Add memory policy support

Implement support for Linux memory policy in OCI spec PR:
opencontainers/runtime-spec#1282

Signed-off-by: Antti Kervinen <[email protected]>

Author: askervin

features.go

@@ -58,6 +58,10 @@ var featuresCommand = cli.Command{
 				IntelRdt: &features.IntelRdt{
 					Enabled: &t,
 				},
+				MemoryPolicy: &features.MemoryPolicy{
+					Modes: specconv.KnownMemoryPolicyModes(),
+					Flags: specconv.KnownMemoryPolicyFlags(),
+				},
 				MountExtensions: &features.MountExtensions{
 					IDMap: &features.IDMap{
 						Enabled: &t,

go.mod

@@ -15,7 +15,7 @@ require (
 	github.com/moby/sys/userns v0.1.0
 	github.com/mrunalp/fileutils v0.5.1
 	github.com/opencontainers/cgroups v0.0.4
-	github.com/opencontainers/runtime-spec v1.2.2-0.20250401095657-e935f995dd67
+	github.com/opencontainers/runtime-spec v1.2.2-0.20250804081626-bfdffd548aa6
 	github.com/opencontainers/selinux v1.12.0
 	github.com/seccomp/libseccomp-golang v0.11.0
 	github.com/sirupsen/logrus v1.9.3

go.sum

@@ -47,8 +47,8 @@ github.com/mrunalp/fileutils v0.5.1 h1:F+S7ZlNKnrwHfSwdlgNSkKo67ReVf8o9fel6C3dkm
 github.com/mrunalp/fileutils v0.5.1/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
 github.com/opencontainers/cgroups v0.0.4 h1:XVj8P/IHVms/j+7eh8ggdkTLAxjz84ZzuFyGoE28DR4=
 github.com/opencontainers/cgroups v0.0.4/go.mod h1:s8lktyhlGUqM7OSRL5P7eAW6Wb+kWPNvt4qvVfzA5vs=
-github.com/opencontainers/runtime-spec v1.2.2-0.20250401095657-e935f995dd67 h1:Q+KewUGTMamIe6Q39xCD/T1NC1POmaTlWnhjikCrZHA=
-github.com/opencontainers/runtime-spec v1.2.2-0.20250401095657-e935f995dd67/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.2.2-0.20250804081626-bfdffd548aa6 h1:6S6r1L8VO9b1UfgIQi+nteqlElma9KDlzZw/nM3ctI0=
+github.com/opencontainers/runtime-spec v1.2.2-0.20250804081626-bfdffd548aa6/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.12.0 h1:6n5JV4Cf+4y0KNXW48TLj5DwfXpvWlxXplUkdTrmPb8=
 github.com/opencontainers/selinux v1.12.0/go.mod h1:BTPX+bjVbWGXw7ZZWUbdENt8w0htPSrlgOOysQaU62U=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=

libcontainer/configs/config.go

@@ -214,6 +214,9 @@ type Config struct {
 	// to limit the resources (e.g., L3 cache, memory bandwidth) the container has available
 	IntelRdt *IntelRdt `json:"intel_rdt,omitempty"`
 
+	// MemoryPolicy specifies NUMA memory policy for the container.
+	MemoryPolicy *LinuxMemoryPolicy `json:"memoryPolicy,omitempty"`
+
 	// RootlessEUID is set when the runc was launched with non-zero EUID.
 	// Note that RootlessEUID is set to false when launched with EUID=0 in userns.
 	// When RootlessEUID is set, runc creates a new userns for the container.

libcontainer/configs/memorypolicy.go

@@ -0,0 +1,10 @@
+package configs
+
+// LinuxMemoryPolicy contains memory policy configuration.
+type LinuxMemoryPolicy struct {
+	// Mode combines memory poliy mode and mode flags. Refer to
+	// set_mempolicy() documentation for details.
+	Mode uint
+	// Contains NUMA nodes to which the mode applies.
+	Nodes []int
+}

libcontainer/init_linux.go

@@ -659,6 +659,10 @@ func setupIOPriority(config *initConfig) error {
 	return nil
 }
 
