* Don't mount /dev/cgroup with the "ns" subsystem. If it's mounted,

then every unshare(CLONE_NEWNS) system call causes a new entry to be created in /dev/cgroup/<pid>, which is not removed automatically. This can cause subsequent calls to unshare() to fail if the PID has wrapped around. Worse, a large number of entries in /dev/cgroup causes a very substantial system slowdown: doing 10,000 fork()/unshare(CLONE_NEWNS)/exit() calls took 21s without the "ns" subsystem, but 2m43s with it, and the system slows down permanently until the entries in /dev/cgroup are removed (going to a load of > 6 on my laptop). This is particularly important for Nix because its chroot feature uses unshare(CLONE_NEWNS). (http://yellowgrass.org/issue/Nix/219) svn path=/nixos/trunk/; revision=27216
2011-05-11 09:33:24 +00:00 · 2011-05-11 09:33:24 +00:00 · 7579933824
parent 6bc3a76439
commit 7579933824
1 changed files with 1 additions and 1 deletions
--- a/modules/system/activation/activation-script.nix
+++ b/modules/system/activation/activation-script.nix
@ -133,7 +133,7 @@ in
      ''
        if ! ${pkgs.sysvtools}/bin/mountpoint -q /dev/cgroup; then
            mkdir -p /dev/cgroup
-            ${pkgs.utillinux}/bin/mount -t cgroup none /dev/cgroup
+            ${pkgs.utillinux}/bin/mount -t cgroup -o freezer,cpuacct,cpu,cpuset none /dev/cgroup
        fi
      '';