Package: docker.io
Version: 20.10.5+dfsg1-1+deb11u1
Severity: normal
Hello,
https://docs.docker.com/config/containers/resource_constraints/#limit-a-containers-access-to-memory
--memory-swap imparts no effect.
--memory does impart an effect, but is useless without --memory-swap.
Anon pages will begin to overflow into swap once a workload approaches
its --memory limit. Instead of a quick OOM and workload restart,
the workload will bring down all system perf with swap thrashing.
Docker is using the systemd cgroup driver.
README.Debian includes a note about swapaccount,
but I don't think this caveat applies to cgroups v2 and linux 5.10.
As shown below, swap accounting does appear to work OK.
--- 8< ---
$ docker info
[...]
Server Version: 20.10.5+dfsg1
[...]
Cgroup Driver: systemd
Cgroup Version: 2
--- >8 ---
Here are the relevant bits of the Docker container configuration:
--- 8< ---
$ docker inspect container | jq '.[0].HostConfig.Memory'
25165824
$ docker inspect container | jq '.[0].HostConfig.MemorySwap'
25165824
--- >8 ---
The configuration is faithfully sent to containerd:
--- 8< ---
# ctr --namespace moby c info container-id | jq .Spec.linux.resources.memory
{
"limit": 25165824,
"swap": 25165824
}
--- >8 ---
The swap limit goes missing somewhere between containerd and systemd:
--- 8< ---
# systemctl show docker-container-id.scope | awk -F = '$1 ~ /Memory.*Max/'
MemoryMax=25165824
MemorySwapMax=infinity
--- >8 ---
From the cgroup:
--- 8< ---
# cat memory.swap.max
max
# cat memory.current memory.swap.current
22798336
218423296
--- >8 ---
I would expect memory.swap.max to read zero (swap - limit),
and likewise for memory.swap.current.
I tried to find the missing puzzle piece,
but there are many pieces in this puzzle.
(Is this a runc problem?)
--- 8< ---
$ docker version
Client:
Version: 20.10.5+dfsg1
API version: 1.41
Go version:go1.15.15
Git commit:55c4c88
Built: Sat Dec 4 10:53:03 2021
OS/Arch: linux/amd64
Context: default
Experimental: true
Server:
Engine:
Version: 20.10.5+dfsg1
API version: 1.41 (minimum version 1.12)
Go version: go1.15.15
Git commit: 363e9a8
Built:Sat Dec 4 10:53:03 2021
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.4.13~ds1
GitCommit:1.4.13~ds1-1~deb11u2
runc:
Version: 1.0.0~rc93+ds1
GitCommit:1.0.0~rc93+ds1-5+deb11u2
docker-init:
Version: 0.19.0
GitCommit:
--- >8 ---
-- System Information:
Debian Release: 11.6
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-14-cloud-amd64 (SMP w/8 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages docker.io depends on:
ii adduser 3.118
ii containerd 1.4.13~ds1-1~deb11u2
ii init-system-helpers 1.60
ii iptables 1.8.7-1
ii libc62.31-13+deb11u5
ii libdevmapper1.02.1 2:1.02.175-2.1
ii libsystemd0 247.3-7+deb11u1
ii lsb-base 11.1.0
ii runc 1.0.0~rc93+ds1-5+deb11u2
ii tini 0.19.0-1
Versions of packages docker.io recommends:
pn apparmor
ii ca-certificates 20210119
pn cgroupfs-mount
ii git 1:2.30.2-1
pn needrestart
ii xz-utils 5.2.5-2.1~deb11u1
Versions of packages docker.io suggests:
pn aufs-tools
pn btrfs-progs
pn debootstrap
pn docker-doc
ii e2fsprogs 1.46.2-2
pn rinse
pn rootlesskit
pn xfsprogs
pn zfs-fuse | zfsutils-linux
-- Configuration Files:
/etc/default/docker changed:
DOCKER_OPTS="--bip 172.17.0.1/16 --log-opt max-size=1m --log-opt max-file=2
--live-restore=true --raw-logs --insecure-registry=REDACTED:5000
--insecure-registry=REDACTED:5000"
-- no debconf information