Move "OOM Kill disable" warning to the daemon

Disabling the oom-killer for a container without setting a memory limit is dangerous, as it can result in the container consuming unlimited memory, without the kernel being able to kill it. A check for this situation is curently done in the CLI, but other consumers of the API won't receive this warning. This patch adds a check for this situation to the daemon, so that all consumers of the API will receive this warning. This patch will have one side-effect; docker cli's that also perform this check client-side will print the warning twice; this can be addressed by disabling the cli-side check for newer API versions, but will generate a bit of extra noise when using an older CLI. With this patch applied (and a cli that does not take the new warning into account); ``` docker create --oom-kill-disable busybox WARNING: OOM killer is disabled for the container, but no memory limit is set, this can result in the system running out of resources. 669933b9b237fa27da699483b5cf15355a9027050825146587a0e5be0d848adf docker run --rm --oom-kill-disable busybox WARNING: Disabling the OOM killer on containers without setting a '-m/--memory' limit may be dangerous. WARNING: OOM killer is disabled for the container, but no memory limit is set, this can result in the system running out of resources. ``` Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-09 12:21:53 -05:00 · 2018-12-17 11:23:41 +01:00 · 2018-12-17 11:23:41 +01:00 · 57f1305e74
commit 57f1305e74
parent 419972a714
2 changed files with 114 additions and 1 deletions
--- a/daemon/daemon_unix.go
+++ b/daemon/daemon_unix.go
@ -422,7 +422,10 @@ func verifyContainerResources(resources *containertypes.Resources, sysInfo *sysi
 		}
 		resources.OomKillDisable = nil
 	}
-
+	if resources.OomKillDisable != nil && *resources.OomKillDisable && resources.Memory == 0 {
+		warnings = append(warnings, "OOM killer is disabled for the container, but no memory limit is set, this can result in the system running out of resources.")
+		logrus.Warn("OOM killer is disabled for the container, but no memory limit is set, this can result in the system running out of resources.")
+	}
 	if resources.PidsLimit != 0 && !sysInfo.PidsLimit {
 		warnings = append(warnings, "Your kernel does not support pids limit capabilities or the cgroup is not mounted. PIDs limit discarded.")
 		logrus.Warn("Your kernel does not support pids limit capabilities or the cgroup is not mounted. PIDs limit discarded.")
--- a/daemon/daemon_unix_test.go
+++ b/daemon/daemon_unix_test.go
@ -11,6 +11,9 @@ import (
 	containertypes "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/container"
 	"github.com/docker/docker/daemon/config"
+	"github.com/docker/docker/pkg/sysinfo"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
 )

 type fakeContainerGetter struct {
@ -266,3 +269,110 @@ func TestNetworkOptions(t *testing.T) {
 		t.Fatal("Expected networkOptions error, got nil")
 	}
 }
+
+func TestVerifyContainerResources(t *testing.T) {
+	t.Parallel()
+	var (
+		no  = false
+		yes = true
+	)
+
+	withMemoryLimit := func(si *sysinfo.SysInfo) {
+		si.MemoryLimit = true
+	}
+	withSwapLimit := func(si *sysinfo.SysInfo) {
+		si.SwapLimit = true
+	}
+	withOomKillDisable := func(si *sysinfo.SysInfo) {
+		si.OomKillDisable = true
+	}
+
+	tests := []struct {
+		name             string
+		resources        containertypes.Resources
+		sysInfo          sysinfo.SysInfo
+		update           bool
+		expectedWarnings []string
+	}{
+		{
+			name:             "no-oom-kill-disable",
+			resources:        containertypes.Resources{},
+			sysInfo:          sysInfo(t, withMemoryLimit),
+			expectedWarnings: []string{},
+		},
+		{
+			name: "oom-kill-disable-disabled",
+			resources: containertypes.Resources{
+				OomKillDisable: &no,
+			},
+			sysInfo:          sysInfo(t, withMemoryLimit),
+			expectedWarnings: []string{},
+		},
+		{
+			name: "oom-kill-disable-not-supported",
+			resources: containertypes.Resources{
+				OomKillDisable: &yes,
+			},
+			sysInfo: sysInfo(t, withMemoryLimit),
+			expectedWarnings: []string{
+				"Your kernel does not support OomKillDisable. OomKillDisable discarded.",
+			},
+		},
+		{
+			name: "oom-kill-disable-without-memory-constraints",
+			resources: containertypes.Resources{
+				OomKillDisable: &yes,
+				Memory:         0,
+			},
+			sysInfo: sysInfo(t, withMemoryLimit, withOomKillDisable, withSwapLimit),
+			expectedWarnings: []string{
+				"OOM killer is disabled for the container, but no memory limit is set, this can result in the system running out of resources.",
+			},
+		},
+		{
+			name: "oom-kill-disable-with-memory-constraints-but-no-memory-limit-support",
+			resources: containertypes.Resources{
+				OomKillDisable: &yes,
+				Memory:         linuxMinMemory,
+			},
+			sysInfo: sysInfo(t, withOomKillDisable),
+			expectedWarnings: []string{
+				"Your kernel does not support memory limit capabilities or the cgroup is not mounted. Limitation discarded.",
+				"OOM killer is disabled for the container, but no memory limit is set, this can result in the system running out of resources.",
+			},
+		},
+		{
+			name: "oom-kill-disable-with-memory-constraints",
+			resources: containertypes.Resources{
+				OomKillDisable: &yes,
+				Memory:         linuxMinMemory,
+			},
+			sysInfo:          sysInfo(t, withMemoryLimit, withOomKillDisable, withSwapLimit),
+			expectedWarnings: []string{},
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			warnings, err := verifyContainerResources(&tc.resources, &tc.sysInfo, tc.update)
+			assert.NilError(t, err)
+			for _, w := range tc.expectedWarnings {
+				assert.Assert(t, is.Contains(warnings, w))
+			}
+		})
+	}
+}
+
+func sysInfo(t *testing.T, opts ...func(*sysinfo.SysInfo)) sysinfo.SysInfo {
+	t.Helper()
+	si := sysinfo.SysInfo{}
+
+	for _, opt := range opts {
+		opt(&si)
+	}
+
+	if si.OomKillDisable {
+		t.Log(t.Name(), "OOM disable supported")
+	}
+	return si
+}