mszywala commented 8 months ago

Required information

Distribution: Ubuntu
Distribution version: 22.04.3 LTS

The output of "snap list --all lxd core20 core22 core24 snapd":

Name    Version        Rev    Tracking       Publisher   Notes
core20  20231123       2105   latest/stable  canonical✓  base,disabled
core20  20240111       2182   latest/stable  canonical✓  base
lxd     5.0.2-d4d8da9  26741  5.0/stable     canonical✓  disabled,held
lxd     5.0.3-51452c3  26881  5.0/stable     canonical✓  held
snapd   2.61.1         20671  latest/stable  canonical✓  snapd,disabled
snapd   2.61.2         21184  latest/stable  canonical✓  snapd

The output of "lxc info" or if that fails:

config:
core.https_address: CENSORED
images.auto_update_interval: "0"
api_extensions:
- storage_zfs_remove_snapshots
- container_host_shutdown_timeout
- container_stop_priority
- container_syscall_filtering
- auth_pki
- container_last_used_at
- etag
- patch
- usb_devices
- https_allowed_credentials
- image_compression_algorithm
- directory_manipulation
- container_cpu_time
- storage_zfs_use_refquota
- storage_lvm_mount_options
- network
- profile_usedby
- container_push
- container_exec_recording
- certificate_update
- container_exec_signal_handling
- gpu_devices
- container_image_properties
- migration_progress
- id_map
- network_firewall_filtering
- network_routes
- storage
- file_delete
- file_append
- network_dhcp_expiry
- storage_lvm_vg_rename
- storage_lvm_thinpool_rename
- network_vlan
- image_create_aliases
- container_stateless_copy
- container_only_migration
- storage_zfs_clone_copy
- unix_device_rename
- storage_lvm_use_thinpool
- storage_rsync_bwlimit
- network_vxlan_interface
- storage_btrfs_mount_options
- entity_description
- image_force_refresh
- storage_lvm_lv_resizing
- id_map_base
- file_symlinks
- container_push_target
- network_vlan_physical
- storage_images_delete
- container_edit_metadata
- container_snapshot_stateful_migration
- storage_driver_ceph
- storage_ceph_user_name
- resource_limits
- storage_volatile_initial_source
- storage_ceph_force_osd_reuse
- storage_block_filesystem_btrfs
- resources
- kernel_limits
- storage_api_volume_rename
- macaroon_authentication
- network_sriov
- console
- restrict_devlxd
- migration_pre_copy
- infiniband
- maas_network
- devlxd_events
- proxy
- network_dhcp_gateway
- file_get_symlink
- network_leases
- unix_device_hotplug
- storage_api_local_volume_handling
- operation_description
- clustering
- event_lifecycle
- storage_api_remote_volume_handling
- nvidia_runtime
- container_mount_propagation
- container_backup
- devlxd_images
- container_local_cross_pool_handling
- proxy_unix
- proxy_udp
- clustering_join
- proxy_tcp_udp_multi_port_handling
- network_state
- proxy_unix_dac_properties
- container_protection_delete
- unix_priv_drop
- pprof_http
- proxy_haproxy_protocol
- network_hwaddr
- proxy_nat
- network_nat_order
- container_full
- candid_authentication
- backup_compression
- candid_config
- nvidia_runtime_config
- storage_api_volume_snapshots
- storage_unmapped
- projects
- candid_config_key
- network_vxlan_ttl
- container_incremental_copy
- usb_optional_vendorid
- snapshot_scheduling
- snapshot_schedule_aliases
- container_copy_project
- clustering_server_address
- clustering_image_replication
- container_protection_shift
- snapshot_expiry
- container_backup_override_pool
