container_create: Set a minimum memory limit

We set a minimum limit of 4MB. Lower values could result in container failing to start. Signed-off-by: Mrunal Patel <[email protected]>
cri-o · Aug 7, 2018 · dd46e3b · dd46e3b
1 parent 45f20dd
commit dd46e3b
Show file tree

Hide file tree

Showing 13 changed files with 35 additions and 13 deletions.
diff --git a/server/container_create.go b/server/container_create.go
@@ -47,6 +47,10 @@ const (
 	scopePrefix           = "crio"
 	defaultCgroupfsParent = "/crio"
 	defaultSystemdParent  = "system.slice"
+
+	// minMemoryLimit is the minimum memory that must be set for a container.
+	// A lower value would result in the container failing to start.
+	minMemoryLimit = 4194304
 )
 
 type orderedMounts []rspec.Mount
@@ -988,7 +992,13 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 			specgen.SetLinuxResourcesCPUPeriod(uint64(resources.GetCpuPeriod()))
 			specgen.SetLinuxResourcesCPUQuota(resources.GetCpuQuota())
 			specgen.SetLinuxResourcesCPUShares(uint64(resources.GetCpuShares()))
-			specgen.SetLinuxResourcesMemoryLimit(resources.GetMemoryLimitInBytes())
+
+			memoryLimit := resources.GetMemoryLimitInBytes()
+			if memoryLimit != 0 && memoryLimit < minMemoryLimit {
+				return nil, fmt.Errorf("set memory limit %v too low; should be at least %v", memoryLimit, minMemoryLimit)
+			}
+
+			specgen.SetLinuxResourcesMemoryLimit(memoryLimit)
 			specgen.SetProcessOOMScoreAdj(int(resources.GetOomScoreAdj()))
 			specgen.SetLinuxResourcesCPUCpus(resources.GetCpusetCpus())
 			specgen.SetLinuxResourcesCPUMems(resources.GetCpusetMems())

diff --git a/test/testdata/container_config.json b/test/testdata/container_config.json
@@ -47,7 +47,8 @@
 			"cpu_period": 10000,
 			"cpu_quota": 20000,
 			"cpu_shares": 512,
-			"oom_score_adj": 30
+			"oom_score_adj": 30,
+			"memory_limit_in_bytes": 268435456
 		},
 		"security_context": {
 			"namespace_options": {

diff --git a/test/testdata/container_config_by_imageid.json b/test/testdata/container_config_by_imageid.json
@@ -48,7 +48,8 @@
 			"cpu_period": 10000,
 			"cpu_quota": 20000,
 			"cpu_shares": 512,
-			"oom_score_adj": 30
+			"oom_score_adj": 30,
+			"memory_limit_in_bytes": 268435456
 		},
 		"security_context": {
 			"namespace_options": {

diff --git a/test/testdata/container_config_hostport.json b/test/testdata/container_config_hostport.json
@@ -50,7 +50,8 @@
 			"cpu_period": 10000,
 			"cpu_quota": 20000,
 			"cpu_shares": 512,
-			"oom_score_adj": 30
+			"oom_score_adj": 30,
+			"memory_limit_in_bytes": 268435456
 		},
 		"security_context": {
 			"namespace_options": {

diff --git a/test/testdata/container_config_logging.json b/test/testdata/container_config_logging.json
@@ -50,7 +50,8 @@
 			"cpu_period": 10000,
 			"cpu_quota": 20000,
 			"cpu_shares": 512,
-			"oom_score_adj": 30
+			"oom_score_adj": 30,
+			"memory_limit_in_bytes": 268435456
 		},
 		"security_context": {
 			"namespace_options": {

diff --git a/test/testdata/container_config_resolvconf.json b/test/testdata/container_config_resolvconf.json
@@ -49,7 +49,8 @@
 			"cpu_period": 10000,
 			"cpu_quota": 20000,
 			"cpu_shares": 512,
-			"oom_score_adj": 30
+			"oom_score_adj": 30,
+			"memory_limit_in_bytes": 268435456
 		},
 		"security_context": {
 			"namespace_options": {

diff --git a/test/testdata/container_config_resolvconf_ro.json b/test/testdata/container_config_resolvconf_ro.json
@@ -49,7 +49,8 @@
 			"cpu_period": 10000,
 			"cpu_quota": 20000,
 			"cpu_shares": 512,
-			"oom_score_adj": 30
+			"oom_score_adj": 30,
+			"memory_limit_in_bytes": 268435456
 		},
 		"security_context": {
 			"namespace_options": {

diff --git a/test/testdata/container_config_seccomp.json b/test/testdata/container_config_seccomp.json
@@ -48,7 +48,8 @@
 			"cpu_period": 10000,
 			"cpu_quota": 20000,
 			"cpu_shares": 512,
-			"oom_score_adj": 30
+			"oom_score_adj": 30,
+			"memory_limit_in_bytes": 268435456
 		},
 		"security_context": {
 			"namespace_options": {

diff --git a/test/testdata/container_config_sleep.json b/test/testdata/container_config_sleep.json
@@ -48,7 +48,8 @@
 			"cpu_period": 10000,
 			"cpu_quota": 20000,
 			"cpu_shares": 512,
-			"oom_score_adj": 30
+			"oom_score_adj": 30,
+			"memory_limit_in_bytes": 268435456
 		},
 		"security_context": {
 			"namespace_options": {

diff --git a/test/testdata/container_redis_default_mounts.json b/test/testdata/container_redis_default_mounts.json
@@ -54,7 +54,8 @@
 			"cpu_period": 10000,
 			"cpu_quota": 20000,
 			"cpu_shares": 512,
-			"oom_score_adj": 30
+			"oom_score_adj": 30,
+			"memory_limit_in_bytes": 268435456
 		},
 		"security_context": {
 			"namespace_options": {

diff --git a/test/testdata/container_redis_device.json b/test/testdata/container_redis_device.json
@@ -55,7 +55,8 @@
 			"cpu_period": 10000,
 			"cpu_quota": 20000,
 			"cpu_shares": 512,
-			"oom_score_adj": 30
+			"oom_score_adj": 30,
+			"memory_limit_in_bytes": 268435456
 		},
 		"security_context": {
 			"namespace_options": {

diff --git a/test/testdata/container_sleep.json b/test/testdata/container_sleep.json
@@ -36,7 +36,8 @@
 			"cpu_period": 10000,
 			"cpu_quota": 20000,
 			"cpu_shares": 512,
-			"oom_score_adj": 30
+			"oom_score_adj": 30,
+			"memory_limit_in_bytes": 268435456
 		}
 	}
 }
diff --git a/test/testdata/template_container_config.json b/test/testdata/template_container_config.json
@@ -45,7 +45,8 @@
 			"cpu_period": 10000,
 			"cpu_quota": 20000,
 			"cpu_shares": 512,
-			"oom_score_adj": 30
+			"oom_score_adj": 30,
+			"memory_limit_in_bytes": 268435456
 		},
 		"security_context": {
 			"readonly_rootfs": false,