+func setupMemoryPolicy(config *configs.Config) error {
+	return system.SetMempolicy(config.MemoryPolicy.Mode, config.MemoryPolicy.Nodes)
+}
+
 func setupPersonality(config *configs.Config) error {
 	return system.SetLinuxPersonality(config.Personality.Domain)
 }

libcontainer/setns_init_linux.go

@@ -110,6 +110,11 @@ func (l *linuxSetnsInit) Init() error {
 	if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil {
 		return err
 	}
+	if l.config.Config.MemoryPolicy != nil {
+		if err := setupMemoryPolicy(l.config.Config); err != nil {
+			return err
+		}
+	}
 	if l.config.Config.Personality != nil {
 		if err := setupPersonality(l.config.Config); err != nil {
 			return err

libcontainer/specconv/spec_linux.go

@@ -9,6 +9,7 @@ import (
 	"os"
 	"path/filepath"
 	"sort"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -41,6 +42,12 @@ var (
 		flag  int
 	}
 	complexFlags map[string]func(*configs.Mount)
+	mpolModeMap  map[specs.MemoryPolicyModeType]uint
+	mpolModeFMap map[specs.MemoryPolicyFlagType]uint
+)
+
+const (
+	maxNumaNode = 1023
 )
 
 func initMaps() {
@@ -148,6 +155,22 @@ func initMaps() {
 				m.IDMapping.Recursive = true
 			},
 		}
+
+		mpolModeMap = map[specs.MemoryPolicyModeType]uint{
+			specs.MpolDefault:            0,
+			specs.MpolPreferred:          1,
+			specs.MpolBind:               2,
+			specs.MpolInterleave:         3,
+			specs.MpolLocal:              4,
+			specs.MpolPreferredMany:      5,
+			specs.MpolWeightedInterleave: 6,
+		}
+
+		mpolModeFMap = map[specs.MemoryPolicyFlagType]uint{
+			specs.MpolFStaticNodes:   1 << 15,
+			specs.MpolFRelativeNodes: 1 << 14,
+			specs.MpolFNumaBalancing: 1 << 13,
+		}
 	})
 }
 
@@ -184,6 +207,30 @@ func KnownMountOptions() []string {
 	return res
 }
 
+// KnownMemoryPolicyModes returns the list of the known memory policy modes.
+// Used by `runc features`.
+func KnownMemoryPolicyModes() []string {
+	initMaps()
+	var res []string
+	for k := range mpolModeMap {
+		res = append(res, string(k))
+	}
+	sort.Strings(res)
+	return res
+}
+
+// KnownMemoryPolicyFlags returns the list of the known memory policy mode flags.
+// Used by `runc features`.
+func KnownMemoryPolicyFlags() []string {
+	initMaps()
+	var res []string
+	for k := range mpolModeFMap {
+		res = append(res, string(k))
+	}
+	sort.Strings(res)
+	return res
+}
+
 // AllowedDevices is the set of devices which are automatically included for
 // all containers.
 //
@@ -467,6 +514,28 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) {
 				MemBwSchema:   spec.Linux.IntelRdt.MemBwSchema,
 			}
 		}
+		if spec.Linux.MemoryPolicy != nil &&
+			(spec.Linux.MemoryPolicy.Mode != "" ||
+				spec.Linux.MemoryPolicy.Nodes != "" ||
+				len(spec.Linux.MemoryPolicy.Flags) > 0) {
+			var ok bool
+			specMp := spec.Linux.MemoryPolicy
+			confMp := &configs.LinuxMemoryPolicy{}
+			if confMp.Mode, ok = mpolModeMap[specMp.Mode]; !ok {
+				return nil, fmt.Errorf("invalid memory policy mode %q", specMp.Mode)
+			}
+			if confMp.Nodes, err = parseListSet(specMp.Nodes, 0, maxNumaNode); err != nil {
+				return nil, fmt.Errorf("invalid memory policy nodes %q: %w", specMp.Nodes, err)
+			}
+			for _, specFlag := range specMp.Flags {
+				confModeFlag, ok := mpolModeFMap[specFlag]
+				if !ok {
+					return nil, fmt.Errorf("invalid memory policy flag %q", specFlag)
+				}
+				confMp.Mode |= confModeFlag
+			}
+			config.MemoryPolicy = confMp
+		}
 		if spec.Linux.Personality != nil {
 			if len(spec.Linux.Personality.Flags) > 0 {
 				logrus.Warnf("ignoring unsupported personality flags: %+v because personality flag has not supported at this time", spec.Linux.Personality.Flags)
@@ -1135,6 +1204,50 @@ func parseMountOptions(options []string) *configs.Mount {
 	return &m
 }
 
+// parseListSet parses "list set" syntax ("0,61-63,2") into a list ([0, 61, 62, 63, 2]).
+func parseListSet(listSet string, minValue, maxValue int) ([]int, error) {
+	var result []int
+	parts := strings.Split(listSet, ",")
+	for _, part := range parts {
+		switch {
+		case part == "":
+			continue
+		case strings.Contains(part, "-"):
+			rangeParts := strings.Split(part, "-")
+			if len(rangeParts) != 2 {
+				return nil, fmt.Errorf("invalid range: %s", part)
+			}
+			start, err := strconv.Atoi(rangeParts[0])
+			if err != nil {
+				return nil, err
+			}
+			end, err := strconv.Atoi(rangeParts[1])
+			if err != nil {
+				return nil, err
+			}
+			if start > end {
+				return nil, fmt.Errorf("invalid range %s: start > end", part)
+			}
+			if start < minValue || end > maxValue {
+				return nil, fmt.Errorf("invalid range %s: out of range %d-%d", part, minValue, maxValue)
+			}
+			for i := start; i <= end; i++ {
+				result = append(result, i)
+			}
+		default:
+			num, err := strconv.Atoi(part)
+			if err != nil {
+				return nil, err
+			}
+			if num < minValue || num > maxValue {
+				return nil, fmt.Errorf("invalid value %d: out of range %d-%d", num, minValue, maxValue)
+			}
+			result = append(result, num)
+		}
+	}
+	return result, nil
+}
+
 func SetupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error) {
 	if config == nil {
 		return nil, nil

