Resource limits

Posted Mar 7, 2013 11:36 UTC (Thu) by lyda (subscriber, #7429)
In reply to: Resource limits by ebiederm
Parent article: Namespaces in operation, part 6: more on user namespaces

What options exist or interact with this? I worked on a system that doled out memory, cpu and disk usage to a subtree of processes in a container. That was mainly handled in userland; is there work being done to manage this within the kernel or is the feeling that userland is the correct place for this?


Resource limits

Posted Mar 8, 2013 0:52 UTC (Fri) by ebiederm (subscriber, #35028)

At a very basic level I don't see anything in any of the namespaces really being any different from any other process. The big differences are that it is now possible to allocate kinds of resources that no one has added rlimits for, and that if /etc/subuid is set up and your users have multiple uids per user limits go from mostly useless to totally useless.

To my knowledge there is not much in the control groups that is namespace or container specific. Although I seem to remember a network memory controller that had a connection with the network namespace.

Beyond that it all depends on how heavy a sandbox you want to run. Certainly with ptrace and a firm hand you can implement very fine control on processes.

When done well I think the lightest weight solutions will live in the kernel. Certainly the cpu controller seems to live up to that notion.

But honestly whatever works and whatever is easiest.

If there is any consensus of feeling on the matter it is that cgroups are ugly but they are the best general solution we have to the problem so far.

Beyond that it looks like most of the time resource consumption is not a problem for most people. With the result that technology to implement and enforce resource limits is frequently neglected.

I hope that helps a little.

Eric

Resource limits

Posted Mar 11, 2013 18:05 UTC (Mon) by BernardB (subscriber, #47903)

I'm also interested in having cgroup management supported within namespaces. I've seen a couple of patchsets posted to LKML to attempt to achieve this - most recently from Gao Feng. It seemed to get strong opposition from Tejun Heo though, who was pushing for a userland solution: http://article.gmane.org/gmane.linux.kernel.containers/24825

I haven't seen anything more recent though.

Resource limits

Posted Mar 11, 2013 21:05 UTC (Mon) by ebiederm (subscriber, #35028)

I don't know if userland vs kernel is the appropriate way to characterize the debate.

But yes there is a question of how unprivileged users can take advantage of the facilities cgroups offer, and how we can integrate cgroup support cleanly into containers.

Last I heard mount --bind /cgroupfs/my/group /path/to/container/cgroupfs
worked as a good approximation to what many people want.

I have not had a chance to look at it in any detail beyond that. It is nothing fundamentally hard; it is just something that someone familiar with all the details needs to spend some time to iron out.

