Limiting the processes in the lxc container [fork bomb]

BelCloud
Dec 15, 2015
I'm periodically having issues with the LXC containers crashing the host node.

The errors on the node are the classic nmi_watchdog stuck, and I believe so far I was treating the symptom instead of the cause.

Today I had a very interesting "customer". His container was using 100% of his CPU (1 core), and the node crashed.
I moved him to a fresh node (thinking the initial node was overloaded) and, surprise, the new node crashed with the same error. I could see he was forking a lot of apache2 processes, and I'm assuming that's what is causing the issues I'm continuously having with LXC.

Can I limit in any way the number of processes he can spawn? Or other ideas how to limit it?
All suggestions are welcome!

Thank you
 
There has also been a pids cgroup around for a while now. You could try something like this in /etc/pve/lxc/$VMID.conf:
Code:
lxc.cgroup.pids.max: 5000
(Can be hot-applied on the CLI via `# lxc-cgroup -n $VMID pids.max 5000`)
 
All our containers include /usr/share/lxc/config/common.conf, which in turn includes all .conf files in /usr/share/lxc/config/common.conf.d/. You can add e.g. a file 99-pid-limit.conf to that directory and add the above cgroup line to it.
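The two replies above describe one procedure: cap a container's process count with the pids cgroup, either per container in its Proxmox config or host-wide via an LXC drop-in. Without such a cap, a fork bomb (accidental or otherwise) inside one container is bounded only by the host's global PID space, which is how a single tenant ends up stalling the whole node. The script below is an added example written for this thread, not code from Proxmox or from the posters. It assumes the layout the replies mention (/etc/pve/lxc/$VMID.conf, /usr/share/lxc/config/common.conf.d/) and, as a further assumption, a cgroup v1 pids controller mounted at /sys/fs/cgroup/pids with containers under the lxc/ subtree; all three paths are overridable through environment variables. Note that the Proxmox config uses `key: value` syntax while native LXC config files use `key = value`, so the drop-in writer emits the latter.

```shell
#!/bin/sh
# Added example (not from the thread): set a per-container pids limit on a
# Proxmox/LXC host and check how close a running container is to it.
#
# Assumed paths (override via environment for other layouts or for testing):
PVE_CONF_DIR="${PVE_CONF_DIR:-/etc/pve/lxc}"
LXC_DROPIN_DIR="${LXC_DROPIN_DIR:-/usr/share/lxc/config/common.conf.d}"
CGROUP_PIDS_ROOT="${CGROUP_PIDS_ROOT:-/sys/fs/cgroup/pids/lxc}"   # cgroup v1 assumed

# Set (or update) lxc.cgroup.pids.max for one container in its PVE config.
# PVE config uses "key: value". Idempotent: an existing line is replaced,
# so running it twice never leaves two conflicting limits behind.
# Usage: set_ct_pids_limit 101 5000
set_ct_pids_limit() {
  vmid="$1"; limit="$2"
  conf="$PVE_CONF_DIR/$vmid.conf"
  [ -f "$conf" ] || { echo "no config for CT $vmid at $conf" >&2; return 1; }
  case "$limit" in
    ''|*[!0-9]*) echo "limit must be a positive integer, got '$limit'" >&2; return 1 ;;
  esac
  if grep -q '^lxc.cgroup.pids.max:' "$conf"; then
    sed -i "s/^lxc.cgroup.pids.max:.*/lxc.cgroup.pids.max: $limit/" "$conf"
  else
    printf 'lxc.cgroup.pids.max: %s\n' "$limit" >> "$conf"
  fi
}

# Host-wide default for every container via the common.conf.d drop-in the
# second reply describes. Native LXC config syntax is "key = value".
# Usage: write_global_pids_dropin 5000
write_global_pids_dropin() {
  limit="$1"
  case "$limit" in
    ''|*[!0-9]*) echo "limit must be a positive integer, got '$limit'" >&2; return 1 ;;
  esac
  printf 'lxc.cgroup.pids.max = %s\n' "$limit" > "$LXC_DROPIN_DIR/99-pid-limit.conf"
}

# Report pid usage of a running container from its pids cgroup.
# Prints "current max percent" and returns:
#   0 below the warning threshold (default 90%)
#   2 at or above the threshold (a runaway fork is likely in progress)
#   3 when no limit is set ("max"), i.e. the container is unbounded
#   1 if the cgroup files cannot be read (container not running / wrong path)
# Usage: check_ct_pids_usage 101 [warn_percent]
check_ct_pids_usage() {
  vmid="$1"; warn_pct="${2:-90}"
  cg="$CGROUP_PIDS_ROOT/$vmid"
  cur=$(cat "$cg/pids.current" 2>/dev/null) || return 1
  max=$(cat "$cg/pids.max" 2>/dev/null) || return 1
  if [ "$max" = "max" ]; then
    echo "$cur unlimited -"
    return 3
  fi
  pct=$(( cur * 100 / max ))
  echo "$cur $max $pct"
  [ "$pct" -lt "$warn_pct" ] || return 2
}
```

A cron job or monitoring check that calls `check_ct_pids_usage` for each running CT and alerts on exit status 2 or 3 catches a container that is approaching its cap (or was never capped) before the host's watchdog does. Pick the limit from the workload: a few thousand is generous for a typical web container, while the unlimited default is what lets one tenant's apache2 fork storm exhaust the node.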