Add memory policy support

askervin · askervin · commit 06415e0c9095 · 2025-09-17T10:33:11.000+03:00
Implement support for Linux memory policy in OCI spec PR: opencontainers/runtime-spec#1282 Signed-off-by: Antti Kervinen <antti.kervinen@intel.com>
diff --git a/features.go b/features.go
@@ -58,6 +58,10 @@ var featuresCommand = cli.Command{
 				IntelRdt: &features.IntelRdt{
 					Enabled: &t,
 				},
+				MemoryPolicy: &features.MemoryPolicy{
+					Modes: specconv.KnownMemoryPolicyModes(),
+					Flags: specconv.KnownMemoryPolicyFlags(),
+				},
 				MountExtensions: &features.MountExtensions{
 					IDMap: &features.IDMap{
 						Enabled: &t,
diff --git a/go.mod b/go.mod
@@ -15,7 +15,7 @@ require (
 	github.com/moby/sys/userns v0.1.0
 	github.com/mrunalp/fileutils v0.5.1
 	github.com/opencontainers/cgroups v0.0.4
-	github.com/opencontainers/runtime-spec v1.2.2-0.20250401095657-e935f995dd67
+	github.com/opencontainers/runtime-spec v1.2.2-0.20250804081626-bfdffd548aa6
 	github.com/opencontainers/selinux v1.12.0
 	github.com/seccomp/libseccomp-golang v0.11.0
 	github.com/sirupsen/logrus v1.9.3
diff --git a/go.sum b/go.sum
@@ -47,8 +47,8 @@ github.com/mrunalp/fileutils v0.5.1 h1:F+S7ZlNKnrwHfSwdlgNSkKo67ReVf8o9fel6C3dkm
 github.com/mrunalp/fileutils v0.5.1/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
 github.com/opencontainers/cgroups v0.0.4 h1:XVj8P/IHVms/j+7eh8ggdkTLAxjz84ZzuFyGoE28DR4=
 github.com/opencontainers/cgroups v0.0.4/go.mod h1:s8lktyhlGUqM7OSRL5P7eAW6Wb+kWPNvt4qvVfzA5vs=
-github.com/opencontainers/runtime-spec v1.2.2-0.20250401095657-e935f995dd67 h1:Q+KewUGTMamIe6Q39xCD/T1NC1POmaTlWnhjikCrZHA=
-github.com/opencontainers/runtime-spec v1.2.2-0.20250401095657-e935f995dd67/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.2.2-0.20250804081626-bfdffd548aa6 h1:6S6r1L8VO9b1UfgIQi+nteqlElma9KDlzZw/nM3ctI0=
+github.com/opencontainers/runtime-spec v1.2.2-0.20250804081626-bfdffd548aa6/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.12.0 h1:6n5JV4Cf+4y0KNXW48TLj5DwfXpvWlxXplUkdTrmPb8=
 github.com/opencontainers/selinux v1.12.0/go.mod h1:BTPX+bjVbWGXw7ZZWUbdENt8w0htPSrlgOOysQaU62U=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
diff --git a/internal/linux/linux.go b/internal/linux/linux.go
@@ -2,6 +2,7 @@ package linux
 
 import (
 	"os"
+	"unsafe"
 
 	"golang.org/x/sys/unix"
 )
@@ -72,3 +73,26 @@ func Sendmsg(fd int, p, oob []byte, to unix.Sockaddr, flags int) error {
 	})
 	return os.NewSyscallError("sendmsg", err)
 }
+
+func bitmaskFromInts(bits []int) []uint64 {
+	maxBit := 0
+	for _, bit := range bits {
+		if bit > maxBit {
+			maxBit = bit
+		}
+	}
+	mask := make([]uint64, (maxBit/64)+1)
+	for _, bit := range bits {
+		mask[bit/64] |= (1 << (bit % 64))
+	}
+	return mask
+}
+
+// SetMempolicy wraps set_mempolicy.
+func SetMempolicy(mode uint, mask *unix.CPUSet) error {
+	_, _, errno := unix.Syscall(unix.SYS_SET_MEMPOLICY, uintptr(mode), uintptr(unsafe.Pointer(mask)), uintptr(unsafe.Sizeof(*mask)*8))
+	if errno != 0 {
+		return os.NewSyscallError("set_mempolicy", errno)
+	}
+	return nil
+}
diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
@@ -214,6 +214,9 @@ type Config struct {
 	// to limit the resources (e.g., L3 cache, memory bandwidth) the container has available
 	IntelRdt *IntelRdt `json:"intel_rdt,omitempty"`
 
