Set minimum memory limit to 6M, to account for higher startup memory use

[thaJeztah]

• fixes low memory on start causing strange failure condition #41164 low memory on start causing strange failure condition
• addresses Containers with memory limit < 6M fail with obscure error message #41167 Containers with memory limit < 6M fail with obscure error message
• relates to [CVE-2019-5736]: Runc uses more memory during start up after the fix opencontainers/runc#1980 [CVE-2019-5736]: Runc uses more memory during start up after the fix

For some time, we defined a minimum limit for --memory limits to account for
overhead during startup, and to supply a reasonable functional container.

Changes in the runtime (runc) introduced a higher memory footprint during container
startup, which now lead to obscure error-messages that are unfriendly for users:

run --rm --memory=4m alpine echo success
docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"process_linux.go:415: setting cgroup config for procHooks process caused \\\"failed to write \\\\\\\"4194304\\\\\\\" to \\\\\\\"/sys/fs/cgroup/memory/docker/1254c8d63f85442e599b17dff895f4543c897755ee3bd9b56d5d3d17724b38d7/memory.limit_in_bytes\\\\\\\": write /sys/fs/cgroup/memory/docker/1254c8d63f85442e599b17dff895f4543c897755ee3bd9b56d5d3d17724b38d7/memory.limit_in_bytes: device or resource busy\\\"\"": unknown.
ERRO[0000] error waiting for container: context canceled

Containers that fail to start because of this limit, will not be marked as OOMKilled,
which makes it harder for users to find the cause of the failure.

Note that after this memory is only required during startup of the container. After
the container was started, the container may not consume this memory, and limits
could (manually) be lowered, for example, an alpine container running only a shell
can run with 512k of memory;

echo 524288  > /sys/fs/cgroup/memory/docker/acdd326419f0898be63b0463cfc81cd17fb34d2dae6f8aa3768ee6a075ca5c86/memory.limit_in_bytes

However, restarting the container will reset that manual limit to the container's
configuration. While docker container update would allow for the updated limit to
be persisted, (re)starting the container after updating produces the same error message
again, so we cannot use different limits for docker run / docker create and docker update.

This patch raises the minimum memory limnit to 6M, so that a better error-message is
produced if a user tries to create a container with a memory-limit that is too low:

docker create --memory=4m alpine echo success
docker: Error response from daemon: Minimum memory limit allowed is 6MB.

- Description for the changelog

* Raise minimum memory limit to 6M, to account for higher memory use by runtimes during container startup

- A picture of a cute animal (not mandatory but encouraged)

[thaJeztah]

@kolyshkin @AkihiroSuda PTAL

Also wondering if we need a detection in docker container update, as apparently setting the limit to a value lower than the current use of the container is rejected by the kernel;

# container uses roughly 460KiB after starting
docker run -dit --name mycontainer --memory=8m alpine
acdd326419f0898be63b0463cfc81cd17fb34d2dae6f8aa3768ee6a075ca5c86

# setting limit to 256KiB is refused by the kernel
echo 262144 > /sys/fs/cgroup/memory/docker/acdd326419f0898be63b0463cfc81cd17fb34d2dae6f8aa3768ee6a075ca5c86/memory.limit_in_bytes
-bash: echo: write error: Device or resource busy

cat /sys/fs/cgroup/memory/docker/acdd326419f0898be63b0463cfc81cd17fb34d2dae6f8aa3768ee6a075ca5c86/memory.limit_in_bytes
524288

[AkihiroSuda]

Changes in the runtime (runc) introduced a higher memory footprint during container startup

Is there any specific commit that introduced the hog, or did it increased by nature due to the increase of LOC?

[thaJeztah]

The original raise in memory consumption was due to opencontainers/runc@0a8e411, which (I think) was later reduced by opencontainers/runc#1984.

Perhaps we need a git-bisect and build runc from various commits to see if there's specific changes that contributed. Also not sure if it's only runc that accounts for this, or also the containerd shims? (perhaps you know?)

[cpuguy83]

LGTM