Merge pull request #19843 from giuseppe/clamp-oom-score-adj

linux, rootless: clamp oom_score_adj if it is too low
2025-06-24 11:28:24 +08:00 · 2023-09-05 01:27:22 +02:00
parent 203c2b815a 8b4a79a744
commit 8914caf476
3 changed files with 42 additions and 1 deletions
--- a/docs/source/markdown/options/oom-score-adj.md
+++ b/docs/source/markdown/options/oom-score-adj.md
@ -5,3 +5,7 @@
 #### **--oom-score-adj**=*num*

 Tune the host's OOM preferences for containers (accepts values from **-1000** to **1000**).
+
+When running in rootless mode, the specified value can't be lower than
+the oom_score_adj for the current process. In this case, the
+oom-score-adj is clamped to the current process value.
--- a/pkg/specgen/generate/oci_linux.go
+++ b/pkg/specgen/generate/oci_linux.go
@ -4,7 +4,9 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"os"
 	"path"
+	"strconv"
 	"strings"

 	"github.com/containers/common/libimage"
@ -16,6 +18,7 @@ import (
 	"github.com/containers/podman/v4/pkg/specgen"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
+	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 )

@ -78,6 +81,25 @@ func getCgroupPermissions(unmask []string) string {
 	return ro
 }

+func maybeClampOOMScoreAdj(oomScoreValue int, isRootless bool) (int, error) {
+	if !isRootless {
+		return oomScoreValue, nil
+	}
+	v, err := os.ReadFile("/proc/self/oom_score_adj")
+	if err != nil {
+		return oomScoreValue, err
+	}
+	currentValue, err := strconv.Atoi(strings.TrimRight(string(v), "\n"))
+	if err != nil {
+		return oomScoreValue, err
+	}
+	if currentValue > oomScoreValue {
+		logrus.Warnf("Requested oom_score_adj=%d is lower than the current one, changing to %d", oomScoreValue, currentValue)
+		return currentValue, nil
+	}
+	return oomScoreValue, nil
+}
+
 // SpecGenToOCI returns the base configuration for the container.
 func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runtime, rtc *config.Config, newImage *libimage.Image, mounts []spec.Mount, pod *libpod.Pod, finalCmd []string, compatibleOptions *libpod.InfraInherit) (*spec.Spec, error) {
 	cgroupPerm := getCgroupPermissions(s.Unmask)
@ -321,7 +343,11 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 	}

 	if s.OOMScoreAdj != nil {
-		g.SetProcessOOMScoreAdj(*s.OOMScoreAdj)
+		score, err := maybeClampOOMScoreAdj(*s.OOMScoreAdj, isRootless)
+		if err != nil {
+			return nil, err
+		}
+		g.SetProcessOOMScoreAdj(score)
 	}
 	setProcOpts(s, &g)
 	if s.ReadOnlyFilesystem && !s.ReadWriteTmpfs {
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@ -939,6 +939,17 @@ EOF
    is "$output" "$oomscore" "--oom-score-adj should override containers.conf"
 }

+# issue 19829
+@test "rootless podman clamps oom-score-adj if it is lower than the current one" {
+    skip_if_not_rootless
+    skip_if_remote
+    if grep -- -1000 /proc/self/oom_score_adj; then
+        skip "the current oom-score-adj is already -1000"
+    fi
+    run_podman run --oom-score-adj=-1000 --rm $IMAGE true
+    is "$output" ".*Requested oom_score_adj=.* is lower than the current one, changing to .*"
+}
+
 # CVE-2022-1227 : podman top joins container mount NS and uses nsenter from image
@test "podman top does not use nsenter from image" {
    keepid="--userns=keep-id"