+	// MemoryPolicy specifies NUMA memory policy for the container.
+	MemoryPolicy *LinuxMemoryPolicy `json:"memoryPolicy,omitempty"`
+
 	// RootlessEUID is set when the runc was launched with non-zero EUID.
 	// Note that RootlessEUID is set to false when launched with EUID=0 in userns.
 	// When RootlessEUID is set, runc creates a new userns for the container.
@@ -305,7 +308,8 @@ type CPUAffinity struct {
 	Initial, Final *unix.CPUSet
 }
 
-func toCPUSet(str string) (*unix.CPUSet, error) {
+// ToCPUSet parses a string representing a CPU set into a unix.CPUSet.
+func ToCPUSet(str string) (*unix.CPUSet, error) {
 	if str == "" {
 		return nil, nil
 	}
@@ -356,7 +360,7 @@ func toCPUSet(str string) (*unix.CPUSet, error) {
 		}
 	}
 	if s.Count() == 0 {
-		return nil, fmt.Errorf("no CPUs found in %q", str)
+		return nil, fmt.Errorf("no members found in set %q", str)
 	}
 
 	return s, nil
@@ -367,11 +371,11 @@ func ConvertCPUAffinity(sa *specs.CPUAffinity) (*CPUAffinity, error) {
 	if sa == nil {
 		return nil, nil
 	}
-	initial, err := toCPUSet(sa.Initial)
+	initial, err := ToCPUSet(sa.Initial)
 	if err != nil {
 		return nil, fmt.Errorf("bad CPUAffinity.Initial: %w", err)
 	}
-	final, err := toCPUSet(sa.Final)
+	final, err := ToCPUSet(sa.Final)
 	if err != nil {
 		return nil, fmt.Errorf("bad CPUAffinity.Final: %w", err)
 	}
diff --git a/libcontainer/configs/memorypolicy.go b/libcontainer/configs/memorypolicy.go
@@ -0,0 +1,31 @@
+package configs
+
+import "golang.org/x/sys/unix"
+
+const (
+	// Memory policy modes.
+	MPOL_DEFAULT = iota
+	MPOL_PREFERRED
+	MPOL_BIND
+	MPOL_INTERLEAVE
+	MPOL_LOCAL
+	MPOL_PREFERRED_MANY
+	MPOL_WEIGHTED_INTERLEAVE
+
+	// Mode flags.
+	MPOL_F_STATIC_NODES   = 1 << 15
+	MPOL_F_RELATIVE_NODES = 1 << 14
+	MPOL_F_NUMA_BALANCING = 1 << 13
+)
+
+// LinuxMemoryPolicy contains memory policy configuration.
+type LinuxMemoryPolicy struct {
+	// Mode specifies memory policy mode without mode flags. See
+	// set_mempolicy() documentation for details.
+	Mode uint
+	// Flags contains mode flags.
+	Flags []uint
+	// Nodes contains NUMA nodes to which the mode applies.
+	// Using unix.CPUSet to represent a bitmask of nodes.
+	Nodes *unix.CPUSet
+}
diff --git a/libcontainer/configs/tocpuset_test.go b/libcontainer/configs/tocpuset_test.go
@@ -59,8 +59,8 @@ func TestToCPUSet(t *testing.T) {
 	for _, tc := range testCases {
 		tc := tc
 		t.Run(tc.in, func(t *testing.T) {
-			out, err := toCPUSet(tc.in)
-			t.Logf("toCPUSet(%q) = %v (error: %v)", tc.in, out, err)
+			out, err := ToCPUSet(tc.in)
+			t.Logf("ToCPUSet(%q) = %v (error: %v)", tc.in, out, err)
 			// Check the error.
 			if tc.isErr {
 				if err == nil {
diff --git a/libcontainer/configs/validate/validator.go b/libcontainer/configs/validate/validator.go
@@ -34,6 +34,7 @@ func Validate(config *configs.Config) error {
 		mountsStrict,
 		scheduler,
 		ioPriority,
+		memoryPolicy,
 	}
 	for _, c := range checks {
 		if err := c(config); err != nil {
@@ -454,3 +455,26 @@ func ioPriority(config *configs.Config) error {
 
