RFR: 8370572: Cgroups hierarchical memory limit is not honored after JDK-8322420 [v2]
Aleksey Shipilev
shade at openjdk.org
Wed Oct 29 17:32:23 UTC 2025
On Wed, 29 Oct 2025 12:01:22 GMT, Aleksey Shipilev <shade at openjdk.org> wrote:
>>> I tried to come up with a regression test for it, but could not: local reproducers require amending _host_ configuration, which requires superuser privileges, among other hassle it introduces.
>>
>> Without a proper regression test this is bound to fall through the cracks again. So are you sure this cannot be tested? It should be fine if the test needs root privileges (we could skip it if not root). But it would be better than not having one.
>
>> Without a proper regression test this is bound to fall through the cracks again. So are you sure this cannot be tested? It should be fine if the test needs root privileges (we could skip it if not root). But it would be better than not having one.
>
> Yes, I tried to write a test, but it was not simple at all. AFAICS, you need to configure the _host_ in a particular way to get to the interesting configuration, when part of hierarchy is hidden. So not only it would require root, it would also make changes to the host cgroup config (and properly revert them at the end of testing!). It would be better if we could come up with something like Docker-in-Docker kind of test, but that is probably a headache as well.
>
> Anyway, we are dealing with the real-world, customer-facing breakage here, so I reasoned it was unwise to delay the immediately deployable fix, just because it was unclear how to write a reliable regression test for it :)
> So here's a simple test (based on [`test/jdk/jdk/internal/platform/docker/TestDockerMemoryMetrics.java`](https://github.com/openjdk/jdk/blob/28f2591bad49c4d1590325c3d315d850ab6bcc7d/test/jdk/jdk/internal/platform/docker/TestDockerMemoryMetrics.java) which basically implements @shipilev Docker reproducer. It only runs if the user is `root` or a `sudo` user and if the system supports cgroup v1. The test fails with the current implementation and succeeds with the patch proposed in this PR.
Thanks!
It has the disadvantages I listed before: requires super-user, modifies host cgroup configuration, needs to clean up after itself, etc. As it stands now, it is not an automatic test (anyone runs jtreg-s with root privileges?), so it does not buy us any regression testing posture much right now. And we will spend time bike-shedding and dealing with (likely) testbugs from it.
So I would very much prefer to integrate this fix without a test, backport the to 25u and 21u ASAP to unbreak users, and _then_ follow-up with the test.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/28006#issuecomment-3462801122
More information about the hotspot-runtime-dev
mailing list