On 11.09.2015 15:21, Vladimir Davydov wrote:
> It is possible to disable oom killer inside a memory cgroup by writing 1
> to memory.oom_control. If a process inside such a cgroup hits the memory
> limit and is unable to reclaim anything, it will wait until more memory
> becomes available.
>
> This operation shouldn't be allowed inside container, because (a)
> disabling oom in a cgroup disables it in all its ascendants and (b) it
> is impossible to stop a container if there is a process waiting for
> memory instead of invoking oom killer (freezer will never be able to
> freeze it).
>
> Signed-off-by: Vladimir Davydov <[email protected]>
Reviewed-by: Kirill Tkhai <[email protected]> > --- > mm/memcontrol.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/mm/memcontrol.c b/mm/memcontrol.c > index 2b87dbc5c0cd..8747792d69b2 100644 > --- a/mm/memcontrol.c > +++ b/mm/memcontrol.c > @@ -5913,6 +5913,9 @@ static int mem_cgroup_oom_control_write(struct cgroup > *cgrp, > if (!cgrp->parent || !((val == 0) || (val == 1))) > return -EINVAL; > > + if (!ve_is_super(get_exec_env()) && val != 0) > + return -EACCES; > + > memcg->oom_kill_disable = val; > if (!val) > memcg_oom_recover(memcg);
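Review bot: the new `ve_is_super(get_exec_env())` test placed just before `memcg->oom_kill_disable = val;` carries no comment, and the reason for it is not recoverable from the code alone. A short comment stating that a task waiting for memory with the OOM killer disabled can never be frozen, so a container must not be able to set this flag, would keep the check from being dropped in a later rework. The test is also made on the writer's execution environment rather than on the target cgroup, and `val == 0` is still accepted from inside a container, so a container can re-enable OOM killing on a cgroup where the host had disabled it; if that is intended, the comment should say so.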
