[systemd-devel] [PATCH] [RFC] Ignore OOMScoreAdjust in Linux containers

Tom Gundersen teg at jklm.no
Wed Apr 9 10:19:01 PDT 2014


On Mon, Apr 7, 2014 at 9:47 PM, Richard Weinberger <richard at nod.at> wrote:
> At least LXC does not allow the container root to change
> the OOM Score adjust value.
>
> Signed-off-by: Richard Weinberger <richard at nod.at>
> ---
> Hi!
>
> Within Linux containers we cannot use OOMScoreAdjust nor CapabilityBoundingSet (and maybe
> more related settings).
> This patch tells systemd to ignore OOMScoreAdjust if it detects
> a container.
>
> Are you fine with such a change?
> Otherwise regular distros need a lot of changes in their .service files
> to make them work within LXC.
>
> As detect_virtualization() detects more than LXC we have to find out
> whether OOMScoreAdjust cannot be used on OpenVZ and other containers as well.
>
> I'd volunteer to identify all settings and send patches...

Hm, is there a fundamental reason why this is not possible in
containers in general, or is it simply an LXC restriction? Regardless,
would it not be best to simply degrade gracefully and ignore the
setting with a warning if it fails? See the comment Lennart just
posted on the recent PrivateNetwork= patch. This sounds like a very
similar situation.

Cheers,

Tom

>  src/core/load-fragment.c | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
> index c604f90..13f6107 100644
> --- a/src/core/load-fragment.c
> +++ b/src/core/load-fragment.c
> @@ -59,6 +59,7 @@
>  #include "bus-error.h"
>  #include "errno-list.h"
>  #include "af-list.h"
> +#include "virt.h"
>
>  #ifdef HAVE_SECCOMP
>  #include "seccomp-util.h"
> @@ -423,6 +424,12 @@ int config_parse_exec_oom_score_adjust(const char* unit,
>          assert(rvalue);
>          assert(data);
>
> +        if (detect_virtualization(NULL) == VIRTUALIZATION_CONTAINER) {
> +                log_syntax(unit, LOG_ERR, filename, line, EPERM,
> +                           "Setting the OOM score adjust value is not allowed within containers");
> +                return 0;
> +        }
> +
>          r = safe_atoi(rvalue, &oa);
>          if (r < 0) {
>                  log_syntax(unit, LOG_ERR, filename, line, -r,
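Review bot: the new `detect_virtualization(NULL) == VIRTUALIZATION_CONTAINER` check at the top of `config_parse_exec_oom_score_adjust()` returns 0 before `safe_atoi(rvalue, &oa)` runs, so in any detected container the value is never validated and the setting is dropped whether or not the write would have been permitted. Consider keeping the parse unconditional and handling a refusal at the point where the value is actually applied, so a malformed `OOMScoreAdjust=` is still diagnosed. The message is also logged at `LOG_ERR` although parsing continues normally afterwards; a warning level would match that behaviour.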
> --
> 1.8.4.2
>
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel
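The graceful degradation suggested in the reply above, sketched as an added example (not code from the patch or from systemd): the value is always validated, the write is attempted, and only a permission refusal is downgraded to a warning. The helper names and the choice of EPERM/EACCES as the "refused by the container" errors are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: errors taken to mean "the environment forbids this"
 * (assumption), as opposed to a bad value or a missing /proc entry. */
static int oom_adjust_error_is_ignorable(int err) {
        return err == EPERM || err == EACCES;
}

/* Hypothetical helper: write `value` to an oom_score_adj file.
 * Returns 1 if applied, 0 if refused and skipped with a warning,
 * or a negative errno for any other failure. */
static int apply_oom_score_adjust(const char *path, int value) {
        FILE *f;
        int err = 0;

        /* Validate first, so a bad setting is reported even in a container. */
        if (value < -1000 || value > 1000)
                return -EINVAL;

        f = fopen(path, "w");
        if (!f)
                err = errno;
        else {
                /* stdio buffers the data, so a refused write shows up at fflush(). */
                if (fprintf(f, "%d\n", value) < 0 || fflush(f) != 0)
                        err = errno;
                if (fclose(f) != 0 && err == 0)
                        err = errno;
        }

        if (err == 0)
                return 1;
        if (oom_adjust_error_is_ignorable(err)) {
                fprintf(stderr, "warning: cannot set OOM score adjust to %d (%s), ignoring\n",
                        value, strerror(err));
                return 0;
        }
        return -err;
}

int main(void) {
        /* Lowering the score needs privilege; a restricted container refuses it. */
        int r = apply_oom_score_adjust("/proc/self/oom_score_adj", -500);
        printf("result: %d\n", r);
        return r < 0;
}
```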