libcontainer/specconv/spec_linux_test.go

@@ -338,6 +338,111 @@ func TestSetupSeccomp(t *testing.T) {
 	}
 }
 
+func TestParseListSet(t *testing.T) {
+	testCases := []struct {
+		name               string
+		listSet            string
+		minValue, maxValue int
+		expectedInts       []int
+		expectedErr        string
+	}{
+		{
+			name:    "empty string",
+			listSet: "",
+		},
+		{
+			name:         "single value at max",
+			listSet:      "42",
+			expectedInts: []int{42},
+			maxValue:     42,
+		},
+		{
+			name:         "full range from min to max",
+			listSet:      "0-7",
+			expectedInts: []int{0, 1, 2, 3, 4, 5, 6, 7},
+			maxValue:     7,
+		},
+		{
+			name:         "comma separated values",
+			listSet:      "1,3",
+			expectedInts: []int{1, 3},
+			maxValue:     5,
+		},
+		{
+			name:         "comma separated values and overlapping ranges",
+			listSet:      "3-5,1,4-6",
+			expectedInts: []int{3, 4, 5, 1, 4, 5, 6},
+			maxValue:     10,
+		},
+		{
+			name:         "empty ranges, single number ranges",
+			listSet:      ",2,,4-4,",
+			expectedInts: []int{2, 4},
+			maxValue:     4,
+		},
+		{
+			name:        "value out of range",
+			listSet:     "2-4,0",
+			minValue:    1,
+			maxValue:    4,
+			expectedErr: "invalid value",
+		},
+		{
+			name:        "end of range out of range",
+			listSet:     "2-4,0",
+			maxValue:    3,
+			expectedErr: "invalid range",
+		},
+		{
+			name:        "start is greater than end",
+			listSet:     "4-3,0",
+			maxValue:    1024,
+			expectedErr: "invalid range",
+		},
+		{
+			name:        "syntax error in value",
+			listSet:     "a",
+			maxValue:    1024,
+			expectedErr: "invalid syntax",
+		},
+		{
+			name:        "syntax error at range start",
+			listSet:     "0,?-4",
+			maxValue:    1024,
+			expectedErr: "invalid syntax",
+		},
+		{
+			name:        "syntax error at range end",
+			listSet:     "0,4-,2",
+			maxValue:    1024,
+			expectedErr: "invalid syntax",
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			obsInts, obsErr := parseListSet(tc.listSet, tc.minValue, tc.maxValue)
+			if len(obsInts) != len(tc.expectedInts) {
+				t.Errorf("Expected %d ints, got %d (%v)", len(tc.expectedInts), len(obsInts), obsInts)
+			}
+			for i, v := range obsInts {
+				if len(tc.expectedInts) > i && v != tc.expectedInts[i] {
+					t.Errorf("Expected at index %d value %d, got %d", i, tc.expectedInts[i], v)
+				}
+			}
+			switch {
+			case tc.expectedErr == "" && obsErr != nil:
+				t.Errorf("Expected no error, got %v", obsErr)
+			case tc.expectedErr != "" && obsErr == nil:
+				t.Errorf("Expected error %v, got nil", tc.expectedErr)
+			case tc.expectedErr != "" && obsErr != nil:
+				if !strings.Contains(obsErr.Error(), tc.expectedErr) {
+					t.Errorf("Expected error containing %q, got %v", tc.expectedErr, obsErr)
+				}
+			}
+		})
+	}
+}
+
 func TestLinuxCgroupWithMemoryResource(t *testing.T) {
 	cgroupsPath := "/user/cgroups/path/id"
 

libcontainer/standard_init_linux.go

@@ -238,6 +238,13 @@ func (l *linuxStandardInit) Init() error {
 		}
 	}
 
+	// Set memory policy if specified.
+	if l.config.Config.MemoryPolicy != nil {
+		if err := setupMemoryPolicy(l.config.Config); err != nil {
+			return err
+		}
+	}
+
 	// Set personality if specified.
 	if l.config.Config.Personality != nil {
 		if err := setupPersonality(l.config.Config); err != nil {