Thread (38 messages) 38 messages, 12 authors, 2014-06-10

Re: Protection against container fork bombs [WAS: Re: memcg with kmem limit doesn't recover after disk i/o causes limit to be hit]

From: Dwight Engen <hidden>
Date: 2014-05-07 17:15:41
Also in: linux-mm

On Tue, 06 May 2014 14:40:55 +0300
Marian Marinov [off-list ref] wrote:
On 04/23/2014 03:49 PM, Dwight Engen wrote:
quoted
On Wed, 23 Apr 2014 09:07:28 +0300
Marian Marinov [off-list ref] wrote:
quoted
On 04/22/2014 11:05 PM, Richard Davies wrote:
quoted
Dwight Engen wrote:
quoted
Richard Davies wrote:
quoted
Vladimir Davydov wrote:
quoted
In short, kmem limiting for memory cgroups is currently broken.
Do not use it. We are working on making it usable though.
...
quoted
quoted
What is the best mechanism available today, until kmem limits
mature?

RLIMIT_NPROC exists but is per-user, not per-container.

Perhaps there is an up-to-date task counter patchset or similar?
I updated Frederic's task counter patches and included Max
Kellermann's fork limiter here:

http://thread.gmane.org/gmane.linux.kernel.containers/27212

I can send you a more recent patchset (against 3.13.10) if you
would find it useful.
Yes please, I would be interested in that. Ideally even against
3.14.1 if you have that too.
Dwight, do you have these patches in any public repo?

I would like to test them also.
Hi Marian, I put the patches against 3.13.11 and 3.14.1 up at:

git://github.com/dwengen/linux.git cpuacct-task-limit-3.13
git://github.com/dwengen/linux.git cpuacct-task-limit-3.14
Guys I tested the patches with 3.12.16. However I see a problem with
them.

Trying to set the limit to a cgroup which already have processes in
it does not work:
This is a similar check/limitation to the one for kmem in memcg, and is
done here to keep the res_counters consistent and from going negative.
It could probably be relaxed slightly by using res_counter_set_limit()
instead, but you would still need to initially set a limit before
adding tasks to the group.
[root@sp2 lxc]# echo 50 > cpuacct.task_limit
-bash: echo: write error: Device or resource busy
[root@sp2 lxc]# echo 0 > cpuacct.task_limit
-bash: echo: write error: Device or resource busy
[root@sp2 lxc]#

I have even tried to remove this check:
+               if (cgroup_task_count(cgrp)
|| !list_empty(&cgrp->children))
+                       return -EBUSY;
But still give me 'Device or resource busy'.

Any pointers of why is this happening ?

Marian
quoted
quoted
Marian
quoted
Thanks,

Richard.
--
To unsubscribe from this list: send the line "unsubscribe cgroups"
in the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe cgroups"
in the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help