Hi,

I tried to put lxc.cgroup.memory.kmem.limit_in_bytes = 4194304 in a
config file to test forkbomb prevention. The problem with this is that
kmem.limit_in_bytes (per the kernel documentation) "cannot be set if
the cgroup have children, or if there are already tasks in the cgroup".
Currently, lxc does lxc_cgroup_enter() before doing setup_cgroup() in
the lxc_spawn() flow and therefore gets -EBUSY.

Commit 544a48a0 leads me to believe that we don't want to move
setup_cgroup() earlier, so I've refactored it to create an additional
setup_cgroup_pre_enter() that gets called before lxc_cgroup_enter().
Currently it only writes kmem.limit_in_bytes; if there are other items
that need to be set up pre-enter, they could easily be added to the
list. This fixes the problem for me. I think we are trying to keep lxc
from knowing about specific cgroup control knobs, but I have not
thought of another way to do this. Thoughts?

Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel