Linux – CGroups memory limit not working

cgroupdebiandebian-jessielinuxlxc

I am trying to limit memory usage for a LXC container using CGroups, but I can't limit the memory.

# lxc-cgroup -n maxdaniel981 memory.limit_in_bytes 134217728
lxc_container: failed to assign '134217728' value to 'memory.limit_in_bytes' for 'maxdaniel981'

Then I looked up /proc/cgroups:

# cat /proc/cgroups
#subsys_name    hierarchy       num_cgroups     enabled
cpuset  2       3       1
cpu     3       3       1
cpuacct 3       3       1
memory  0       1       0
devices 4       3       1
freezer 5       3       1
net_cls 6       3       1
blkio   7       3       1
perf_event      8       3       1
net_prio        6       3       1

It looks like cgroups_memory is disabled, but I enabled the kernel flag in /etc/default/grub and updated grub using update-grub

# cat /etc/default/grub
# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
#   info -f grub -n 'Simple configuration'

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="cggroup_enable=memory swapaccount=1"
GRUB_CMDLINE_LINUX="cggroup_enable=memory swapaccount=1"

CGroup is mounted in /etc/fstab like this;

cgroup        /sys/fs/cgroup  cgroup  defaults        0       0

Can somebody help me with this issue? I am using Debian Jessie, and my kernel version is 3.16.0-4-amd64.

Best Answer

There's a small typo in your GRUB configuration; cgroup not cggroup should do the trick:

GRUB_CMDLINE_LINUX_DEFAULT="cgroup_enable=memory swapaccount=1"

Related Solutions

Linux – Limit memory and cpu with lxc-execute

First of all i would like you to understand Cgroups that are a part of the LXC utility. when you have a container, you would obviously want to ensure that the various containers you have running done starve any other container or process within. With this in mind, the nice guy of the LXC project a.k.a Daniel Lezcano integrated cgroups with the container technology he was creating i.e. LXC. Now if you want to assign resource usage, you will need to look into configuring your CGROUP. Cgroups allow you to allocate resources—such as CPU time, system memory, network bandwidth, or combinations of these resources—among user-defined groups of tasks (processes) running on a system. You can monitor the cgroups you configure, deny cgroups access to certain resources, and even reconfigure your cgroups dynamically on a running system. The cgconfig ( control group config) service can be configured to start up at boot time and reestablish your predefined cgroups, thus making them persistent across reboots. Cgroups can have multiple hierarchies because each hierarchy is attached to one or more subsystems (also known as resources controllers or controllers). This will then create multiple trees which are unconnected. There are nine subsystems available.

blkio sets limits on input/output access on block devices
cpu scheduler for cgroup task access to the CPU
cpuacct generate reports for CPU use and cgroup
cpuset assign CPUs and memory to a cgroup
devices manage access to devices by tasks
freezer suspend/resume tasks
memory limit memory
net_cls tag network packets to allow Linux traffic controller to identify task traffic
ns namespace

We can list the subsystems we have in our kernel by the command :

lssubsys –am

lxc-cgroup get or set value from the control group associated with the container name. Manage the control group associated with a container. example usage:

lxc-cgroup -n foo cpuset.cpus "0,3"

assign the processors 0 and 3 to the container.

Now, i have in my opinion answered your original question. But let me add a bit of the parameters that might be useful to you for configuring your container for using lxc. there are condensed form of the documentation of resource control by redhat

BLKIO Modifiable Parameters:

    blkio.reset_stats : any int to reset the statistics of BLKIO
    blkio.weight : 100 - 1000 (relative proportion of block I/O access)
    blkio.weight_device : major, minor , weight 100 - 1000 
    blkio.time : major, minor and time (device type and node numbers and length of access in milli seconds)
    blkio.throttle.read_bps_device : major, minor specifies the upper limit on the number of read operations a device can perform. The rate of the read operations is specified in bytes per second.
    blkio.throttle.read_iops_device :major, minor and operations_per_second specifies the upper limit on the number of read operations a device can  perform
    blkio.throttle.write_bps_device : major, minor and bytes_per_second (bytes per second)
    blkio.throttle.write_iops_device : major, minor and operations_per_second

CFS Modifiable Parameters:

    cpu.cfs_period_us : specifies a period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. If tasks in a cgroup should be able to access a single CPU for 0.2 seconds out of every 1 second, set cpu.cfs_quota_us to 200000 and cpu.cfs_period_us to 1000000.
    cpu.cfs_quota_us : total amount of time in microseconds that all tasks in a cgroup can run during one period. Once limit has reached, they are not allowed to run beyond that. 
    cpu.shares : contains an integer value that specifies the relative share of CPU time available to tasks in a cgroup.


