Docker --memory-reservation Fails to Update memory.high in cgroup v2, While Manual Update Works

[yitian108]

Description

When using docker update --memory-reservation to set a memory soft limit (memory.high in cgroup v2), the parameter is not propagated to the container’s cgroup file (memory.high), even though docker inspect confirms the value is updated. However, manually writing to memory.high (e.g., echo 1G > memory.high) works as expected.

Steps to reproduce the issue

1. Start a container without initial memory constraints
   docker run -d --name test nginx
2. Update the container with --memory-reservation
   docker update --memory-reservation=1g test
3. Verify via docker inspect
   docker inspect test --format '{{.HostConfig.MemoryReservation}}' # Output: 1073741824 (1GB)
4. Check the cgroup file
   cat /sys/fs/cgroup/system.slice/docker-$(docker inspect -f '{{.Id}}' test).scope/memory.high # Output: max
5. Manually update memory.high
   echo 1G > /sys/fs/cgroup/system.slice/docker-$(docker inspect -f '{{.Id}}' test).scope/memory.high cat memory.high # Output: 1073741824 (1GB)

Describe the results you received and expected

Expected behavior
docker update --memory-reservation=1g should update the cgroup’s memory.high file to 1073741824

But Actual Result:

docker inspect shows the correct value (1073741824), but memory.high remains max.
Manual updates to memory.high work immediately.

What version of runc are you using?

docker version

Client: Docker Engine - Community
Version: 24.0.7
API version: 1.43
Go version: go1.20.10
Git commit: afdd53b
Built: Thu Oct 26 09:09:13 2023
OS/Arch: linux/amd64
Context: default

Server: Docker Engine - Community
Engine:
Version: 24.0.7
API version: 1.43 (minimum version 1.12)
Go version: go1.20.10
Git commit: 311b9ff
Built: Thu Oct 26 09:07:45 2023
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v1.6.27
GitCommit: a1496014c916f9e62104b33d1bb5bd03b0858e59
runc:
Version: 1.1.11
GitCommit: v1.1.11-0-g4bccb38c
docker-init:
Version: 0.19.0
GitCommit: de40ad0

Host OS information

Kernel Version: 5.14.0-503.11.1.el9_5.x86_64
Operating System: AlmaLinux 9.3 (Shamrock Pampas Cat)
OSType: linux

Host kernel information

5.14.0-503.11.1.el9_5.x86_64

[yitian108]

Also see reference: moby/moby#49599 (comment)

[lifubang]

Describe the results you received and expected

Expected behavior docker update --memory-reservation=1g should update the cgroup’s memory.high file to 1073741824

But Actual Result:

docker inspect shows the correct value (1073741824), but memory.high remains max. Manual updates to memory.high work immediately.

Runc now write the value of MemoryReservation to memory.low in cgroupv2, you mean it's wrong? You think it should be written to memory.high?

[yitian108]

Hello @lifubang , I just want to know which Docker option maps to the memory.high parameter in cgroup v2.

[lifubang]

In runc, I think you can use .Linux.Resources.Unified["memory.high"] to update the value of memory.high when using cgroup v2 unified mode. But I don't know whether there is an option in Docker to map to .Linux.Resources.Unified or not.

[rata]

@yitian108 Okay, so this doesn't seem like a runc bug, then. I don't think you can tune that in docker (having a quick look at the man-page), but it seems you can specify any cgroupv2 things in nerdctl.

I'm closing this, but pelase feel free to re-open if I'm missing something