This version is kernel-3.10.0-1062.1.2.el7 with the memory cgroup kmem
accounting feature (CONFIG_MEMCG_KMEM) disabled.
This feature causes kernel memory leaks when using versions of runc
that unconditionally enable per-cgroup kernel memory resource accounting, leading to systems becoming unusable when many containers are created.
The links below mention actual leaks of cgroups as well. However, in testing this appears to be fixed in more recent RedHat/CentOS kernel versions.
We disable the feature in the kernel configuration, which however changes its ABI.
See: fb13977
See: https://docs.google.com/document/d/1892PZs2ZdV4_JsSoFwC6WfoOHqKVirFci9r_6NAJzUU/edit?usp=sharing
See: moby/moby#29638 (comment)
See: kubernetes/kubernetes#61937
See: opencontainers/runc#1725
See: https://bugzilla.redhat.com/show_bug.cgi?id=1507149
See: https://bugs.schedmd.com/show_bug.cgi?id=5082#c28
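
One way to confirm that a host is actually running a kernel without kmem accounting, as an added example (not part of this release or of the projects linked above). The function names are hypothetical, and the paths `/boot/config-$(uname -r)` and `/sys/fs/cgroup/memory` assume a stock CentOS 7 layout with the cgroup v1 memory controller:

```shell
#!/bin/sh
# Added example: verify that CONFIG_MEMCG_KMEM is off for the running kernel.

# Print "enabled", "disabled" or "unknown" for CONFIG_MEMCG_KMEM in a kernel
# config file. "unknown" covers an unreadable file or a missing option.
memcg_kmem_config_state() {
    cfg=$1
    [ -r "$cfg" ] || { echo unknown; return 0; }
    if grep -q '^CONFIG_MEMCG_KMEM=y$' "$cfg"; then
        echo enabled
    elif grep -q '^# CONFIG_MEMCG_KMEM is not set$' "$cfg"; then
        echo disabled
    else
        echo unknown
    fi
}

# Count cgroups under a cgroup v1 memory hierarchy that expose
# memory.kmem.usage_in_bytes. The memory.kmem.* control files only exist
# when the kernel was built with CONFIG_MEMCG_KMEM, so 0 is expected here.
count_kmem_cgroups() {
    root=$1
    find "$root" -type f -name memory.kmem.usage_in_bytes 2>/dev/null \
        | wc -l | tr -d ' '
}

# Combine both checks. The runtime view decides the result, because the
# config file on disk may belong to a kernel other than the one booted.
check_host() {
    state=$(memcg_kmem_config_state "$1")
    n=$(count_kmem_cgroups "$2")
    if [ "$n" -gt 0 ]; then
        echo "kmem-files-present config=$state cgroups=$n"
        return 1
    fi
    echo "no-kmem-files config=$state"
    return 0
}

# Run against the live host only when asked to.
if [ "${1:-}" = "--host" ]; then
    check_host "/boot/config-$(uname -r)" /sys/fs/cgroup/memory
fi
```

Run with `--host` after rebooting into the new kernel; a non-zero exit status means `memory.kmem.*` files are still present, so the booted kernel is not the one built with the feature disabled.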