    Note: For example, tasks in two cgroups that have cpu.shares set to 1 will receive equal CPU time, but tasks in a cgroup that has cpu.shares set to 2 receive twice the CPU time of tasks in a cgroup where cpu.shares is set to 1. Note that shares of CPU time are distributed per CPU. If one cgroup is limited to 25% of CPU and another cgroup is limited to 75% of CPU, on a multi-core system, both cgroups will use 100% of two different CPUs.

RT Modifiable Parameters:

cpu.rt_period_us : time in microseconds for how regularly a cgroups access to CPU resources should be reallocated. 
cpu.rt_runtime_us : same as above.

CPUset :

cpuset subsystem assigns individual CPUs and memory nodes to cgroups.
Note: here some parameters are mandatory
Mandatory: 


cpuset.cpus : specifies the CPUs that tasks in this cgroup are permitted to access. This is a comma-separated list in ASCII format, with dashes (" -")                 to represent ranges. For example 0-2,16 represents CPUs 0, 1, 2, and 16. 
        cpuset.mems : specifies the memory nodes that tasks in this cgroup are permitted to access. same as above format


Optional: 
        cpuset.cpu_exclusive : contains a flag ( 0 or 1) that specifies whether cpusets other than this one and its parents and children can share the CPUs specified for this cpuset. By default ( 0), CPUs are not allocated exclusively to one cpuset. 
        cpuset.mem_exclusive : contains a flag ( 0 or 1) that specifies whether other cpusets can share the memory nodes specified for this cpuset. By default ( 0), memory nodes are not allocated exclusively to one cpuset. Reserving memory nodes for the exclusive use of a cpuset ( 1) is functionally the same as enabling a memory hardwall with the cpuset.mem_hardwall parameter.
        cpuset.mem_hardwall : contains a flag ( 0 or 1) that specifies whether kernel allocations of memory page and buffer data should be restricted to the memory nodes specified for this cpuset. By default ( 0), page and buffer data is shared across processes belonging to multiple users. With a hardwall enabled ( 1), each tasks' user allocation can be kept separate.
        cpuset.memory_pressure_enabled : contains a flag ( 0 or 1) that specifies whether the system should compute the memory pressure created by the processes in this cgroup
        cpuset.memory_spread_page : contains a flag ( 0 or 1) that specifies whether file system buffers should be spread evenly across the memory nodes allocated to this cpuset. By default ( 0), no attempt is made to spread memory pages for these buffers evenly, and buffers are placed on the same node on which the process that created them is running. 
        cpuset.memory_spread_slab : contains a flag ( 0 or 1) that specifies whether kernel slab caches for file input/output operations should be spread evenly across the cpuset. By default ( 0), no attempt is made to spread kernel slab caches evenly, and slab caches are placed on the same node on which the process that created them is running.
        cpuset.sched_load_balance : contains a flag ( 0 or 1) that specifies whether the kernel will balance loads across the CPUs in this cpuset. By default ( 1), the kernel balances loads by moving processes from overloaded CPUs to less heavily used CPUs.

Devices:

The devices subsystem allows or denies access to devices by tasks in a cgroup. 
    devices.allow : specifies devices to which tasks in a cgroup have access. Each entry has four fields: type, major, minor, and access.
    type can be of following three values: 
        a - applies to all devices
        b - block devices
        c - character devices
    access is a sequence of one or more letters: 
        r read from device
        w write to device
        m create device files that do not yet exist

    devices.deny : similar syntax as above
    devices.list : reports devices for which access control has been set for tasks in this cgroup

Memory:

The memory subsystem generates automatic reports on memory resources used by the tasks in a cgroup, and sets limits on memory use by those tasks Memory modifiable parameters: memory.limit_in_bytes : sets the maximum amount of user memory. can use suffixes like K for kilo and M for mega etc. This only limits the groups lower in the heirarchy. i.e. root cgroup cannot be limited memory.memsw.limit_in_bytes : sets the maximum amount for the sum of memory and swap usage. again this cannot limit the root cgroup.

    Note: memory.limit_in_bytes should always be set before memory.memsw.limit_in_bytes because only after limit, can swp limit be set
    memory.force_empty : when set to 0, empties memory of all pages used by tasks in this cgroup
    memory.swappiness : sets the tendency of the kernel to swap out process memory used by tasks in this cgroup instead of reclaiming pages from the page cache. he default value is 60. Values lower than 60 decrease the kernel's tendency to swap out process memory, values greater than 60 increase the kernel's tendency to swap out process memory, and values greater than 100 permit the kernel to swap out pages that are part of the address space of the processes in this cgroup. 


