Hi, I tried to put lxc.cgroup.memory.kmem.limit_in_bytes = 4194304 in a config file to test forkbomb prevention. The problem with this is that kmem.limit_in_bytes (per the kernel documentation) "cannot be set if the cgroup have children, or if there are already tasks in the cgroup". Currently, lxc does lxc_cgroup_enter() before doing setup_cgroup() in the lxc_spawn() flow and therefore gets -EBUSY.
Commit 544a48a0 leads me to believe that we don't want to move setup_cgroup() earlier, so I've refactored it to create an additional setup_cgroup_pre_enter() that gets called before lxc_cgroup_enter(). Currently it only writes kmem.limit_in_bytes; if there are other items that need to be set up pre-enter, they could easily be added to the list. This fixes the problem for me.

I think we are trying to keep lxc from knowing about specific cgroup control knobs, but I have not thought of another way to do this. Thoughts?

Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel