LXC and cset/cpuset quirk - all apparmor processes unconfined

bladenj
Nov 20, 2020
Hi

I'm using Proxmox to host multiple LXCs and VMs. In order to get good gaming performance on my Windows VM I am using cset and taskset to pin the Windows cores to the last 8c/16t of my CPU. I have run into an issue with cset and LXC containers: if I define a slice for the Windows VM, LXC containers get access to all of the cores on the system slice, and then AppArmor runs everything in unconfined mode.

I run this command at boot, as I don't mind losing 8c/16t as long as they get pinned:
Code:
cset set -c 0-31 -s machine.slice && cset shield --kthread on --cpu 8-15,24-31 && cset proc --move --fromset=root --toset=system --threads --kthread --force

This is the cset command that is run at launch with hookscripts:
Code:
cset proc --move --pid "$CPU_TASK" --toset=user --force

I have attached a few screenshots of what the LXC slices should look like, compared to what they look like if I define my own cgroups.

Any help would be appreciated, and thanks in advance.

Attachments: proxmox1.png, proxmox2.png, proxmox3.png (screenshots of the LXC slices)

bladenj
Also a note to add: if I don't add this as a hookscript to every container, I can only start the container once; otherwise I get an error.
Code:
#!/bin/bash
# Proxmox hookscript: $1 is the guest ID, $2 is the phase
# (pre-start, post-start, pre-stop or post-stop).
VMID="$1"
VM_ACTION="$2"
if [[ "$VM_ACTION" == "post-stop" ]]; then
    # After the container has stopped, delete the cpuset named after the
    # guest (recursively) so the next start does not find a stale one.
    sleep 1s
    cset set -d "$VMID" -r --force
    sleep 1s
fi

Code:
cg_hybrid_get_controllers: 657 Found hierarchy not under /sys/fs/cgroup: "/cpusets rw,relatime master:130 - cgroup none rw,cpuset"
cgfsng_monitor_create: 1365 Numerical result out of range - Failed to create monitor cgroup
__lxc_start: 1911 Failed to create monitor cgroup
TASK ERROR: startup for container '300' failed