- snapshot_expiry_creation
- network_leases_location
- resources_cpu_socket
- resources_gpu
- resources_numa
- kernel_features
- id_map_current
- event_location
- storage_api_remote_volume_snapshots
- network_nat_address
- container_nic_routes
- rbac
- cluster_internal_copy
- seccomp_notify
- lxc_features
- container_nic_ipvlan
- network_vlan_sriov
- storage_cephfs
- container_nic_ipfilter
- resources_v2
- container_exec_user_group_cwd
- container_syscall_intercept
- container_disk_shift
- storage_shifted
- resources_infiniband
- daemon_storage
- instances
- image_types
- resources_disk_sata
- clustering_roles
- images_expiry
- resources_network_firmware
- backup_compression_algorithm
- ceph_data_pool_name
- container_syscall_intercept_mount
- compression_squashfs
- container_raw_mount
- container_nic_routed
- container_syscall_intercept_mount_fuse
- container_disk_ceph
- virtual-machines
- image_profiles
- clustering_architecture
- resources_disk_id
- storage_lvm_stripes
- vm_boot_priority
- unix_hotplug_devices
- api_filtering
- instance_nic_network
- clustering_sizing
- firewall_driver
- projects_limits
- container_syscall_intercept_hugetlbfs
- limits_hugepages
- container_nic_routed_gateway
- projects_restrictions
- custom_volume_snapshot_expiry
- volume_snapshot_scheduling
- trust_ca_certificates
- snapshot_disk_usage
- clustering_edit_roles
- container_nic_routed_host_address
- container_nic_ipvlan_gateway
- resources_usb_pci
- resources_cpu_threads_numa
- resources_cpu_core_die
- api_os
- container_nic_routed_host_table
- container_nic_ipvlan_host_table
- container_nic_ipvlan_mode
- resources_system
- images_push_relay
- network_dns_search
- container_nic_routed_limits
- instance_nic_bridged_vlan
- network_state_bond_bridge
- usedby_consistency
- custom_block_volumes
- clustering_failure_domains
- resources_gpu_mdev
- console_vga_type
- projects_limits_disk
- network_type_macvlan
- network_type_sriov
- container_syscall_intercept_bpf_devices
- network_type_ovn
- projects_networks
- projects_networks_restricted_uplinks
- custom_volume_backup
- backup_override_name
- storage_rsync_compression
- network_type_physical
- network_ovn_external_subnets
- network_ovn_nat
- network_ovn_external_routes_remove
- tpm_device_type
- storage_zfs_clone_copy_rebase
- gpu_mdev
- resources_pci_iommu
- resources_network_usb
- resources_disk_address
- network_physical_ovn_ingress_mode
- network_ovn_dhcp
- network_physical_routes_anycast
- projects_limits_instances
- network_state_vlan
- instance_nic_bridged_port_isolation
- instance_bulk_state_change
- network_gvrp
- instance_pool_move
- gpu_sriov
- pci_device_type
- storage_volume_state
- network_acl
- migration_stateful
- disk_state_quota
- storage_ceph_features
- projects_compression
- projects_images_remote_cache_expiry
- certificate_project
- network_ovn_acl
- projects_images_auto_update
- projects_restricted_cluster_target
- images_default_architecture
- network_ovn_acl_defaults
- gpu_mig
- project_usage
- network_bridge_acl
- warnings
- projects_restricted_backups_and_snapshots
- clustering_join_token
- clustering_description
- server_trusted_proxy
- clustering_update_cert
- storage_api_project
- server_instance_driver_operational
- server_supported_storage_drivers
- event_lifecycle_requestor_address
- resources_gpu_usb
- clustering_evacuation
- network_ovn_nat_address
