[pkg-go] Bug#990263: podman sets oom_score_adj to -1000 for processes inside the container so the system breaks in OOM situations

Max Bruckner max at doo.shop
Thu Jun 24 10:37:35 BST 2021

Package: podman
X-Debbugs-Cc: max at doo.shop
Version: 3.0.1+dfsg1-2+b2
Severity: critical
Justification: breaks the whole system
Tags: newcomer

Dear Maintainer,

when processes inside a podman container consume all the available
memory, system processes start to get killed instead of the process
inside of the container. This is because podman in this version seems to
set an oom_score_adj value of -1000 for all processes inside the

Marked as critical because what would normally just result in a process
being killed by the OOM reaper now affects the entire system to the
point that it isn't accessible via SSH anymore.

This seems to be fixed at least in podman 3.2.1 (tested on Archlinux) but I haven't found a
respective entry in the upstream release notes, so I don't know what version
actually made the fix. I also don't know if the problem is in podman
itself or one of its dependencies or if it is in the upstream version at all.

How to reproduce:

# podman run -it --rm debian sh
# cat /proc/$$/oom_score_adj

I would expect this to show 0 for the oom_score_adj value.

I tried to work around this problem by passing --oom-score-adj=0 to the
podman command, but with no effect (this might be the same bug or
related to a different one).

# podman run -it --rm --oom-score-adj=0 debian sh
# cat /proc/$$/oom_score_adj

What DOES work however is setting a nonzero value:

# podman run -it --rm --oom-score-adj=1 debian sh
# cat /proc/$$/oom_score_adj

This is probably related to a typical golang programming error where 0
values are interpreted as "absence of a value" and a default fallback is
used, but this is just a guess.

-- System Information:
Debian Release: 11.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-7-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages podman depends on:
ii  conmon                           2.0.25+ds1-1
ii  containernetworking-plugins      0.9.0-1+b5
ii  crun                             0.17+dfsg-1
ii  golang-github-containers-common  0.33.4+ds1-1
ii  init-system-helpers              1.60
ii  iptables                         1.8.7-1
ii  libc6                            2.31-12
ii  libdevmapper1.02.1               2:1.02.175-2.1
ii  libgpgme11                       1.14.0-1+b2
ii  libseccomp2                      2.5.1-1

Versions of packages podman recommends:
pn  buildah                                           <none>
pn  catatonit | tini | dumb-init                      <none>
pn  fuse-overlayfs                                    <none>
pn  golang-github-containernetworking-plugin-dnsname  <none>
pn  slirp4netns                                       <none>
pn  uidmap                                            <none>

Versions of packages podman suggests:
pn  containers-storage  <none>
pn  docker-compose      <none>

-- no debconf information
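The zero-value guess at the end of the report, as an added Go example (not podman's code and not part of the report): a resolver that treats 0 as "unset" next to one that tracks whether the option was actually passed. The -1000 default, the function names and the stand-alone flag set are constructed for illustration only.

```go
package main

import (
	"flag"
	"fmt"
)

// Constructed default (the report saw -1000); the kernel accepts oom_score_adj in [-1000, 1000].
const daemonDefault, oomScoreAdjMin, oomScoreAdjMax = -1000, -1000, 1000

// buggyResolve shows the pattern the reporter suspects: 0 is indistinguishable
// from "not set", so --oom-score-adj=0 silently falls back to the default.
func buggyResolve(requested int) int {
	if requested != 0 {
		return requested
	}
	return daemonDefault
}

// fixedResolve honours an explicit 0 by tracking whether the option was given,
// and rejects values the kernel would refuse anyway.
func fixedResolve(requested int, explicitlySet bool) (int, error) {
	if !explicitlySet {
		return daemonDefault, nil
	}
	if requested < oomScoreAdjMin || requested > oomScoreAdjMax {
		return 0, fmt.Errorf("oom-score-adj %d outside [%d, %d]", requested, oomScoreAdjMin, oomScoreAdjMax)
	}
	return requested, nil
}

// parseArgs parses run-style arguments (a constructed flag set, not podman's) and
// uses flag.Visit, which only reports flags actually set, to detect --oom-score-adj.
func parseArgs(args []string) (value int, set bool, err error) {
	fs := flag.NewFlagSet("run", flag.ContinueOnError)
	fs.IntVar(&value, "oom-score-adj", 0, "OOM score adjustment for the container process")
	if err = fs.Parse(args); err != nil {
		return 0, false, err
	}
	fs.Visit(func(f *flag.Flag) { set = set || f.Name == "oom-score-adj" })
	return value, set, nil
}

func main() {
	for _, args := range [][]string{{}, {"--oom-score-adj=0"}, {"--oom-score-adj=1"}} {
		v, set, _ := parseArgs(args)
		fixed, _ := fixedResolve(v, set)
		fmt.Printf("%-22v buggy=%5d fixed=%5d\n", args, buggyResolve(v), fixed)
	}
}
```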