Enabling kmem accounting can break applications on CentOS7

[TvdW]

After upgrading from Docker (CE) 17.05.0 to 17.12.0, these kernel messages started showing up on my machines:

[43073.004575] SLUB: Unable to allocate memory on node -1 (gfp=0x8020)
[43073.022211]   cache: ip6_dst_cache(0:18479a49f76b66461d8fedd17a6eba407f08cc8960bd0246d39df8eb21f20b4f), object size: 448, buffer size: 448, default order: 2, min order: 0
[43073.061420]   node 0: slabs: 74, objs: 2610, free: 0
[43073.077875]   node 1: slabs: 88, objs: 3141, free: 0

I was able to reproduce this on Docker 17.06.0, and eventually traced it to the commit introduced by #1350 which enables kmem accounting for all containers. But as Docker helpfully suggests, kmemcg are experimental before linux 4.0:

$ sudo docker update --kernel-memory 1000g 18479a49f76b
You specified a kernel memory limit on a kernel older than 4.0. Kernel memory limits are experimental on older kernels, it won't work as expected and can cause your system to be unstable.

After a few more tests I was able to reproduce the issue on 17.05.0, by passing --kernel-memory 1000g to docker run. The kernel log slowly fills up (10 messages per hour?) with SLUB warnings, and containers seem far less stable than normal (i.e. they crash).

Steps to reproduce

1. CentOS 7, latest kernel (3.10.0-693.17.1.el7.x86_64)
2. Docker 17.06.0+ or runc with equivalent settings
3. kmem limit unset, mem limit 40G, with 80G free memory left for page caches
4. An application that very heavily uses the local disk to cause caches to build up (in my case Apache Cassandra)

Eventually, these messages will start popping up in the kernel logs, and in rare cases it leads to an application getting killed/crashed.

---

With all of the above said, I'm 99% sure this is a kernel bug related to running an ancient kernel, and runc's patch would at best be a workaround. If only I had a way to get redhat's attention so they can fix it 😃

[hqhq]

@TvdW The root cause is there are kernel memory limit bugs in 3.10, if you don't want to use kernel memory limit because it's not stable on your kernel, the best solution would be to disable kernel memory limit on your kernel.

I can't think of a way to workaround this on runc side without causing issues like #1083 and #1347 , unless we add some ugly logic like do different things for different kernel versions, I'm afraid that won't be an option.

[cizixs]

@hqhq Is there any document on how to disable kernel memory limit?

We're using CentOS 7, and run into a similar problem. It seems CentOS enables kernel memory limit by default even though it's a experimental feature(not sure why), and RunC uses this feature without checking.

[pmoust]

@hqhq cgroup.memory=nokmem is not available on RHEL/CentOS 3.10 (kmem accounting is active in the legacy cgroup hierarchy)

[hqhq]

@cizixs You need to disable CONFIG_MEMCG_KMEM in kernel config and recompile the kernel, or you can help to add an option in runc and other tools on top of runc to disable kmem accounting as I suggested in kubernetes/kubernetes#61937 (comment) .

[jieyu]

I got a bit confused by this ticket. I tested with docker 17.09.0-ce and CentOS 7:

[jie@core-dev memory]$ docker info | grep Version
Server Version: 17.09.0-ce
Kernel Version: 3.10.0-693.5.2.el7.x86_64
[jie@core-dev memory]$ find /sys/fs/cgroup/memory -name memory.limit_in_bytes -type f -print -exec cat {} \; | grep -A 1 docker                                                                                                                                                                                               
/sys/fs/cgroup/memory/docker/c02dfa0697e198453e1f352a4f794dbcd8bda0dbc851fc27031b5395201a5b6e/memory.limit_in_bytes
1073741824
/sys/fs/cgroup/memory/docker/memory.limit_in_bytes
9223372036854771712
[jie@core-dev memory]$ find /sys/fs/cgroup/memory -name memory.kmem.limit_in_bytes -type f -print -exec cat {} \; | grep -A 1 docker
/sys/fs/cgroup/memory/docker/c02dfa0697e198453e1f352a4f794dbcd8bda0dbc851fc27031b5395201a5b6e/memory.kmem.limit_in_bytes
9223372036854771712
/sys/fs/cgroup/memory/docker/memory.kmem.limit_in_bytes
9223372036854771712
[jie@core-dev memory]$ docker inspect c02dfa0697e1 | grep Memory
            "Memory": 1073741824,
            "KernelMemory": 0,
            "MemoryReservation": 0,
            "MemorySwap": 2147483648,
            "MemorySwappiness": null,

I don't see kmem accounting being turned on by default in docker 17.09.0-ce. Am I missing something?

[jieyu]

Ok, I think I get it now because runc will enable the accounting by setting it to 1 first and set it to -1 to just enable the accounting feature
https://github.com/opencontainers/runc/pull/1350/files#diff-b56f02f0dc51a436b542c6d80bdef7e8R68