From 9e658bcd717c0c5431ee5275f32f468f94b5ac29 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin <kolyshkin@gmail.com>
Date: Mon, 29 Aug 2022 10:48:45 -0700
Subject: [PATCH] config-linux: add memory.checkBeforeUpdate

This setting can be used to mimic cgroup v1 behavior on cgroup v2,
when setting the new memory limit during update operation.

In cgroup v1, a limit which is lower than the current usage is rejected.

In cgroup v2, such a low limit is causing an OOM kill.

Ref: https://github.com/opencontainers/runc/issues/3509

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
 config-linux.md                           | 5 +++++
 schema/config-linux.json                  | 3 +++
 schema/test/config/good/spec-example.json | 3 ++-
 specs-go/config.go                        | 4 ++++
 4 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/config-linux.md b/config-linux.md
index 178361f34..575a4e308 100644
--- a/config-linux.md
+++ b/config-linux.md
@@ -336,6 +336,11 @@ The following properties do not specify memory limits, but are covered by the `m
     To disable it, specify a value of `true`.
 * **`useHierarchy`** *(bool, OPTIONAL)* - enables or disables hierarchical memory accounting.
     If enabled (`true`), child cgroups will share the memory limits of this cgroup.
+* **`checkBeforeUpdate`** *(bool, OPTIONAL)* - enables container memory usage check before setting a new limit.
+    If enabled (`true`), runtime MAY check if a new memory limit is lower than the current usage, and MUST
+    reject the new limit. Practically, when cgroup v1 is used, the kernel rejects the limit lower than the
+    current usage, and when cgroup v2 is used, an OOM killer is invoked. This setting can be used on
+    cgroup v2 to mimic the cgroup v1 behavior.
 
 #### Example
 
diff --git a/schema/config-linux.json b/schema/config-linux.json
index d551afb26..e57a5a8e5 100644
--- a/schema/config-linux.json
+++ b/schema/config-linux.json
@@ -169,6 +169,9 @@
                             },
                             "useHierarchy": {
                                 "type": "boolean"
+                            },
+                            "checkBeforeUpdate": {
+                                "type": "boolean"
                             }
                         }
                     },
diff --git a/schema/test/config/good/spec-example.json b/schema/test/config/good/spec-example.json
index 83e91dcd2..9425ba8ff 100644
--- a/schema/test/config/good/spec-example.json
+++ b/schema/test/config/good/spec-example.json
@@ -270,7 +270,8 @@
                 "kernelTCP": -1,
                 "swappiness": 0,
                 "disableOOMKiller": false,
-                "useHierarchy": false
+                "useHierarchy": false,
+                "checkBeforeUpdate": false
             },
             "cpu": {
                 "shares": 1024,
diff --git a/specs-go/config.go b/specs-go/config.go
index 7e9122103..e58ec0a58 100644
--- a/specs-go/config.go
+++ b/specs-go/config.go
@@ -319,6 +319,10 @@ type LinuxMemory struct {
 	DisableOOMKiller *bool `json:"disableOOMKiller,omitempty"`
 	// Enables hierarchical memory accounting
 	UseHierarchy *bool `json:"useHierarchy,omitempty"`
+	// CheckBeforeUpdate enables checking if a new memory limit is lower
+	// than the current usage during update, and if so, rejecting the new
+	// limit.
+	CheckBeforeUpdate *bool `json:"checkBeforeUpdate,omitempty"`
 }
 
 // LinuxCPU for Linux cgroup 'cpu' resource management