    Note: Swappiness can only be asssigned to leaf groups in the cgroups architecture. i.e if any cgroup has a child cgroup, we cannot set the swappiness for that
    memory.oom_control : contains a flag ( 0 or 1) that enables or disables the Out of Memory killer for a cgroup. If enabled ( 0), tasks that attempt to consume more memory than they are allowed are immediately killed by the OOM killer.

net_cls:

The net_cls subsystem tags network packets with a class identifier (classid) that allows the Linux traffic controller ( tc) to identify packets originating from a particular cgroup. The traffic controller can be configured to assign different priorities to packets from different cgroups.

net_cls.classid : 0XAAAABBBB AAAA = major number (hex)
                         BBBB = minor number (hex)
        net_cls.classid contains a single value that indicates a traffic control handle. The value of classid read from the net_cls.classid file is presented in the decimal format while the value to be written to the file is expected in the hexadecimal format. e.g. 0X100001 = 10:1

net_prio :

The Network Priority ( net_prio) subsystem provides a way to dynamically set the priority of network traffic per each network interface for applications within various cgroups. A network's priority is a number assigned to network traffic and used internally by the system and network devices. Network priority is used to differentiate packets that are sent, queued, or dropped. traffic controller (tc) is responsible to set the networks priority.

net_prio.ifpriomap : networkinterface , priority (/cgroup/net_prio/iscsi/net_prio.ifpriomap)
        Contents of the net_prio.ifpriomap file can be modified by echoing a string into the file using the above format, for example:

            ~]# echo "eth0 5" > /cgroup/net_prio/iscsi/net_prio.ifpriomap

Linux Cron – Why is My Crontab Not Working and How to Troubleshoot

How to fix all of your crontab related woes/problems (Linux)

This is a community wiki, if you notice anything incorrect with this answer or have additional information then please edit it.

First, basic terminology:

cron(8) is the daemon that executes scheduled commands.
crontab(1) is the program used to modify user crontab(5) files.
crontab(5) is a per user file that contains instructions for cron(8).

Next, education about cron:

Every user on a system may have their own crontab file. The location of the root and user crontab files are system dependant but they are generally below /var/spool/cron.

There is a system-wide /etc/crontab file, the /etc/cron.d directory may contain crontab fragments which are also read and actioned by cron. Some Linux distributions (eg, Red Hat) also have /etc/cron.{hourly,daily,weekly,monthly} which are directories, scripts inside which will be executed every hour/day/week/month, with root privilege.

root can always use the crontab command; regular users may or may not be granted access. When you edit the crontab file with the command crontab -e and save it, crond checks it for basic validity but does not guarantee your crontab file is correctly formed. There is a file called cron.deny which will specify which users cannot use cron. The cron.deny file location is system dependent and can be deleted which will allow all users to use cron.

If the computer is not powered on or crond daemon is not running, and the date/time for a command to run has passed, crond will not catchup and run past queries.

crontab particulars, how to formulate a command:

A crontab command is represented by a single line. You cannot use \ to extend a command over multiple lines. The hash (#) sign represents a comment which means anything on that line is ignored by cron. Leading whitespace and blank lines are ignored.

Be VERY careful when using the percent (%) sign in your command. Unless they are escaped \% they are converted into newlines and everything after the first non-escaped % is passed to your command on stdin.

There are two formats for crontab files:

User crontabs

 # Example of job definition:
 # .---------------- minute (0 - 59)
 # |  .------------- hour (0 - 23)
 # |  |  .---------- day of month (1 - 31)
 # |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
 # |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7)
 # |  |  |  |  |
 # *  *  *  *  *   command to be executed

System wide /etc/crontab and /etc/cron.d fragments

 # Example of job definition:
 # .---------------- minute (0 - 59)
 # |  .------------- hour (0 - 23)
 # |  |  .---------- day of month (1 - 31)
 # |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
 # |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7)
 # |  |  |  |  |
 # *  *  *  *  * user-name  command to be executed

Notice that the latter requires a user-name. The command will be run as the named user.

The first 5 fields of the line represent the time(s) when the command should be run. You can use numbers or where applicable day/month names in the time specification.

