I submitted a patch set a few days ago, but I haven't received any feedback yet.
The reason for this patch is that when "lxc-attach" is used to enter the namespaces of
a container, the "lxc-attach" process and its child processes are not added to
the cgroup tasks files of the container.
That means the cgroup-based restrictions are not applied to these
processes!
I think that should be fixed. The patches are again attached to this mail.
It can be reproduced by starting a container, attaching to it and executing a
command like "top" inside. Execute "ps -ejH" from the outside and identify the
pids of "lxc-attach" and "top".
Then look at the tasks file of the container's cgroup and search for the pids of the
"lxc-attach" and "top" processes. They will not be there.
I demonstrate this with two examples.
First example, running a process via lxc-attach without the patch:
1373 1373 1373 ? 00:00:00 sshd
1496 1496 1496 ? 00:00:00 sshd
1568 1568 1568 pts/0 00:00:00 bash
1769 1769 1568 pts/0 00:00:00 lxc-attach
1770 1770 1568 pts/0 00:00:00 bash
1780 1780 1568 pts/0 00:00:00 top
1781 1781 1781 ? 00:00:00 sshd
1852 1852 1852 pts/6 00:00:00 bash
1910 1910 1852 pts/6 00:00:00 ps
1389 1308 1308 ? 00:00:00 gvfsd
1402 863 863 ? 00:00:00 upowerd
1406 1406 1406 ? 00:00:00 pulseaudio
1489 1406 1406 ? 00:00:00 gconf-helper
1408 863 863 ? 00:00:00 rtkit-daemon
1686 1686 1686 ? 00:00:00 lxc-start
1688 1688 1688 ? 00:00:00 init
cat /cgroup/lxc_tty1/tasks
1688
1731
1736
Now run it after patching:
1373 1373 1373 ? 00:00:00 sshd
1496 1496 1496 ? 00:00:00 sshd
1568 1568 1568 pts/0 00:00:00 bash
5576 5576 1568 pts/0 00:00:00 lxc-attach
5577 5577 1568 pts/0 00:00:00 bash
5587 5587 1568 pts/0 00:00:00 top
1781 1781 1781 ? 00:00:00 sshd
1852 1852 1852 pts/6 00:00:00 bash
5588 5588 1852 pts/6 00:00:00 ps
1389 1308 1308 ? 00:00:00 gvfsd
1402 863 863 ? 00:00:00 upowerd
1406 1406 1406 ? 00:00:00 pulseaudio
1489 1406 1406 ? 00:00:00 gconf-helper
1408 863 863 ? 00:00:00 rtkit-daemon
5496 5496 5496 ? 00:00:00 lxc-start
5499 5499 5499 ? 00:00:00 init
cat /cgroup/lxc_tty1/tasks
5499
5541
5545
5576
5577
5587
The second example demonstrates that the cgroup restriction does not take effect
without the patch.
In the configuration of a container I set "lxc.cgroup.cpuset.cpus = 0", then I
test it by launching cpuburn twice; here are the results:
Without the patch:
ps -aux | grep burn
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 14818 100 0.0 148 4 pts/1 R 18:02 0:28 burnP6
root 14819 100 0.0 148 4 pts/1 R+ 18:02 0:26 burnP6
With the patch:
lxc.cgroup.cpuset.cpus = 0
ps -aux | grep burn
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 19223 52.7 0.0 148 4 pts/1 R 18:05 0:19 burnP6
root 19224 49.9 0.0 148 4 pts/1 R+ 18:05 0:17 burnP6
Background:
I'm using "lxc-attach" via PAM to log a user into an ad-hoc created container,
both console-based and graphical. We intend to make the source code publicly
available in the near future.
Axel Schöner
diff --git a/src/lxc/namespace.c b/src/lxc/namespace.c
index aca29d4..86d1e53 100644
--- a/src/lxc/namespace.c
+++ b/src/lxc/namespace.c
@@ -82,7 +82,7 @@ pid_t lxc_clone(int (*fn)(void *), void *arg, int flags)
return ret;
}
-int lxc_attach(pid_t pid)
+int lxc_attach(pid_t pid, const char* cgname)
{
char path[MAXPATHLEN];
char *ns[] = { "pid", "mnt", "net", "ipc", "uts" };
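Review bot: The new parameter is written `const char* cgname`, binding the `*` to the type, while the surrounding declarations in this file bind it to the name (`char *ns[]`, `void *arg` in the hunk header); for consistency the signature should read `int lxc_attach(pid_t pid, const char *cgname)`, and the same applies to the prototype in namespace.h. The body of lxc_attach continues past the end of this hunk.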
@@ -104,6 +104,13 @@ int lxc_attach(pid_t pid)
return -1;
}
}
+ pid_t cpid = getpid();
+
+ /* Let's add the pid to the 'tasks' file */
+ if (lxc_cgroup_append_task(cgname, cpid)) {
+ SYSERROR("failed to attach pid '%d' to '%s'", cpid, cgname);
+ return -1;
+ }
for (i = 0; i < size; i++) {
if (setns(fd[i], 0)) {
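Review bot: The added `return -1` after the failed lxc_cgroup_append_task() call leaves the function before the `setns` loop, so if `fd[]` holds the namespace descriptors opened earlier in lxc_attach (that code is above the hunk and not visible here) they are leaked on this path; a `for (i = 0; i < size; i++) close(fd[i]);` before the return, or a shared cleanup label, would fix that. Ordering is also worth a comment: the process is moved into the container's cgroup before any setns() succeeds, so if a later setns() fails the caller is left in the container's cgroup while still in the host namespaces, e.g. `/* join the cgroup first so the restrictions apply before we enter the namespaces; a later setns failure leaves us in the cgroup */`. The SYSERROR here duplicates the one already logged inside lxc_cgroup_append_task, and the helper can also return -1 without setting errno (no cgroup mounted), so the errno text printed here may be unrelated; plain ERROR() would be more accurate. The enclosing function continues beyond the hunk.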
diff --git a/src/lxc/namespace.h b/src/lxc/namespace.h
index 9c6b7ec..cda6c50 100644
--- a/src/lxc/namespace.h
+++ b/src/lxc/namespace.h
@@ -49,6 +49,7 @@
#endif
extern pid_t lxc_clone(int (*fn)(void *), void *arg, int flags);
-extern int lxc_attach(pid_t pid);
+extern int lxc_attach(pid_t pid, const char* cgname);
+extern int lxc_cgroup_append_task(const char *name, pid_t pid);
#endif
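Review bot: The prototype for lxc_cgroup_append_task is declared twice, here in namespace.h and again in cgroup.h in the later hunk; identical duplicates compile, but the two will drift as soon as one is edited. Since cgroup.h already exports it, drop the line here and have namespace.c `#include "cgroup.h"` instead. While touching this line, `const char *cgname` matches the pointer style used elsewhere in this header.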
diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c
index a2b823e..d86891b 100644
--- a/src/lxc/cgroup.c
+++ b/src/lxc/cgroup.c
@@ -265,6 +265,43 @@ out:
return err;
}
+/*
+ * for each mounted cgroup, get the cgroup for the container to append a task
+ */
+int lxc_cgroup_append_task(const char *name, pid_t pid)
+{
+ struct mntent *mntent;
+ FILE *file = NULL;
+ int err = -1;
+ char cgname[MAXPATHLEN];
+
+ file = setmntent(MTAB, "r");
+ if (!file) {
+ SYSERROR("failed to open %s", MTAB);
+ return -1;
+ }
+
+ while ((mntent = getmntent(file))) {
+
+ DEBUG("checking '%s' (%s)", mntent->mnt_dir, mntent->mnt_type);
+
+ if (!strcmp(mntent->mnt_type, "cgroup")) {
+
+ INFO("found cgroup mounted at '%s'", mntent->mnt_dir);
+ snprintf(cgname, MAXPATHLEN, "%s/%s", mntent->mnt_dir, name);
+ /* Let's add the pid to the 'tasks' file */
+ err = cgroup_attach(cgname, pid);
+ if (err) {
+ SYSERROR("failed to attach pid '%d' to '%s'", pid, cgname);
+ endmntent(file);
+ return err;
+ }
+ }
+ }
+ endmntent(file);
+ return err;
+}
+
int lxc_one_cgroup_destroy(const char *cgmnt, const char *name)
{
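Review bot: In lxc_cgroup_append_task the `snprintf(cgname, MAXPATHLEN, "%s/%s", mntent->mnt_dir, name)` result is not checked, so a long mount point or container name is silently truncated and the pid is written to the tasks file of whatever path the truncated string happens to name; the return value should be compared against MAXPATHLEN. `name` comes straight from the command line (my_args.name in the lxc_attach.c hunk) and is interpolated into the path without validation, so a value containing `/` or `..` addresses a different cgroup — unless the rest of the code base already rejects such names (not visible here), this function should refuse a `name` containing a `/` component. When no `cgroup` entry exists in MTAB the loop never runs, `err` stays -1 and the function fails without logging anything, which is what produces the misleading SYSERROR in the caller; an explicit `found` flag with an ERROR message makes the failure diagnosable. The rewrite below covers the truncation check and the no-mount case; the `cgroup_attach` call and its error path are unchanged.
```c
int lxc_cgroup_append_task(const char *name, pid_t pid)
{
	struct mntent *mntent;
	FILE *file = NULL;
	int found = 0;
	int ret;
	char cgname[MAXPATHLEN];

	/* … unchanged: setmntent(MTAB, "r") and its error check … */

	while ((mntent = getmntent(file))) {

		DEBUG("checking '%s' (%s)", mntent->mnt_dir, mntent->mnt_type);

		if (strcmp(mntent->mnt_type, "cgroup"))
			continue;

		found = 1;
		INFO("found cgroup mounted at '%s'", mntent->mnt_dir);

		/* a truncated path would name the wrong cgroup */
		ret = snprintf(cgname, MAXPATHLEN, "%s/%s", mntent->mnt_dir, name);
		if (ret < 0 || ret >= MAXPATHLEN) {
			ERROR("cgroup path for '%s' under '%s' is too long", name, mntent->mnt_dir);
			endmntent(file);
			return -1;
		}

		/* … unchanged: cgroup_attach(cgname, pid) and its error handling … */
	}
	endmntent(file);

	if (!found) {
		ERROR("no cgroup hierarchy mounted, cannot attach pid '%d'", pid);
		return -1;
	}
	return 0;
}
```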
diff --git a/src/lxc/cgroup.h b/src/lxc/cgroup.h
index 188d948..6669815 100644
--- a/src/lxc/cgroup.h
+++ b/src/lxc/cgroup.h
@@ -31,4 +31,5 @@ int lxc_cgroup_destroy(const char *name);
int lxc_cgroup_path_get(char **path, const char *subsystem, const char *name);
int lxc_cgroup_nrtasks(const char *name);
int lxc_ns_is_mounted(void);
+int lxc_cgroup_append_task(const char *name, pid_t pid);
#endif
diff --git a/src/lxc/lxc_attach.c b/src/lxc/lxc_attach.c
index ed3d5a4..65cb101 100644
--- a/src/lxc/lxc_attach.c
+++ b/src/lxc/lxc_attach.c
@@ -85,7 +85,7 @@ int main(int argc, char *argv[], char *envp[])
curdir = get_current_dir_name();
- ret = lxc_attach(pid);
+ ret = lxc_attach(pid, my_args.name);
if (ret < 0) {
ERROR("failed to enter the namespace");
return -1;