- network_bgp
- network_forward
- custom_volume_refresh
- network_counters_errors_dropped
- metrics
- image_source_project
- clustering_config
- network_peer
- linux_sysctl
- network_dns
- ovn_nic_acceleration
- certificate_self_renewal
- instance_project_move
- storage_volume_project_move
- cloud_init
- network_dns_nat
- database_leader
- instance_all_projects
- clustering_groups
- ceph_rbd_du
- instance_get_full
- qemu_metrics
- gpu_mig_uuid
- event_project
- clustering_evacuation_live
- instance_allow_inconsistent_copy
- network_state_ovn
- storage_volume_api_filtering
- image_restrictions
- storage_zfs_export
- network_dns_records
- storage_zfs_reserve_space
- network_acl_log
- storage_zfs_blocksize
- metrics_cpu_seconds
- instance_snapshot_never
- certificate_token
- instance_nic_routed_neighbor_probe
- event_hub
- agent_nic_config
- projects_restricted_intercept
- metrics_authentication
- images_target_project
- cluster_migration_inconsistent_copy
- cluster_ovn_chassis
- container_syscall_intercept_sched_setscheduler
- storage_lvm_thinpool_metadata_size
- storage_volume_state_total
- instance_file_head
- resources_pci_vpd
- qemu_raw_conf
- storage_cephfs_fscache
- vsock_api
- storage_volumes_all_projects
- projects_networks_restricted_access
- cluster_join_token_expiry
- remote_token_expiry
- init_preseed
- cpu_hotplug
- storage_pool_source_wipe
- zfs_block_mode
- instance_generation_id
- disk_io_cache
- storage_pool_loop_resize
- migration_vm_live
- auth_user
- instances_state_total
- numa_cpu_placement
- network_allocations
- storage_api_remote_volume_snapshot_copy
- zfs_delegate
- operations_get_query_all_projects
- event_lifecycle_name_and_project
- instances_nic_limits_priority
- operation_wait
- cluster_internal_custom_volume_copy
- instance_move_config
api_status: stable
api_version: "1.0"
auth: trusted
public: false
auth_methods:
- tls
auth_user_name: root
auth_user_method: unix
environment:
addresses:
- CENSORED:8443
architectures:
- x86_64
- i686
certificate: |
CENSORED
certificate_fingerprint: CENSORED
driver: lxc | qemu
driver_version: 5.0.3 | 8.0.5
firewall: nftables
kernel: Linux
kernel_architecture: x86_64
kernel_features:
idmapped_mounts: "true"
netnsid_getifaddrs: "true"
seccomp_listener: "true"
seccomp_listener_continue: "true"
shiftfs: "true"
uevent_injection: "true"
unpriv_fscaps: "true"
kernel_version: 5.15.0-91-generic
lxc_features:
cgroup2: "true"
core_scheduling: "true"
devpts_fd: "true"
idmapped_mounts_v2: "true"
mount_injection_file: "true"
network_gateway_device_route: "true"
network_ipvlan: "true"
network_l2proxy: "true"
network_phys_macvlan_mtu: "true"
network_veth_router: "true"
pidfd: "true"
seccomp_allow_deny_syntax: "true"
seccomp_notify: "true"
seccomp_proxy_send_notify_fd: "true"
os_name: Ubuntu
os_version: "22.04"
project: default
server: lxd
server_clustered: false
server_event_mode: full-mesh
server_name: CENSORED
server_pid: 55551
server_version: 5.0.3
storage: dir
storage_version: "1"
storage_supported_drivers:
- name: ceph
version: 15.2.17
remote: true
- name: cephfs
version: 15.2.17
remote: true
- name: cephobject
version: 15.2.17
remote: true
- name: dir
version: "1"
remote: false
- name: lvm
version: 2.03.07(2) (2019-11-30) / 1.02.167 (2019-11-30) / 4.45.0
remote: false
- name: zfs
version: 2.1.5-1ubuntu6~22.04.1
remote: false
- name: btrfs
version: 5.4.1
remote: false