The fields are separated by spaces or tabs.
A comma (,) is used to specify a list e.g 1,4,6,8 which means run at 1,4,6,8.
Ranges are specified with a dash (-) and may be combined with lists e.g. 1-3,9-12 which means between 1 and 3 then between 9 and 12.
The / character can be used to introduce a step e.g. 2/5 which means starting at 2 then every 5 (2,7,12,17,22...). They do not wrap past the end.
An asterisk (*) in a field signifies the entire range for that field (e.g. 0-59 for the minute field).
Ranges and steps can be combined e.g. */2 signifies starting at the minimum for the relevant field then every 2 e.g. 0 for minutes( 0,2...58), 1 for months (1,3 ... 11) etc.

Debugging cron commands

Check the mail!

By default cron will mail any output from the command to the user it is running the command as. If there is no output there will be no mail. If you want cron to send mail to a different account then you can set the MAILTO environment variable in the crontab file e.g.

MAILTO=user@somehost.tld
1 2 * * * /path/to/your/command

Capture the output yourself

You can redirect stdout and stderr to a file. The exact syntax for capturing output may vary depending on what shell cron is using. Here are two examples which save all output to a file at /tmp/mycommand.log:

1 2 * * * /path/to/your/command &>/tmp/mycommand.log
1 2 * * * /path/to/your/command >/tmp/mycommand.log 2>&1

Look at the logs

Cron logs its actions via syslog, which (depending on your setup) often go to /var/log/cron or /var/log/syslog.

If required you can filter the cron statements with e.g.

grep CRON /var/log/syslog

Now that we've gone over the basics of cron, where the files are and how to use them let's look at some common problems.

Check that cron is running

If cron isn't running then your commands won't be scheduled ...

ps -ef | grep cron | grep -v grep

should get you something like

root    1224   1  0 Nov16 ?    00:00:03 cron

root    2018   1  0 Nov14 ?    00:00:06 crond

If not restart it

/sbin/service cron start

/sbin/service crond start

There may be other methods; use what your distro provides.

cron runs your command in a restricted environment.

What environment variables are available is likely to be very limited. Typically, you'll only get a few variables defined, such as $LOGNAME, $HOME, and $PATH.

Of particular note is the PATH is restricted to /bin:/usr/bin. The vast majority of "my cron script doesn't work" problems are caused by this restrictive path. If your command is in a different location you can solve this in a couple of ways:

Provide the full path to your command.
```
 1 2 * * * /path/to/your/command
```

Provide a suitable PATH in the crontab file

 PATH=/bin:/usr/bin:/path/to/something/else
 1 2 * * * command

If your command requires other environment variables you can define them in the crontab file too.

cron runs your command with cwd == $HOME

Regardless of where the program you execute resides on the filesystem, the current working directory of the program when cron runs it will be the user's home directory. If you access files in your program, you'll need to take this into account if you use relative paths, or (preferably) just use fully-qualified paths everywhere, and save everyone a whole lot of confusion.

The last command in my crontab doesn't run

Cron generally requires that commands are terminated with a new line. Edit your crontab; go to the end of the line which contains the last command and insert a new line (press enter).

Check the crontab format

You can't use a user crontab formatted crontab for /etc/crontab or the fragments in /etc/cron.d and vice versa. A user formatted crontab does not include a username in the 6th position of a row, while a system formatted crontab includes the username and runs the command as that user.

I put a file in /etc/cron.{hourly,daily,weekly,monthly} and it doesn't run

Check that the filename doesn't have an extension see run-parts
Ensure the file has execute permissions.
Tell the system what to use when executing your script (eg. put #!/bin/sh at top)

Cron date related bugs

If your date is recently changed by a user or system update, timezone or other, then crontab will start behaving erratically and exhibit bizarre bugs, sometimes working, sometimes not. This is crontab's attempt to try to "do what you want" when the time changes out from underneath it. The "minute" field will become ineffective after the hour is changed. In this scenario, only asterisks would be accepted. Restart cron and try it again without connecting to the internet (so the date doesn't have a chance to reset to one of the time servers).

Percent signs, again

To emphasise the advice about percent signs, here's an example of what cron does with them:

# cron entry
* * * * * cat >$HOME/cron.out%foo%bar%baz

will create the ~/cron.out file containing the 3 lines

foo
bar
baz

This is particularly intrusive when using the date command. Be sure to escape the percent signs

* * * * * /path/to/command --day "$(date "+\%Y\%m\%d")"

How to use `sudo` in cron jobs

when running as a non-root user,

crontab -e

will open the user's crontab, while

sudo crontab -e

will open the root user's crontab. It's not recommended to run sudo commands in a cron job, so if you're trying to run a sudo command in a user's cron, try moving that command to root's cron and remove sudo from the command.