I'm totally confused about the status of cgroups in VZ. People seem to have been talking about them in general ways back as far as 2008 but then it all goes quiet after 2012. But I'm sure I read something about them again in relation to the upcoming 3.x-based VZ kernels though.
Anyway, I would count them out within the container.
Going back to VZ's built-in network limiting support, I have re-read the docs and rate limiting is supported in VZ4.7. With the GUI this is easy to set up - you just tick a box. It is ever so slightly more complex at the command line, but I think I've worked it out.
If you refer back to http://download.swsoft.com/virtuozzo/vi ... UG/300.htm
you'll see that it actually uses "tc" to do this under the hood.
And if I've read this correctly then:
1) /etc/vz/vz.conf should have
## Network traffic parameters
The first line enables support for it.
The second line defines the speed of the ethernet adapter
The third line confuses me but won't matter as it will shortly be ignored. I *think* this is the upper limit speed for traffic going to all IPs in the default network class (1) which is everywhere. But forget this for now. It isn't what we are interested in.
The fourth line is the default minimum guaranteed rate, 8Kbit/sec.
Then you activate it:
# /etc/init.d/vz shaperon
Starting Virtuozzo shaping: Ok
Set shaping on running Container :
vz WARNING: Can't get tc class for Container(101).
vz WARNING: Can't access file /var/run/vz_tc_classes. \
Creating new one.
vz WARNING: Can't get tc class for Container(1).
(your error messages may differ)
Use /etc/init.d/vz shaperoff to disable it if things go wrong.
Next we need to add to or edit /etc/vz/conf/[CTID].conf
And here is where it gets interesting.
In line 1, we override the 8Kbit/sec default minimum and make it 512Kbit/sec.
Then in line 2, we turn this into an upper limit, not a minimum.
By doing this, we limit the container to 512kbit/sec and hopefully your problem is solved.
You don't need to read any further. But if you are bored, let's go back to TOTALRATE="eth0:1:4096" in vz.conf.
If we had RATEBOUND="no" in [ctid].conf, then all containers that have traffic shaping enabled would share a virtual network pipe limited to 4096kbit/sec when communicating to IPs in network class 1 (defined as everywhere).
Why the default is 4096 is completely beyond me and led to a great deal of confusion on my part. Surely a more logical default would be 102400? Anyway, as an alternative way to get your containers to behave, you might consider setting it to 512 or 1024 in vz.conf and setting RATEBOUND="no" in [ctid].conf.
And finally... what's this network class 1 (everywhere) I keep going on about?
VZ can have up to 15 network address classes, allowing you to set different rates/limits on different IP address ranges. By default, class 1 is 0.0.0.0 = all IP addresses. I have not figured out which configuration file this is defined in, I'm afraid, but in this situation it doesn't matter as we want the shaping to apply to all external IP addresses. EDIT: found it: /etc/vz/conf/networks_classes
As usual, I may have got all of this wrong or some small but crucial thing wrong, but I'm pretty certain I'm right. Nevertheless, keep in mind that you might encounter unexpected problems if you follow my advice - every change can be dangerous.
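Added example, not part of the original post: a small Python audit that applies the post's reading of RATE, RATEBOUND and TOTALRATE to report which containers actually have a hard cap. The config text is constructed for illustration; TRAFFIC_SHAPING, BANDWIDTH and the global RATE are parameter names taken from the Virtuozzo documentation rather than from this page, and treating a missing RATEBOUND as "no" is an assumption.

```python
GLOBAL_CONF = '''
## Network traffic parameters (constructed sample, not the post's listing)
TRAFFIC_SHAPING="yes"
BANDWIDTH="eth0:102400"
TOTALRATE="eth0:1:4096"
RATE="eth0:1:8"
'''
CT_CONFS = {  # CTID -> contents of /etc/vz/conf/[CTID].conf (constructed)
    "101": 'RATE="eth0:1:512"\nRATEBOUND="yes"\n',
    "102": 'RATE="eth0:1:512"\nRATEBOUND="no"\n',
    "103": '# no shaping overrides\n',
}

def parse_conf(text):
    """Read shell-style KEY="value" lines, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip().strip("\"'")
    return conf

def rate_for(value, dev, cls):
    """Pick the Kbit/s figure for dev:class out of 'dev:class:kbit ...'."""
    for item in value.split():
        parts = item.split(":")
        if len(parts) == 3 and parts[0] == dev and parts[1] == str(cls):
            return int(parts[2])
    return None

def effective(global_text, ct_text, dev="eth0", cls=1):
    """Return (guaranteed, hard_cap, shared_pool) in Kbit/s for one container."""
    g, c = parse_conf(global_text), parse_conf(ct_text)
    if g.get("TRAFFIC_SHAPING", "no").lower() != "yes":
        return (None, None, None)  # shaping is off: nothing is enforced
    guaranteed = rate_for(c.get("RATE", ""), dev, cls)
    if guaranteed is None:  # fall back to the global default RATE
        guaranteed = rate_for(g.get("RATE", ""), dev, cls)
    # Assumption: a missing RATEBOUND behaves like "no".
    bound = c.get("RATEBOUND", "no").lower() == "yes"
    pool = rate_for(g.get("TOTALRATE", ""), dev, cls)
    return (guaranteed, guaranteed if bound else None, None if bound else pool)

def uncapped(global_text, ct_confs):
    """CTIDs with no hard upper limit: they share the TOTALRATE pool instead."""
    return sorted(ct for ct, t in ct_confs.items() if effective(global_text, t)[1] is None)

if __name__ == "__main__":
    print("no hard cap:", uncapped(GLOBAL_CONF, CT_CONFS))
```

To run it against a real host, read /etc/vz/vz.conf and each /etc/vz/conf/[CTID].conf into the same two arguments.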