Your message dated Fri, 16 Jul 2021 13:18:40 +0000
with message-id <[email protected]>
and subject line Bug#990263: fixed in conmon 2.0.25+ds1-1.1
has caused the Debian Bug report #990263,
regarding podman sets oom_score_adj to -1000 for processes inside the container 
so the system breaks in OOM situations
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
990263: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990263
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: podman
X-Debbugs-Cc: [email protected]
Version: 3.0.1+dfsg1-2+b2
Severity: critical
Justification: breaks the whole system
Tags: newcomer

Dear Maintainer,

when processes inside a podman container consume all the available
memory, system processes start to get killed instead of the process
inside of the container. This is because podman in this version seems to
set an oom_score_adj value of -1000 for all processes inside the
container.

Marked as critical because what would normally just result in a process
being killed by the OOM reaper now affects the entire system to the
point that it isn't accessible via SSH anymore.

This seems to be fixed at least in podman 3.2.1 (tested on Archlinux) but I
haven't found a respective entry in the upstream release notes, so I don't
know what version actually made the fix. I also don't know if the problem is
in podman itself or one of its dependencies or if it is in the upstream
version at all.

How to reproduce:

```
# podman run -it --rm debian sh
# cat /proc/$$/oom_score_adj
-1000
```

I would expect this to show 0 for the oom_score_adj value.

I tried to work around this problem by passing --oom-score-adj=0 to the
podman command, but with no effect (this might be the same bug or
related to a different one).

```
# podman run -it --rm --oom-score-adj=0 debian sh
# cat /proc/$$/oom_score_adj
-1000
```

What DOES work however is setting a nonzero value:

```
# podman run -it --rm --oom-score-adj=1 debian sh
# cat /proc/$$/oom_score_adj
1
```

This is probably related to a typical golang programming error where 0
values are interpreted as "absence of a value" and a default fallback is
used, but this is just a guess.


-- System Information:
Debian Release: 11.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-7-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages podman depends on:
ii  conmon                           2.0.25+ds1-1
ii  containernetworking-plugins      0.9.0-1+b5
ii  crun                             0.17+dfsg-1
ii  golang-github-containers-common  0.33.4+ds1-1
ii  init-system-helpers              1.60
ii  iptables                         1.8.7-1
ii  libc6                            2.31-12
ii  libdevmapper1.02.1               2:1.02.175-2.1
ii  libgpgme11                       1.14.0-1+b2
ii  libseccomp2                      2.5.1-1

Versions of packages podman recommends:
pn  buildah                                           <none>
pn  catatonit | tini | dumb-init                      <none>
pn  fuse-overlayfs                                    <none>
pn  golang-github-containernetworking-plugin-dnsname  <none>
pn  slirp4netns                                       <none>
pn  uidmap                                            <none>

Versions of packages podman suggests:
pn  containers-storage  <none>
pn  docker-compose      <none>

-- no debconf information

--- End Message ---
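
The report checks one shell with `cat /proc/$$/oom_score_adj`; the same check can be run across every process on a host to see which ones are exempt from the OOM killer. The following is an added example, not part of the original report and not code from podman or conmon. The function name `find_oom_exempt` and its optional proc-root argument are assumptions of this example, introduced so the scan can be pointed at a constructed directory tree.

```sh
#!/bin/sh
# Added example: list processes whose oom_score_adj equals a given value.
# The default of -1000 is the value shown in the report, which exempts a
# process from the OOM killer.
#
# Arguments (both hypothetical, specific to this example):
#   $1  proc root to scan (default /proc)
#   $2  oom_score_adj value to look for (default -1000)
# Output: one line per match, "pid<TAB>comm<TAB>first cgroup line".

find_oom_exempt() {
    proc_root=${1:-/proc}
    want=${2:--1000}
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/oom_score_adj" ] || continue
        # A process may exit between the glob and the read; skip it then.
        adj=$(cat "$dir/oom_score_adj" 2>/dev/null) || continue
        [ "$adj" = "$want" ] || continue
        pid=${dir##*/}
        comm=$(cat "$dir/comm" 2>/dev/null) || comm='?'
        # The cgroup path shows which slice or scope the process runs in.
        cgroup=$(head -n 1 "$dir/cgroup" 2>/dev/null) || cgroup='?'
        printf '%s\t%s\t%s\n' "$pid" "$comm" "$cgroup"
    done
}

# Usage on a live system:
#   find_oom_exempt            # every process at -1000
#   find_oom_exempt /proc 0    # every process at the expected default
```

The cgroup column is there to tell container payloads apart from host services that set the value on purpose.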
--- Begin Message ---
Source: conmon
Source-Version: 2.0.25+ds1-1.1
Done: Adrian Bunk <[email protected]>

We believe that the bug you reported is fixed in the latest version of
conmon, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated conmon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Wed, 14 Jul 2021 20:46:07 +0300
Source: conmon
Architecture: source
Version: 2.0.25+ds1-1.1
Distribution: unstable
Urgency: medium
Maintainer: Podman Packaging Team <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 990263
Changes:
 conmon (2.0.25+ds1-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Add upstream fix to not make container runtime processes
     unkillable. (Closes: #990263)

--- End Message ---
