[CVE-2019-5736]: Runc uses more memory during start up after the fix

[Random-Liu]

We observed higher memory usage (likely during container startup) after the fix for CVE 0a8e411.

We had a test that specifies 10m container cgroup limit, which never failed before, but now the container get oom-killed a lot. For example https://gubernator.k8s.io/build/kubernetes-jenkins/logs/ci-containerd-node-e2e-1-2/2500.

kernel: runc:[2:INIT] invoked oom-killer: gfp_mask=0x24000c0, order=0, oom_score_adj=998
kernel: runc:[2:INIT] cpuset=80e651c417ebd71d83e5023ee59b281e585497468bd71ee7c7b3ae6730d9ec8f mems_allowed=0
kernel: CPU: 0 PID: 333 Comm: runc:[2:INIT] Not tainted 4.4.64+ #1
kernel: Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
kernel:  0000000000000000 ffff880003e87ca8 ffffffff9f317334 ffff880003e87d88
kernel:  ffff8800bb3e8000 ffff880003e87d18 ffffffff9f1a8fb4 ffff880003e87ce0
kernel:  ffffffff9f13e780 ffff8800bb3eb500 0000000000000206 ffff880003e87cf0
kernel: Call Trace:
kernel:  [<ffffffff9f317334>] dump_stack+0x63/0x8f
kernel:  [<ffffffff9f1a8fb4>] dump_header+0x65/0x1d4
kernel:  [<ffffffff9f13e780>] ? find_lock_task_mm+0x20/0xb0
kernel:  [<ffffffff9f13ef1d>] oom_kill_process+0x28d/0x430
kernel:  [<ffffffff9f1a3e6b>] ? mem_cgroup_iter+0x1db/0x390
kernel:  [<ffffffff9f1a6374>] mem_cgroup_out_of_memory+0x284/0x2d0
kernel:  [<ffffffff9f1a6de9>] mem_cgroup_oom_synchronize+0x2f9/0x310
kernel:  [<ffffffff9f1a1ab0>] ? memory_high_write+0xc0/0xc0
kernel:  [<ffffffff9f13f5f8>] pagefault_out_of_memory+0x38/0xa0
kernel:  [<ffffffff9f045a27>] mm_fault_error+0x77/0x150
kernel:  [<ffffffff9f046264>] __do_page_fault+0x414/0x420
kernel:  [<ffffffff9f046292>] do_page_fault+0x22/0x30
kernel:  [<ffffffff9f5b1f98>] page_fault+0x28/0x30

It seems to be caused by the memory spike introduced by binary copy. Should we always enforce a minimum memory limit for runc containers in the future?

My runc binary is statically linked:

$ ls -alh usr/local/sbin/runc 
-rwxr-xr-x 1 lantaol primarygroup 7.8M Feb 12 13:46 usr/local/sbin/runc

[cyphar]

Should we always enforce a minimum memory limit for runc containers in the future?

Probably. This is something that has always been quite difficult to do sanely -- because all container limits are applied while runc is still executing. While we do get out of your way eventually, the only safe way of constraining the user process is to limit ourselves first -- so knowing what the minimum limit should be is quite difficult (very low pids limits are hard to set). You could try to do a runc update afterwards...

But yes this would definitely be caused by the copying procedure. One idea I had was to create a temporary overlayfs such that the binary would not be overwritable -- but that has a lot of other issues that made it implausible.

[Ace-Tang]

Also got the memory problem, my runc binary is 11M, one of our test set memory 10m to run, runc create will fail with error

\"process_linux.go:424: container init caused \\\"process_linux.go:390: setting cgroup config for procHooks process caused \\\\\\\"failed to write 10485760 to memory.limit_in_bytes: write /sys/fs/cgroup/memory/default/96cd18b0b87ba67c64b6fe535607c29af30119229328add6658404239a479905/memory.limit_in_bytes: device or resource busy\\\\\\\"\\\"\"

[Random-Liu]

This is a regression. I get some data with docker.

