
Below is the CloudFormation template to configure ECS task containers on an AWS EC2 instance (Linux):

  TodobackendTaskDefinition:
    Type: "AWS::ECS::TaskDefinition"
    Properties:
      ContainerDefinitions:

        - Name: todobackend
          Image: someacct/todobackend
          Memory: 450
          MountPoints:
            - ContainerPath: /var/www/todobackend
              SourceVolume: webroot


        - Name: nginx
          Image: someacct/todobackend-nginx
          Memory: 300
          PortMappings:
            - ContainerPort: "8000"
              HostPort: "8000"
          MountPoints:
            - ContainerPath: /var/www/todobackend
              SourceVolume: webroot

      Volumes:
        - Name: webroot
          Host:
            SourcePath: /ecs/webroot


  TodobackendAdhocTaskDefinition:
    Type: "AWS::ECS::TaskDefinition"
    Properties:
      ContainerDefinitions:
        - Name: todobackend
          Image: someacct/todobackend
          Memory: 245
          MountPoints:
            - ContainerPath: /var/www/todobackend
              SourceVolume: webroot

      Volumes:
        - Name: webroot
          Host:
            SourcePath: /ecs/webroot

where the memory attribute for the three containers is evenly divided (450+300+250 MB), assuming that these 3 containers are running on a t2.micro EC2 instance type that has 1 GB RAM allocated (physical).

Changing these values (of "Memory") randomly makes the container run or fail, without us knowing the proper reason for failure.

On failure, we get such errors, on debugging in AWS cloud:


Containers do not run ON Docker. Containers are processes - they run on the Linux kernel. Containers are Linux processes (or Windows).

Docker container namespace is internally created using runtime·clone() system call.


Memory management maps each process's virtual address space to the physical address space. Process management refers to virtual addresses, not physical addresses.

For Memory: 300MB syntax in the above code, AWS documentation says: "The amount (in MiB) of memory to present to the container."



In the Docker world, containerd creates a shim process for every new container. runc actually creates a container process.

1) What does assigning a RAM size of Memory: 300MB to a container process mean in the above code? Is it the size of the physical address space of a process (or the virtual address space of a process)?

2) Does the runc userspace program use the runtime·clone() system call to set the physical memory space (Memory: 300MB) for each container process?

https://github.com/golang/go/blob/1650f1ba0b964a06a242c3318e85b3b46f010614/src/runtime/sys_linux_amd64.s#L540

overexchange

1 Answer


You should not use the memory parameter on such a small instance with such minimal memory. Remember there is one big difference between these two: on reaching the memory limit, your container will be killed.

With memoryReservation your container can consume more memory, and if one container is under load then it will be able to consume more memory than the desired limit.

memoryReservation

The soft limit (in MiB) of memory to reserve for the container. When system memory is under contention, Docker attempts to keep the container memory to this soft limit; however, your container can consume more memory when needed.

memory

The amount (in MiB) of memory to present to the container. If your container attempts to exceed the memory specified here, the container is killed.

container_definition_memory

This memory parameter is not controlled by the container itself but by the ECS agent.

ECS_agent

How to calculate memory size needed for each docker container?

As far as this question is concerned, this totally depends on the underlying application that you are going to run in the container. I saw you are using nginx; you can read here: nginx-plus-sizing-guide

Adiii
  • I read the documentation on memory. But I don't understand the meaning: "The amount (in MiB) of memory to present to the container." It is the OS's memory management that decides that aspect – overexchange Dec 07 '19 at 08:08
  • Yes, but it's a hard limit; if the container reaches this limit it will be killed, so it is better to use a soft limit – Adiii Dec 07 '19 at 08:43
  • Am not sure... how do userspace programs have control over the hard & soft limit? You are trying to tweak "memory management" functionality. Please read my updated query. The OS allows you to access only virtual address space in memory... – overexchange Dec 08 '19 at 04:31
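
Added example (not part of the original question or answer): on a Linux container instance the `memory` and `memoryReservation` values end up as memory-cgroup limits that the kernel enforces on the memory actually charged to the container, and they can be read back from the cgroup filesystem. The function names and sample values are constructed; the file names are the standard cgroup v1 and v2 ones, usually found under /sys/fs/cgroup/memory (v1) or /sys/fs/cgroup (v2) inside the container.

```python
import os
import tempfile

MIB = 1024 * 1024
# (hard limit, soft limit, current usage) file names per cgroup version
FILES = {
    "v2": ("memory.max", "memory.low", "memory.current"),
    "v1": ("memory.limit_in_bytes", "memory.soft_limit_in_bytes",
           "memory.usage_in_bytes"),
}
V1_UNLIMITED = 1 << 62  # v1 shows a huge number when no limit is set

def _read(path):
    """Return the value in bytes, or None when the limit is unset."""
    with open(path) as fh:
        raw = fh.read().strip()
    if raw == "max":  # cgroup v2 spelling of "no limit"
        return None
    return None if int(raw) >= V1_UNLIMITED else int(raw)

def read_memory_limits(cgroup_dir):
    """Hard limit, soft limit and usage in MiB for one memory cgroup."""
    for version, names in FILES.items():
        if os.path.exists(os.path.join(cgroup_dir, names[0])):
            break
    else:
        raise FileNotFoundError(f"no memory cgroup files in {cgroup_dir}")
    hard, soft, used = (_read(os.path.join(cgroup_dir, n)) for n in names)
    mib = lambda b: None if b is None else b // MIB
    return {
        "version": version, "hard_mib": mib(hard),
        "soft_mib": mib(soft), "used_mib": mib(used),
        # Share of the hard limit in use; close to 1.0 means an OOM kill is near.
        "pressure": None if hard is None else round(used / hard, 2),
    }

def make_sample(version, hard, soft, used):
    """Write a constructed cgroup directory so the example runs offline."""
    path = tempfile.mkdtemp()
    for name, value in zip(FILES[version], (hard, soft, used)):
        with open(os.path.join(path, name), "w") as fh:
            fh.write(f"{value}\n")
    return path

if __name__ == "__main__":
    # Constructed sample: a container with Memory: 300 that is using 270 MiB.
    sample = make_sample("v1", 300 * MIB, V1_UNLIMITED, 270 * MIB)
    print(read_memory_limits(sample))
```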