5

I am trying to restrict bandwidth inside my containers. I have tried using the following commands, but I think they are not taking effect.

cd /sys/fs/cgroup/net_cls/
echo 0x1001 > A/net_cls.classid   # 10:1
echo 0x1002 > B/net_cls.classid   # 10:2
tc qdisc add dev eth0 root \
           handle 10: htb
tc class add dev eth0 parent 10: \
           classid 10:1 htb rate 40mbit
tc class add dev eth0 parent 10: \
           classid 10:2 htb rate 30mbit
tc filter add dev eth0 parent 10: \
           protocol ip prio 10 \
           handle 1: cgroup

Here A and B are containers created with this command.

lxc-execute -n A -f configfile /bin/bash
lxc-execute -n B -f configfile /bin/bash

The configfile contains only this entry:

lxc.utsname = test_lxc

After starting the container, I started vsftpd inside container A and tried to access the files using the ftp client from another machine. Then I killed vsftpd in container A, started vsftpd in container B, and tried to access the files using the ftp client from another machine.

I cannot observe any difference in performance; for that matter, it is nowhere near 40mbit/30mbit.

Please correct me if anything is wrong here.

Sven
kumar

2 Answers

5

The problem here is not well documented but I've experienced it before. On 64 bit systems, the value you echo is not represented as a 16bit integer but a 32bit integer.

Try replacing:

echo 0x1001 > A/net_cls.classid   # 10:1
echo 0x1002 > B/net_cls.classid   # 10:2

With

echo 0x00100001 > A/net_cls.classid   # 10:1
echo 0x00100002 > B/net_cls.classid   # 10:2

This should fix your problem.

Note: It's not actually necessary to provide the leading zeroes at the start, but for clarity I added them.

Matthew Ife
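The encoding behind the answer above, as an added example that is not part of the original post: net_cls.classid holds a 32-bit value of the form 0xAAAABBBB, where AAAA is the tc major number and BBBB the minor, both hexadecimal. The function names are hypothetical, and the sample values are the ones from the question and answer.

```shell
#!/bin/sh
# Added example: convert between tc handles ("major:minor", both hex)
# and the 32-bit value written to net_cls.classid (0xAAAABBBB).

# tc handle such as "10:1" -> value to echo into net_cls.classid
handle_to_classid() {
    major=${1%%:*}
    minor=${1##*:}
    # An omitted part (as in the qdisc handle "10:") counts as 0.
    printf '0x%04x%04x\n' "$((0x${major:-0}))" "$((0x${minor:-0}))"
}

# net_cls.classid value (hex as written, or decimal as the kernel
# reports it when the file is read) -> the tc class it selects
classid_to_handle() {
    value=$(($1))
    printf '%x:%x\n' "$((value >> 16))" "$((value & 0xffff))"
}

# Succeeds only when the classid value selects the given tc class.
classid_matches() {
    [ "$(($1))" -eq "$(($(handle_to_classid "$2")))" ]
}

# Values from the question (0x1001) and from the answer (0x00100001).
for v in 0x1001 0x00100001; do
    printf '%s selects class %s\n' "$v" "$(classid_to_handle "$v")"
done
```

The question's 0x1001 decodes to class 0:1001, which does not exist under the 10: qdisc, so the cgroup filter never steers traffic into the 40mbit or 30mbit class.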
2

Many of the non-hypervisor containers (lxc, jails) tend to have dodgy/incomplete metering (disk iops, net) that impacts other containers. If limiting external transit is the main concern, stick a transparent firewall (i.e., ArmorLogic, Barracuda, etc.) in front of these first.

In any case, definitely load test to see if it makes a difference.

(ProTip: Heroku runs LXC. heroku run bash)