Test Environment

• Machine type: GCE n1-standard-1 (1 vCPU, 3.75 GB memory)
• Docker version:

$ docker version
Client:
 Version:           18.09.0
 API version:       1.39
 Go version:        go1.11.2
 Git commit:        4d60db4
 Built:             Wed Jan 23 19:35:04 2019
 OS/Arch:           linux/amd64
 Experimental:      false
Server:
 Engine:
  Version:          18.09.0
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.11.2
  Git commit:       4d60db4
  Built:            Wed Jan 23 19:34:06 2019
  OS/Arch:          linux/amd64
  Experimental:     false

• runc binaries:

$ ls -alh
total 37M
drwxr-xr-x 2 lantaol lantaol 4.0K Feb 13 10:12 .
drwxr-xr-x 4 lantaol lantaol 4.0K Feb 13 10:11 ..
-rwxr-xr-x 1 lantaol lantaol  11M Feb 13 10:11 runc-dynamic-12f6a991
-rwxr-xr-x 1 lantaol lantaol  11M Feb 13 10:10 runc-dynamic-6635b4f0
-rwxr-xr-x 1 lantaol lantaol 7.7M Feb 13 10:05 runc-static-12f6a991
-rwxr-xr-x 1 lantaol lantaol 7.8M Feb 13 09:57 runc-static-6635b4f0

Dynamically linked binaries are built with make BUILDTAGS="seccomp apparmor".
Statically linked binaries are built with make static BUILDTAGS="seccomp apparmor".
12f6a99 is the last runc version we use in containerd.
6635b4f is the new runc version with the CVE fix.

• Golang version:

$ go version
go version go1.11.2 linux/amd64

Test Result

• runc-dynamic-12f6a991:

# Memory limit too low, can't even create the container.
$ docker run -m=4m busybox ls
docker: Error response from daemon: OCI runtime create failed: container_linux.go:344: starting container process caused "process_linux.go:424: container init caused \"process_linux.go:390: setting cgroup config for procHooks process caused \\\"failed to write 4194304 to memory.limit_in_bytes: write /sys/fs/cgroup/memory/docker/5031f5b2cf99b84da41e24836524fb4ae736d6bc4886ce2e0e75c1f43820803f/memory.limit_in_bytes: device or resource busy\\\"\"": unknown.

# Memory limit is high enough to create the container, but the init process gets OOM killed right away.
$ docker run -m=5m busybox ls
docker: Error response from daemon: cannot start a stopped process: unknown.

# Memory limit is enough to run the container.
$ docker run -m=6m busybox ls
# ok

• runc-dynamic-6635b4f0:

$ docker run -m=15m busybox ls
docker: Error response from daemon: OCI runtime create failed: container_linux.go:344: starting container process caused "process_linux.go:424: container init caused \"process_linux.go:390: setting cgroup config for procHooks process caused \\\"failed to write 15938355 to memory.limit_in_bytes: write /sys/fs/cgroup/memory/docker/6650dbb7f2a8fc8ae58b3ce3d365be8c716321d253d8d29f140e1d45e0dfa818/memory.limit_in_bytes: device or resource busy\\\"\"": unknown.

$ docker run -m=15.5m busybox ls
docker: Error response from daemon: cannot start a stopped process: unknown.

$ docker run -m=16m busybox ls
# ok

• runc-static-12f6a991:

$ docker run -m=4m busybox ls
# ok

• runc-static-6635b4f0:

$ docker run -m=9.2m busybox ls
docker: Error response from daemon: OCI runtime create failed: container_linux.go:344: starting container process caused "process_linux.go:424: container init caused \"process_linux.go:390: setting cgroup config for procHooks process caused \\\"failed to write 9646899 to memory.limit_in_bytes: write /sys/fs/cgroup/memory/docker/bf1ec70dc29ee0a823ba6aebf2a88633cd875e08715f12651451073e86437fc3/memory.limit_in_bytes: device or resource busy\\\"\"": unknown.

$ docker run -m=9.3m busybox ls
docker: Error response from daemon: cannot start a stopped process: unknown.

$ docker run -m=10m busybox ls
# ok

Conclusion

We need to set higher memory limit for the container to run, and the minimum limit is larger than the runc binary size
Before 6635b4f, the minimum limit is not that high, and much lower than the runc binary size.
This is a regression to users, their existing workloads may not run without tweaking memory limit.

[crosbymichael]

A good long term fix is to move all the runc init code to C. This should be fairly simple as most of it is system level syscalls. cgroups can remain implemented in Go as it is set by the calling process.

[giuseppe]

A good long term fix is to move all the runc init code to C. This should be fairly simple as most of it is system level syscalls. cgroups can remain implemented in Go as it is set by the calling process.

would that be a separate binary?

[crosbymichael]

@giuseppe I was thinking same binary, we just never allow it to exec into the go runtime. Maybe that is not possible and we will have the same issue, it's something we would have to look into.

I know you have a C implementation, it would be interesting to see where we can combine the two as there are still some areas that are easier to write and maintain in Go and others where C makes more sense, like the init.

[giuseppe]

I know you have a C implementation, it would be interesting to see where we can combine the two as there are still some areas that are easier to write and maintain in Go and others where C makes more sense, like the init.

that would be great. If there is anything I can do to help out, just let me know :-)