Check minimum kernel memory limit to be 4M

Fixes: #18405

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>

daemon/daemon_unix.go

@@ -40,6 +40,8 @@ const (
 	linuxMinCPUShares = 2
 	linuxMaxCPUShares = 262144
 	platformSupported = true
+	// It's not kernel limit, we want this 4M limit to supply a reasonable functional container
+	linuxMinMemory = 4194304
 )
 
 func getBlkioWeightDevices(config *runconfig.HostConfig) ([]*blkiodev.WeightDevice, error) {
@@ -194,7 +196,7 @@ func verifyPlatformContainerSettings(daemon *Daemon, hostConfig *runconfig.HostC
 	}
 
 	// memory subsystem checks and adjustments
-	if hostConfig.Memory != 0 && hostConfig.Memory < 4194304 {
+	if hostConfig.Memory != 0 && hostConfig.Memory < linuxMinMemory {
 		return warnings, fmt.Errorf("Minimum memory limit allowed is 4MB")
 	}
 	if hostConfig.Memory > 0 && !sysInfo.MemoryLimit {
@@ -238,6 +240,9 @@ func verifyPlatformContainerSettings(daemon *Daemon, hostConfig *runconfig.HostC
 		logrus.Warnf("Your kernel does not support kernel memory limit capabilities. Limitation discarded.")
 		hostConfig.KernelMemory = 0
 	}
+	if hostConfig.KernelMemory > 0 && hostConfig.KernelMemory < linuxMinMemory {
+		return warnings, fmt.Errorf("Minimum kernel memory limit allowed is 4MB")
+	}
 	if hostConfig.KernelMemory > 0 && !checkKernelVersion(4, 0, 0) {
 		warnings = append(warnings, "You specified a kernel memory limit on a kernel older than 4.0. Kernel memory limits are experimental on older kernels, it won't work as expected and can cause your system to be unstable.")
 		logrus.Warnf("You specified a kernel memory limit on a kernel older than 4.0. Kernel memory limits are experimental on older kernels, it won't work as expected and can cause your system to be unstable.")

docs/reference/api/docker_remote_api.md

@@ -102,6 +102,7 @@ This section lists each version from latest to oldest.  Each listing includes a
 * `GET /version` now returns the `BuildTime` field in RFC3339Nano format to make it 
   consistent with other date/time values returned by the API.
 * `AuthConfig` now supports a `registrytoken` for token based authentication
+* `POST /containers/create` now has a 4M minimum value limit for `HostConfig.KernelMemory`
 
 ### v1.21 API changes
 

docs/reference/run.md

@@ -619,10 +619,10 @@ container:
 
 | Option                     |  Description                                                                                                                                    |
 | -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
-| `-m`, `--memory=""`        | Memory limit (format: `<number>[<unit>]`). Number is a positive integer. Unit can be one of `b`, `k`, `m`, or `g`.                              |
+| `-m`, `--memory=""`        | Memory limit (format: `<number>[<unit>]`). Number is a positive integer. Unit can be one of `b`, `k`, `m`, or `g`. Minimum is 4M.               |
 | `--memory-swap=""`         | Total memory limit (memory + swap, format: `<number>[<unit>]`). Number is a positive integer. Unit can be one of `b`, `k`, `m`, or `g`.         |
 | `--memory-reservation=""`  | Memory soft limit (format: `<number>[<unit>]`). Number is a positive integer. Unit can be one of `b`, `k`, `m`, or `g`.                         |
-| `--kernel-memory=""`       | Kernel memory limit (format: `<number>[<unit>]`). Number is a positive integer. Unit can be one of `b`, `k`, `m`, or `g`.                       |
+| `--kernel-memory=""`       | Kernel memory limit (format: `<number>[<unit>]`). Number is a positive integer. Unit can be one of `b`, `k`, `m`, or `g`. Minimum is 4M.        |
 | `-c`, `--cpu-shares=0`     | CPU shares (relative weight)                                                                                                                    |
 | `--cpu-period=0`           | Limit the CPU CFS (Completely Fair Scheduler) period                                                                                            |
 | `--cpuset-cpus=""`         | CPUs in which to allow execution (0-3, 0,1)                                                                                                     |

integration-cli/docker_cli_run_unix_test.go

@@ -169,10 +169,19 @@ func (s *DockerSuite) TestRunWithKernelMemory(c *check.C) {
 	out, err := inspectField("test1", "HostConfig.KernelMemory")
 	c.Assert(err, check.IsNil)
 	c.Assert(out, check.Equals, "52428800")
+}
+
+func (s *DockerSuite) TestRunWithInvalidKernelMemory(c *check.C) {
+	testRequires(c, kernelMemorySupport)
+
+	out, _, err := dockerCmdWithError("run", "--kernel-memory", "2M", "busybox", "true")
+	c.Assert(err, check.NotNil)
+	expected := "Minimum kernel memory limit allowed is 4MB"
+	c.Assert(out, checker.Contains, expected)
 
 	out, _, err = dockerCmdWithError("run", "--kernel-memory", "-16m", "--name", "test2", "busybox", "echo", "test")
-	expected := "invalid size"
 	c.Assert(err, check.NotNil)
+	expected = "invalid size"
 	c.Assert(out, checker.Contains, expected)
 }