Kernel version: 5.15.0-91-generic
LXC version: 5.0.3
LXD version: 5.0.3
Storage backend in use: dir with XFS

Issue description

We are running multiple system containers and recently experienced freezing of whole containers, when they were reaching/exceeding memory.high. After reading through: https://docs.kernel.org/admin-guide/cgroup-v2.html. I noticed the following:

memory.high A read-write single value file which exists on non-root cgroups. The default is "max".

Memory usage throttle limit. If a cgroup's usage goes over the high boundary, the processes of the cgroup are throttled and put under heavy reclaim pressure.

Going over the high limit never invokes the OOM killer and under extreme conditions the limit may be breached. The high limit should be used in scenarios where an external process monitors the limited cgroup to alleviate heavy reclaim pressure.

Because the OOM killer is never invoked, containers start to freeze.

There was an issue that caused a change to using memory.high instead of memory.low: https://github.com/canonical/lxd/issues/11239 The changes from using memory.low to using memory.high seem not to be a great default. https://github.com/canonical/lxd/commit/d573ae013cdad459204eb60314be7b67b8f62bcd As far as I understand, regarding the issue above, it should be implemented differently than it currently is. Maybe another approach could also solve the issue.

# cat /sys/fs/cgroup/lxc.payload.s-c-1-srv-a/memory.max
2147483648
# cat /sys/fs/cgroup/lxc.payload.s-c-1-srv-a/memory.high
1932734464

As I understand, the issue above (https://github.com/canonical/lxd/issues/11239) wanted to archive the following for limits.memory.enforce=hard (the default):

# cat /sys/fs/cgroup/lxc.payload.s-c-1-srv-a/memory.low
1932734464
# cat /sys/fs/cgroup/lxc.payload.s-c-1-srv-a/memory.high
max
# cat /sys/fs/cgroup/lxc.payload.s-c-1-srv-a/memory.max
2147483648

And for limits.memory.enfoce=soft this:

# cat /sys/fs/cgroup/lxc.payload.s-c-1-srv-a/memory.low
2147483648
# cat /sys/fs/cgroup/lxc.payload.s-c-1-srv-a/memory.high
max
# cat /sys/fs/cgroup/lxc.payload.s-c-1-srv-a/memory.max
max

Steps to reproduce

Create an Ubuntu 22.04 Container
Run an application that consumes so much RAM that it exceeds the limit of memory.high (For example, a Java application)
The container becomes slow/unresponsive and freezes after a few seconds/minutes. Depending on the workload.

Information to attach

[X] Any relevant kernel output (dmesg) Nothing relevant
[X] Container log (lxc info NAME --show-log) Nothing relevant

[X] Container configuration (lxc config show NAME --expanded)

architecture: x86_64
config:
boot.autostart: "false"
environment.TZ: Europe/Berlin
image.architecture: amd64
image.description: Ubuntu jammy amd64 (20230904_16:43)
image.name: ubuntu-jammy-amd64-default-20230904_16:43
image.os: ubuntu
image.release: jammy
image.serial: "20230904_16:43"
image.variant: default
limits.cpu: 0-0
limits.memory: 2048MiB
limits.memory.swap: "false"
limits.processes: "3000"
raw.lxc: lxc.apparmor.profile=unconfined
security.devlxd: "false"
security.nesting: "false"
security.privileged: "false"
user.backup.server: enabled
user.disabled: "false"
user.modus: server
user.type: server
volatile.base_image: bd5696be7d1afe1de73ce1b4e963398eac3daff8c90c1f6f57d6ee6055cd4968
volatile.cloud-init.instance-id: 9499dd97-a760-4fa5-afbd-20880de37cee
volatile.eth0.host_name: veth53266a36
volatile.eth0.hwaddr: 00:16:3e:29:b5:fd
volatile.idmap.base: "0"
volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
volatile.last_state.idmap: '[]'
volatile.last_state.power: RUNNING
volatile.uuid: b9e780be-f7d4-45b9-ad86-9be03910d83f
volatile.uuid.generation: b9e780be-f7d4-45b9-ad86-9be03910d83f
devices:
eth0:
ipv4.address: 10.20.72.51
ipv4.neighbor_probe: "false"
ipv6.address: fd00::72:51:10
name: eth0
nictype: routed
parent: br0
type: nic
root:
path: /
pool: default
size: 25600MiB
type: disk
tun:
path: /dev/net/tun
type: unix-char
volume-1-/var/lib/mysql:
path: /var/lib/mysql
source: /mnt/container/containers-volumes/s-c-1-srv-a/volume-1
type: disk
ephemeral: false
profiles: []
stateful: false
description: ""

