Issue
I'm new to cgroups and I'm trying to use them to control two C++ processes on my Linux server.
I set mem_limit of each process to 1G, which means it can consume at most 1 GB of memory, right?
But I think cgroups do not guarantee real isolation like a VM; for example, one process can still read (or write) the memory of another process. There's also competition between the two processes to grab free memory blocks, as cgroups do not allocate anything to them.
- Am I right?
- What about the case in the cpu_set?
- What's the difference between cgroup vs VM considering the isolation?
I Googled it but only got a lot of "docker vs vm", which is really not what I want.
Any tips about the implementation of cgroups would be really helpful.
Solution
First of all, you misunderstood what cgroups are. They are not an isolation tool; they are a resource limiting tool that can limit memory, CPU and I/O consumption, like mem_limit.
However, each process has its own, unique address space, so when process 1 is running on a CPU, process 2's page tables are not used, so process 1 cannot get process 2's variable by simply dereferencing a pointer. Virtual memory is already an isolation technique.
There are some ways (usually used by debuggers) to access another process's memory in Linux:
- /proc/PID/mem. If you check the permissions on that file, you will see that only the same user or root may access it.
- process_vm_{readv,writev} system calls. They check if the user has the capability CAP_SYS_PTRACE.
So there are several options to forbid processes from accessing each other's memory:
- Run processes from different users that do not have CAP_SYS_PTRACE. Android does that.
- Use kernel namespaces - a process will not know whether the other exists - protection is performed at the pid level. LXC uses this and Docker probably does too.
- Bare-metal virtualization: Xen, KVM, etc. Not only are process page tables isolated, but the kernel is too.
IMHO (1) is quite enough and (3) is for paranoids ;)
Answered By - myaut
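The following C program is an added example, not code from the question or the answer above, to make two of the answer's points concrete on Linux: after fork() the child and parent hold the same global at the same virtual address yet write to different physical pages, so one process cannot reach the other's variable by dereferencing a pointer; and the "same user or root" access to /proc/PID/mem can be tightened further by a process clearing its own dumpable flag with prctl(PR_SET_DUMPABLE, 0), after which only a holder of CAP_SYS_PTRACE may read it. The third function reads the kernel.yama.ptrace_scope sysctl, which is the knob that restricts the ptrace and process_vm_readv paths the answer mentions. The marker values 1 and 42 are constructed; the program assumes a Linux kernel with fork(), prctl() and, optionally, the Yama LSM.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* A global that lives at the same virtual address in parent and child.
 * The value 1 is a constructed marker, not anything from the answer. */
static volatile int secret = 1;

/* Fork a child that overwrites `secret`, wait for it, and return the
 * parent's own value. fork() gives the child a separate address space
 * (copy-on-write), so the parent's copy stays 1 even though the child
 * wrote 42 to the very same virtual address. */
int parent_value_after_child_write(void)
{
    secret = 1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        secret = 42;                      /* touches the child's private page */
        _exit(secret == 42 ? 0 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -2;
    return secret;                        /* still 1 in the parent */
}

/* Hardening knob for the answer's "same user or root" point: a process
 * that clears its dumpable flag makes /proc/PID/mem (and ptrace attach)
 * fail for every caller without CAP_SYS_PTRACE, including other processes
 * of the same user. Done in a child so the caller's own process is left
 * unchanged; returns the flag read back via PR_GET_DUMPABLE (0 on success). */
int dumpable_flag_after_hardening(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
            _exit(100);
        int flag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
        _exit(flag < 0 ? 101 : flag);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Read the Yama LSM's ptrace_scope sysctl if the kernel has it:
 * 0 = classic same-uid rule, 1 = only descendants may be traced,
 * 2 = CAP_SYS_PTRACE required, 3 = attach disabled entirely.
 * Returns -1 when the file does not exist (Yama not built in). */
int yama_ptrace_scope(void)
{
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (!f)
        return -1;
    int scope = -1;
    if (fscanf(f, "%d", &scope) != 1)
        scope = -1;
    fclose(f);
    return scope;
}

int main(void)
{
    printf("parent's value after child wrote 42: %d\n",
           parent_value_after_child_write());
    printf("dumpable flag after PR_SET_DUMPABLE=0: %d\n",
           dumpable_flag_after_hardening());
    printf("kernel.yama.ptrace_scope: %d (-1 = Yama absent)\n",
           yama_ptrace_scope());
    return 0;
}
```

Build with `cc -Wall isolation_demo.c -o isolation_demo` and run it as an ordinary user; the first line is the point the answer makes about page tables, the second shows the per-process hardening a service can apply to itself, and the third tells you which of the answer's options (plain uid checks, or CAP_SYS_PTRACE only) the host already enforces system-wide.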