How to Limit CPU and Memory Resources with lxc-execute for Process Isolation


While lxc-execute is commonly used for lightweight process isolation, many developers don't realize it can enforce resource limits through LXC configuration files. The key lies in proper cgroup configuration.

Create a configuration file (e.g., mycontainer.conf) with these resource limits:


# cgroup v1 keys; on a cgroup v2 (unified) host, LXC 4 and later use the
# equivalent lxc.cgroup2.* keys instead (for example lxc.cgroup2.memory.max)
lxc.cgroup.cpu.shares = 512
lxc.cgroup.memory.limit_in_bytes = 512M
lxc.cgroup.memory.memsw.limit_in_bytes = 1G
# values are written unquoted: "major:minor bytes-per-second", 8:0 is /dev/sda
lxc.cgroup.blkio.throttle.read_bps_device = 8:0 1048576
lxc.cgroup.blkio.throttle.write_bps_device = 8:0 524288

Here's how to execute a process with these constraints:


lxc-execute -n mycontainer -f ./mycontainer.conf -- /path/to/your/application

For running containers, modify limits through the cgroup filesystem:


# run as root; the memory limit is a size, so use a suffix (a bare 256 means 256 bytes)
echo 256M > /sys/fs/cgroup/memory/lxc/mycontainer/memory.limit_in_bytes
echo 256 > /sys/fs/cgroup/cpu/lxc/mycontainer/cpu.shares

For network limitations, combine with tc (traffic control):


tc qdisc add dev eth0 root tbf rate 1mbit burst 32kbit latency 400ms

Check applied limits with:


lxc-cgroup -n mycontainer memory.limit_in_bytes
lxc-cgroup -n mycontainer cpu.shares

When working with LXC (Linux Containers), lxc-execute provides a lightweight way to run processes in isolated environments. Unlike full container launches with lxc-start, this command focuses on single-process isolation while still allowing resource limitations.

Create a configuration file (container.conf) with the following parameters:


lxc.cgroup.cpu.shares = 512
lxc.cgroup.memory.limit_in_bytes = 256M
lxc.cgroup.memory.memsw.limit_in_bytes = 512M
# values are written unquoted: "major:minor bytes-per-second", 8:0 is /dev/sda
lxc.cgroup.blkio.throttle.read_bps_device = 8:0 1048576
lxc.cgroup.blkio.throttle.write_bps_device = 8:0 524288

Execute your process with resource limits:


lxc-execute -n mycontainer -f container.conf -- /path/to/command

Check applied limits through cgroup interfaces:


cat /sys/fs/cgroup/memory/lxc/mycontainer/memory.limit_in_bytes
cat /sys/fs/cgroup/cpu/lxc/mycontainer/cpu.shares

For running containers, update limits through the cgroup filesystem:


echo "128M" > /sys/fs/cgroup/memory/lxc/mycontainer/memory.limit_in_bytes
echo 256 > /sys/fs/cgroup/cpu/lxc/mycontainer/cpu.shares

While lxc-execute doesn't directly handle networking, you can use tc (traffic control):


tc qdisc add dev eth0 root handle 1: htb default 30
tc class add dev eth0 parent 1: classid 1:1 htb rate 1mbit ceil 1mbit
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dst 192.168.1.100 flowid 1:1

Remember that lxc-execute provides less isolation than full containers. For production workloads requiring strict resource controls, consider using lxc-start with complete container configurations instead.
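Pulling the config checks and cgroup read-backs from both walkthroughs above into one script, as an added example that is not part of the original post: it refuses a config whose memory limit is a bare byte count or whose memsw limit is below the memory limit, and compares the limit the kernel actually reports with what the config requested. It assumes the cgroup v1 paths used above; the cgroup root is a parameter so the check can be pointed at a test tree.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the cgroup v1 layout
# used above (<root>/memory/lxc/<name>/memory.limit_in_bytes); the root is
# a parameter so the read-back can be pointed at a test directory.

# Convert a cgroup size (plain bytes or K/M/G suffix) to bytes.
to_bytes() {
    [ -n "$1" ] || return 1
    case "$1" in
        *[Gg]) echo $(( ${1%[Gg]} * 1073741824 )) ;;
        *[Mm]) echo $(( ${1%[Mm]} * 1048576 )) ;;
        *[Kk]) echo $(( ${1%[Kk]} * 1024 )) ;;
        *)     echo $(( $1 )) ;;
    esac
}

# Value of one key in an LXC config (last occurrence wins, quotes and
# trailing spaces stripped); $1 = key, $2 = config file.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
        | tail -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

# Reject a config whose memory limit is under 1 MiB (a bare "256" means
# 256 bytes) or whose memsw limit is below the plain memory limit.
check_memory_conf() {
    mem=$(to_bytes "$(conf_value lxc.cgroup.memory.limit_in_bytes "$1")") || return 1
    memsw=$(conf_value lxc.cgroup.memory.memsw.limit_in_bytes "$1")
    [ "$mem" -ge 1048576 ] || { echo "memory limit is only $mem bytes" >&2; return 1; }
    [ -z "$memsw" ] || [ "$(to_bytes "$memsw")" -ge "$mem" ] \
        || { echo "memsw limit is below the memory limit" >&2; return 1; }
}

# Compare the limit the kernel reports for a running container with the
# config; $1 = container name, $2 = config file, $3 = cgroup root.
verify_applied() {
    root=${3:-/sys/fs/cgroup}
    want=$(to_bytes "$(conf_value lxc.cgroup.memory.limit_in_bytes "$2")") || return 1
    got=$(cat "$root/memory/lxc/$1/memory.limit_in_bytes") || return 1
    [ "$got" -eq "$want" ] || { echo "applied $got, expected $want" >&2; return 1; }
}
```

Run check_memory_conf before lxc-execute and verify_applied once the container is up; on a cgroup v2 host the file to read back is memory.max under the unified tree, so adjust the path accordingly.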