 	return nil
 }
+
+func memoryPolicy(config *configs.Config) error {
+	mpol := config.MemoryPolicy
+	if mpol == nil {
+		return nil
+	}
+	switch mpol.Mode {
+	case configs.MPOL_DEFAULT, configs.MPOL_LOCAL:
+		if mpol.Nodes != nil && mpol.Nodes.Count() != 0 {
+			return fmt.Errorf("memory policy mode requires 0 nodes but got %d", mpol.Nodes.Count())
+		}
+	case configs.MPOL_BIND, configs.MPOL_INTERLEAVE,
+		configs.MPOL_PREFERRED_MANY, configs.MPOL_WEIGHTED_INTERLEAVE:
+		if mpol.Nodes == nil || mpol.Nodes.Count() == 0 {
+			return fmt.Errorf("memory policy mode requires at least one node but got 0")
+		}
+	case configs.MPOL_PREFERRED:
+		// Zero or more nodes are allowed by the kernel.
+	default:
+		return fmt.Errorf("invalid memory policy mode: %d", mpol.Mode)
+	}
+	return nil
+}
diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
@@ -659,6 +659,18 @@ func setupIOPriority(config *initConfig) error {
 	return nil
 }
 
+func setupMemoryPolicy(config *configs.Config) error {
+	mpol := config.MemoryPolicy
+	if mpol == nil {
+		return nil
+	}
+	modeWithFlags := mpol.Mode
+	for _, flag := range mpol.Flags {
+		modeWithFlags |= flag
+	}
+	return linux.SetMempolicy(modeWithFlags, config.MemoryPolicy.Nodes)
+}
+
 func setupPersonality(config *configs.Config) error {
 	return system.SetLinuxPersonality(config.Personality.Domain)
 }
diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
@@ -80,6 +80,11 @@ func (l *linuxSetnsInit) Init() error {
 	if err := setupIOPriority(l.config); err != nil {
 		return err
 	}
+
+	if err := setupMemoryPolicy(l.config.Config); err != nil {
+		return err
+	}
+
 	// Tell our parent that we're ready to exec. This must be done before the
 	// Seccomp rules have been applied, because we need to be able to read and
 	// write to a socket.
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
@@ -41,6 +41,14 @@ var (
 		flag  int
 	}
 	complexFlags map[string]func(*configs.Mount)
+	mpolModeMap  map[specs.MemoryPolicyModeType]uint
+	mpolModeFMap map[specs.MemoryPolicyFlagType]uint
+)
+
+const (
+	// maxNumaNode is the maximum NUMA node number supported.
+	// Must be large enough to cover what the kernel supports.
+	maxNumaNode = 4095
 )
 
 func initMaps() {
@@ -148,6 +156,22 @@ func initMaps() {
 				m.IDMapping.Recursive = true
 			},
 		}
+
+		mpolModeMap = map[specs.MemoryPolicyModeType]uint{
+			specs.MpolDefault:            configs.MPOL_DEFAULT,
+			specs.MpolPreferred:          configs.MPOL_PREFERRED,
+			specs.MpolBind:               configs.MPOL_BIND,
+			specs.MpolInterleave:         configs.MPOL_INTERLEAVE,
+			specs.MpolLocal:              configs.MPOL_LOCAL,
+			specs.MpolPreferredMany:      configs.MPOL_PREFERRED_MANY,
+			specs.MpolWeightedInterleave: configs.MPOL_WEIGHTED_INTERLEAVE,
+		}
+
+		mpolModeFMap = map[specs.MemoryPolicyFlagType]uint{
+			specs.MpolFStaticNodes:   configs.MPOL_F_STATIC_NODES,
+			specs.MpolFRelativeNodes: configs.MPOL_F_RELATIVE_NODES,
+			specs.MpolFNumaBalancing: configs.MPOL_F_NUMA_BALANCING,
+		}
 	})
 }
 
