It is possible to disable oom killer inside a memory cgroup by writing 1 to memory.oom_control. If a process inside such a cgroup hits the memory limit and is unable to reclaim anything, it will wait until more memory becomes available.
This operation shouldn't be allowed inside container, because (a) disabling oom in a cgroup disables it in all its ascendants and (b) it is impossible to stop a container if there is a process waiting for memory instead of invoking oom killer (freezer will never be able to freeze it). Signed-off-by: Vladimir Davydov <[email protected]> --- mm/memcontrol.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/mm/memcontrol.c b/mm/memcontrol.c index 2b87dbc5c0cd..8747792d69b2 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -5913,6 +5913,9 @@ static int mem_cgroup_oom_control_write(struct cgroup *cgrp, if (!cgrp->parent || !((val == 0) || (val == 1))) return -EINVAL; + if (!ve_is_super(get_exec_env()) && val != 0) + return -EACCES; + memcg->oom_kill_disable = val; if (!val) memcg_oom_recover(memcg); -- 2.1.4 _______________________________________________ Devel mailing list [email protected] https://lists.openvz.org/mailman/listinfo/devel