[X] Main daemon log (at /var/log/lxd/lxd.log or /var/snap/lxd/common/lxd/logs/lxd.log) Nothing relevant
[X] Output of the client with --debug Nothing relevant
[X] Output of the daemon with --debug (alternatively output of lxc monitor while reproducing the issue) Nothing relevant from lxc monitor

tomponline commented 8 months ago

@mihalicyn please can you investigate this and confirm if its an issue in the latest/edge and 5.0/edge channels? Thanks

mihalicyn commented 7 months ago

Hi @mszywala

Thanks for your report!

Do I understand correctly, that you using limits.memory.enforce=soft for your containers?

Because the OOM killer is never invoked, containers start to freeze.

If you want OOM to be invoked, you need to use limits.memory.enforce=hard which will set memory.max limit.

Speaking about setting memory.low we just ignore this knob completely in LXD and it is not about soft limits at all. This soft/hard limit semantics comes from cgroup-v1 era, where we had explicit soft and hard limit knobs (memory.soft_limit_in_bytes (https://github.com/torvalds/linux/blob/a4145ce1e7bc247fd6f2846e8699473448717b37/mm/memcontrol.c#L4087) and memory.limit_in_bytes). In cgroup-v2 we don't have an explicit analog of soft limit at all. So, it looks reasonable to use memory.high as a soft limit, so your process won't be killed by OOM but will be forced to reclaim every time when pagefault occurs on allocation. At the same time, for hard limit we just use memory.max (https://github.com/torvalds/linux/blob/a4145ce1e7bc247fd6f2846e8699473448717b37/mm/memcontrol.c#L6822) which is a clear analog of memory.limit_in_bytes (https://github.com/torvalds/linux/blob/a4145ce1e7bc247fd6f2846e8699473448717b37/mm/memcontrol.c#L3699).

mszywala commented 7 months ago

Hi @mihalicyn,

Thanks for your detailed response.

Actually, we do not set limits.memory.enforce, so the default (https://documentation.ubuntu.com/lxd/en/latest/reference/instance_options/#resource-limits) should be used, which is limits.memory.enforce=hard.

I am expecting that the OOM-Killer will be triggered when the container reaches limits.memory. But instead, the container begins to freeze. It gets throttled because memory.high is also set, which causes the container to freeze.

I tried both configurations. limits.memory.enforce=hard seems to set memory.high=<value below memory.max> and memory.max=<limits.memory of container>.

limits.memory.enforce=soft as I understand, seems to work as intended and sets memory.high=<limits.memory of container> and memoy.max=max.

When I understand you correctly, then limits.memory.enforce=hard (the default) should only set memory.max, but this is not the case. I would expect that memory.high is set to the cgroup2 default: max

tomponline commented 7 months ago

@mihalicyn do you think this is a bug? Thanks

mihalicyn commented 7 months ago

Actually, we do not set limits.memory.enforce, so the default (https://documentation.ubuntu.com/lxd/en/latest/reference/instance_options/#resource-limits) should be used, which is limits.memory.enforce=hard.

yes, it means that you effectively have limits.memory.enforce=hard

I am expecting that the OOM-Killer will be triggered when the container reaches limits.memory.

when hard is set it should invoke OOM-killer, that's right

I would expect that memory.high is set to the cgroup2 default: max

You are right. I'll fix it.

Upd: comment was edited by me.

mszywala commented 7 months ago

Thank you @mihalicyn. In which LXD LTS version will the bug be fixed? In the new 5.21.0 LTS Release?

tomponline commented 7 months ago

Yes ill include this when we move 5.21 into stable.

canonical / lxd

`limits.memory` are not set correctly in cgroup2 #13147

Required information

Issue description

Steps to reproduce

Information to attach