case. So we can address the entire /proc specific informations. For 
example, like the /proc/meminfo, there is the /proc/cpuinfo. If you 
restrict the usage to a subset of your cpus with cpuset and you look at 
/proc/cpuinfo, you see all the cpus; it is not a big problem until a 
computation application looks at this file and choose to fork(n cpus) 
and set the affinity of each process to each cpu ... AFAIR, this is the 
case for HPC applications.

More information about the Containers mailing list