@@ -184,6 +208,30 @@ func KnownMountOptions() []string {
 	return res
 }
 
+// KnownMemoryPolicyModes returns the list of the known memory policy modes.
+// Used by `runc features`.
+func KnownMemoryPolicyModes() []string {
+	initMaps()
+	var res []string
+	for k := range mpolModeMap {
+		res = append(res, string(k))
+	}
+	sort.Strings(res)
+	return res
+}
+
+// KnownMemoryPolicyFlags returns the list of the known memory policy mode flags.
+// Used by `runc features`.
+func KnownMemoryPolicyFlags() []string {
+	initMaps()
+	var res []string
+	for k := range mpolModeFMap {
+		res = append(res, string(k))
+	}
+	sort.Strings(res)
+	return res
+}
+
 // AllowedDevices is the set of devices which are automatically included for
 // all containers.
 //
@@ -467,6 +515,28 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) {
 				MemBwSchema:   spec.Linux.IntelRdt.MemBwSchema,
 			}
 		}
+		if spec.Linux.MemoryPolicy != nil {
+			var ok bool
+			var err error
+			specMp := spec.Linux.MemoryPolicy
+			confMp := &configs.LinuxMemoryPolicy{}
+			confMp.Mode, ok = mpolModeMap[specMp.Mode]
+			if !ok {
+				return nil, fmt.Errorf("invalid memory policy mode %q", specMp.Mode)
+			}
+			confMp.Nodes, err = configs.ToCPUSet(specMp.Nodes)
+			if err != nil {
+				return nil, fmt.Errorf("invalid memory policy nodes %q: %w", specMp.Nodes, err)
+			}
+			for _, specFlag := range specMp.Flags {
+				confModeFlag, ok := mpolModeFMap[specFlag]
+				if !ok {
+					return nil, fmt.Errorf("invalid memory policy flag %q", specFlag)
+				}
+				confMp.Flags = append(confMp.Flags, confModeFlag)
+			}
+			config.MemoryPolicy = confMp
+		}
 		if spec.Linux.Personality != nil {
 			if len(spec.Linux.Personality.Flags) > 0 {
 				logrus.Warnf("ignoring unsupported personality flags: %+v because personality flag has not supported at this time", spec.Linux.Personality.Flags)
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
@@ -164,6 +164,10 @@ func (l *linuxStandardInit) Init() error {
 		return err
 	}
 
+	if err := setupMemoryPolicy(l.config.Config); err != nil {
+		return err
+	}
+
 	// Tell our parent that we're ready to exec. This must be done before the
 	// Seccomp rules have been applied, because we need to be able to read and
 	// write to a socket.
diff --git a/tests/integration/memorypolicy.bats b/tests/integration/memorypolicy.bats
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/features/features.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/features/features.go
diff --git a/vendor/modules.txt b/vendor/modules.txt

Original file line number	Diff line number	Diff line change
`@@ -214,6 +214,9 @@ type Config struct {`
`214`	`214`	`// to limit the resources (e.g., L3 cache, memory bandwidth) the container has available`
`215`	`215`	IntelRdt *IntelRdt `json:"intel_rdt,omitempty"`
`216`	`216`
	`217`	`+ // MemoryPolicy specifies NUMA memory policy for the container.`
	`218`	+ MemoryPolicy *LinuxMemoryPolicy `json:"memoryPolicy,omitempty"`
	`219`	`+`
`217`	`220`	`// RootlessEUID is set when the runc was launched with non-zero EUID.`
`218`	`221`	`// Note that RootlessEUID is set to false when launched with EUID=0 in userns.`
`219`	`222`	`// When RootlessEUID is set, runc creates a new userns for the container.`
`@@ -305,7 +308,8 @@ type CPUAffinity struct {`
`305`	`308`	`Initial, Final *unix.CPUSet`
`306`	`309`	`}`
`307`	`310`
`308`		`-func toCPUSet(str string) (*unix.CPUSet, error) {`
	`311`	`+// ToCPUSet parses a string representing a CPU set into a unix.CPUSet.`
	`312`	`+func ToCPUSet(str string) (*unix.CPUSet, error) {`
`309`	`313`	`if str == "" {`
`310`	`314`	`return nil, nil`
`311`	`315`	`}`
`@@ -356,7 +360,7 @@ func toCPUSet(str string) (*unix.CPUSet, error) {`
`356`	`360`	`}`
`357`	`361`	`}`
`358`	`362`	`if s.Count() == 0 {`
`359`		`- return nil, fmt.Errorf("no CPUs found in %q", str)`
	`363`	`+ return nil, fmt.Errorf("no members found in set %q", str)`
`360`	`364`	`}`
`361`	`365`
`362`	`366`	`return s, nil`
`@@ -367,11 +371,11 @@ func ConvertCPUAffinity(sa specs.CPUAffinity) (CPUAffinity, error) {`
`367`	`371`	`if sa == nil {`
`368`	`372`	`return nil, nil`
`369`	`373`	`}`
`370`		`- initial, err := toCPUSet(sa.Initial)`
	`374`	`+ initial, err := ToCPUSet(sa.Initial)`
`371`	`375`	`if err != nil {`
`372`	`376`	`return nil, fmt.Errorf("bad CPUAffinity.Initial: %w", err)`
`373`	`377`	`}`
`374`		`- final, err := toCPUSet(sa.Final)`
	`378`	`+ final, err := ToCPUSet(sa.Final)`
`375`	`379`	`if err != nil {`
`376`	`380`	`return nil, fmt.Errorf("bad CPUAffinity.Final: %w", err)`
`377`	`381`	`}`