From 2347f98003af34dd1cfd290bf0f2cc7e6ae07b03 Mon Sep 17 00:00:00 2001 From: Qiang Huang Date: Wed, 9 Dec 2015 14:26:41 +0800 Subject: [PATCH] Check minimum kernel memory limit to be 4M Fixes: #18405 Signed-off-by: Qiang Huang --- daemon/daemon_unix.go | 7 ++++++- docs/reference/api/docker_remote_api.md | 1 + docs/reference/run.md | 4 ++-- integration-cli/docker_cli_run_unix_test.go | 11 ++++++++++- 4 files changed, 19 insertions(+), 4 deletions(-) diff --git a/daemon/daemon_unix.go b/daemon/daemon_unix.go index 1cceaa4e7e..a386535fd0 100755 --- a/daemon/daemon_unix.go +++ b/daemon/daemon_unix.go @@ -40,6 +40,8 @@ const ( linuxMinCPUShares = 2 linuxMaxCPUShares = 262144 platformSupported = true + // It's not kernel limit, we want this 4M limit to supply a reasonable functional container + linuxMinMemory = 4194304 ) func getBlkioWeightDevices(config *runconfig.HostConfig) ([]*blkiodev.WeightDevice, error) { @@ -194,7 +196,7 @@ func verifyPlatformContainerSettings(daemon *Daemon, hostConfig *runconfig.HostC } // memory subsystem checks and adjustments - if hostConfig.Memory != 0 && hostConfig.Memory < 4194304 { + if hostConfig.Memory != 0 && hostConfig.Memory < linuxMinMemory { return warnings, fmt.Errorf("Minimum memory limit allowed is 4MB") } if hostConfig.Memory > 0 && !sysInfo.MemoryLimit { @@ -238,6 +240,9 @@ func verifyPlatformContainerSettings(daemon *Daemon, hostConfig *runconfig.HostC logrus.Warnf("Your kernel does not support kernel memory limit capabilities. Limitation discarded.") hostConfig.KernelMemory = 0 } + if hostConfig.KernelMemory > 0 && hostConfig.KernelMemory < linuxMinMemory { + return warnings, fmt.Errorf("Minimum kernel memory limit allowed is 4MB") + } if hostConfig.KernelMemory > 0 && !checkKernelVersion(4, 0, 0) { warnings = append(warnings, "You specified a kernel memory limit on a kernel older than 4.0. Kernel memory limits are experimental on older kernels, it won't work as expected and can cause your system to be unstable.") logrus.Warnf("You specified a kernel memory limit on a kernel older than 4.0. Kernel memory limits are experimental on older kernels, it won't work as expected and can cause your system to be unstable.") diff --git a/docs/reference/api/docker_remote_api.md b/docs/reference/api/docker_remote_api.md index 50c809325b..77b9559fb3 100644 --- a/docs/reference/api/docker_remote_api.md +++ b/docs/reference/api/docker_remote_api.md @@ -102,6 +102,7 @@ This section lists each version from latest to oldest. Each listing includes a * `GET /version` now returns the `BuildTime` field in RFC3339Nano format to make it consistent with other date/time values returned by the API. * `AuthConfig` now supports a `registrytoken` for token based authentication +* `POST /containers/create` now has a 4M minimum value limit for `HostConfig.KernelMemory` ### v1.21 API changes diff --git a/docs/reference/run.md b/docs/reference/run.md index 4cbe3ec140..160ad986c7 100644 --- a/docs/reference/run.md +++ b/docs/reference/run.md @@ -619,10 +619,10 @@ container: | Option | Description | | -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | -| `-m`, `--memory=""` | Memory limit (format: `[]`). Number is a positive integer. Unit can be one of `b`, `k`, `m`, or `g`. | +| `-m`, `--memory=""` | Memory limit (format: `[]`). Number is a positive integer. Unit can be one of `b`, `k`, `m`, or `g`. Minimum is 4M. | | `--memory-swap=""` | Total memory limit (memory + swap, format: `[]`). Number is a positive integer. Unit can be one of `b`, `k`, `m`, or `g`. | | `--memory-reservation=""` | Memory soft limit (format: `[]`). Number is a positive integer. Unit can be one of `b`, `k`, `m`, or `g`. | -| `--kernel-memory=""` | Kernel memory limit (format: `[]`). Number is a positive integer. Unit can be one of `b`, `k`, `m`, or `g`. | +| `--kernel-memory=""` | Kernel memory limit (format: `[]`). Number is a positive integer. Unit can be one of `b`, `k`, `m`, or `g`. Minimum is 4M. | | `-c`, `--cpu-shares=0` | CPU shares (relative weight) | | `--cpu-period=0` | Limit the CPU CFS (Completely Fair Scheduler) period | | `--cpuset-cpus=""` | CPUs in which to allow execution (0-3, 0,1) | diff --git a/integration-cli/docker_cli_run_unix_test.go b/integration-cli/docker_cli_run_unix_test.go index b6cd0534a5..453cc2dba3 100644 --- a/integration-cli/docker_cli_run_unix_test.go +++ b/integration-cli/docker_cli_run_unix_test.go @@ -169,10 +169,19 @@ func (s *DockerSuite) TestRunWithKernelMemory(c *check.C) { out, err := inspectField("test1", "HostConfig.KernelMemory") c.Assert(err, check.IsNil) c.Assert(out, check.Equals, "52428800") +} + +func (s *DockerSuite) TestRunWithInvalidKernelMemory(c *check.C) { + testRequires(c, kernelMemorySupport) + + out, _, err := dockerCmdWithError("run", "--kernel-memory", "2M", "busybox", "true") + c.Assert(err, check.NotNil) + expected := "Minimum kernel memory limit allowed is 4MB" + c.Assert(out, checker.Contains, expected) out, _, err = dockerCmdWithError("run", "--kernel-memory", "-16m", "--name", "test2", "busybox", "echo", "test") - expected := "invalid size" c.Assert(err, check.NotNil) + expected = "invalid size" c.Assert(out, checker.Contains, expected) }