author | Sebastiaan van Stijn <github@gone.nl> | 2018-12-17 11:23:41 +0100 |
---|---|---|
committer | Sebastiaan van Stijn <github@gone.nl> | 2018-12-18 22:30:56 +0100 |
commit | 57f1305e749cbf909238b407b3437d5859a747e2 (patch) | |
tree | 41eda7fb4d8f2dea85c4fa183dbdc49bb6755389 /daemon/daemon_unix_test.go | |
parent | 419972a71460dd751ddcf882d3fb633a4d09c20f (diff) | |
download | docker-57f1305e749cbf909238b407b3437d5859a747e2.tar.gz |
Move "OOM Kill disable" warning to the daemon
Disabling the oom-killer for a container without setting a memory limit
is dangerous, as it can result in the container consuming unlimited memory,
without the kernel being able to kill it. A check for this situation is currently
done in the CLI, but other consumers of the API won't receive this warning.
This patch adds a check for this situation to the daemon, so that all consumers
of the API will receive this warning.
This patch will have one side-effect; docker cli's that also perform this check
client-side will print the warning twice; this can be addressed by disabling
the cli-side check for newer API versions, but will generate a bit of extra
noise when using an older CLI.
With this patch applied (and a cli that does not take the new warning into account);
```
docker create --oom-kill-disable busybox
WARNING: OOM killer is disabled for the container, but no memory limit is set, this can result in the system running out of resources.
669933b9b237fa27da699483b5cf15355a9027050825146587a0e5be0d848adf
docker run --rm --oom-kill-disable busybox
WARNING: Disabling the OOM killer on containers without setting a '-m/--memory' limit may be dangerous.
WARNING: OOM killer is disabled for the container, but no memory limit is set, this can result in the system running out of resources.
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Diffstat (limited to 'daemon/daemon_unix_test.go')
-rw-r--r-- | daemon/daemon_unix_test.go | 110 |
1 files changed, 110 insertions, 0 deletions
diff --git a/daemon/daemon_unix_test.go b/daemon/daemon_unix_test.go
index 36c6030988..fed00207a5 100644
--- a/daemon/daemon_unix_test.go
+++ b/daemon/daemon_unix_test.go
@@ -11,6 +11,9 @@ import (
 containertypes "github.com/docker/docker/api/types/container"
 "github.com/docker/docker/container"
 "github.com/docker/docker/daemon/config"
+ "github.com/docker/docker/pkg/sysinfo"
+ "gotest.tools/assert"
+ is "gotest.tools/assert/cmp"
 )
 
 type fakeContainerGetter struct {
@@ -266,3 +269,110 @@ func TestNetworkOptions(t *testing.T) {
 t.Fatal("Expected networkOptions error, got nil")
 }
 }
+
+func TestVerifyContainerResources(t *testing.T) {
+ t.Parallel()
+ var (
+ no = false
+ yes = true
+ )
+
+ withMemoryLimit := func(si *sysinfo.SysInfo) {
+ si.MemoryLimit = true
+ }
+ withSwapLimit := func(si *sysinfo.SysInfo) {
+ si.SwapLimit = true
+ }
+ withOomKillDisable := func(si *sysinfo.SysInfo) {
+ si.OomKillDisable = true
+ }
+
+ tests := []struct {
+ name string
+ resources containertypes.Resources
+ sysInfo sysinfo.SysInfo
+ update bool
+ expectedWarnings []string
+ }{
+ {
+ name: "no-oom-kill-disable",
+ resources: containertypes.Resources{},
+ sysInfo: sysInfo(t, withMemoryLimit),
+ expectedWarnings: []string{},
+ },
+ {
+ name: "oom-kill-disable-disabled",
+ resources: containertypes.Resources{
+ OomKillDisable: &no,
+ },
+ sysInfo: sysInfo(t, withMemoryLimit),
+ expectedWarnings: []string{},
+ },
+ {
+ name: "oom-kill-disable-not-supported",
+ resources: containertypes.Resources{
+ OomKillDisable: &yes,
+ },
+ sysInfo: sysInfo(t, withMemoryLimit),
+ expectedWarnings: []string{
+ "Your kernel does not support OomKillDisable. OomKillDisable discarded.",
+ },
+ },
+ {
+ name: "oom-kill-disable-without-memory-constraints",
+ resources: containertypes.Resources{
+ OomKillDisable: &yes,
+ Memory: 0,
+ },
+ sysInfo: sysInfo(t, withMemoryLimit, withOomKillDisable, withSwapLimit),
+ expectedWarnings: []string{
+ "OOM killer is disabled for the container, but no memory limit is set, this can result in the system running out of resources.",
+ },
+ },
+ {
+ name: "oom-kill-disable-with-memory-constraints-but-no-memory-limit-support",
+ resources: containertypes.Resources{
+ OomKillDisable: &yes,
+ Memory: linuxMinMemory,
+ },
+ sysInfo: sysInfo(t, withOomKillDisable),
+ expectedWarnings: []string{
+ "Your kernel does not support memory limit capabilities or the cgroup is not mounted. Limitation discarded.",
+ "OOM killer is disabled for the container, but no memory limit is set, this can result in the system running out of resources.",
+ },
+ },
+ {
+ name: "oom-kill-disable-with-memory-constraints",
+ resources: containertypes.Resources{
+ OomKillDisable: &yes,
+ Memory: linuxMinMemory,
+ },
+ sysInfo: sysInfo(t, withMemoryLimit, withOomKillDisable, withSwapLimit),
+ expectedWarnings: []string{},
+ },
+ }
+ for _, tc := range tests {
+ t.Run(tc.name, func(t *testing.T) {
+ t.Parallel()
+ warnings, err := verifyContainerResources(&tc.resources, &tc.sysInfo, tc.update)
+ assert.NilError(t, err)
+ for _, w := range tc.expectedWarnings {
+ assert.Assert(t, is.Contains(warnings, w))
+ }
+ })
+ }
+}
+
+func sysInfo(t *testing.T, opts ...func(*sysinfo.SysInfo)) sysinfo.SysInfo {
+ t.Helper()
+ si := sysinfo.SysInfo{}
+
+ for _, opt := range opts {
+ opt(&si)
+ }
+
+ if si.OomKillDisable {
+ t.Log(t.Name(), "OOM disable supported")
+ }
+ return si
+} |
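Review bot: The subtest closure in the `for _, tc := range tests` loop reads the shared loop variable `tc` after calling `t.Parallel()`, so with the loop-variable semantics Go had before 1.22 (which this 2018 commit presumably targets) every subtest is likely to run against the last table entry, whose `expectedWarnings` is empty, and the OOM-kill-disable warning is then never actually asserted. Add `tc := tc` as the first statement of the loop body, before `t.Run`. The inner loop also only checks that each expected warning is present, so entries with `expectedWarnings: []string{}` pass whatever the daemon returns; `assert.Equal(t, len(warnings), len(tc.expectedWarnings))` ahead of that loop would catch a missing or spurious warning. Since `verifyContainerResources` receives `&tc.resources`, sharing `tc` across parallel subtests may also be a data race if the function writes to the struct, which this hunk does not show.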