bug(wrap): add oom_score_adj to exec specs

alexandermerritt · alexandermerritt · commit 5e71d4341b2b · 2026-04-03T22:29:23.000-04:00
This value can be forwarded from a CRI and ensures an appropriate OOM
score is set for processes in cases where high memory use is seen.

Signed-off-by: Alexander Merritt &lt;alexander@edera.dev&gt;
diff --git a/src/config.rs b/src/config.rs
@@ -85,6 +85,9 @@ pub struct ExecutableSpec {
     /// Requires `no_new_privs = true`.
     #[serde(default)]
     pub seccomp: Option<SeccompFilter>,
+
+    /// An optional out-of-memory score adjustment value.
+    pub oom_score_adj: Option<i32>,
 }
 
 #[derive(Default, Debug, Serialize, Deserialize)]
diff --git a/src/runner.rs b/src/runner.rs
@@ -97,6 +97,11 @@ impl AttachRequestBuilder {
         self
     }
 
+    pub fn set_oom_score_adj(mut self, score: i32) -> AttachRequestBuilder {
+        self.config.exec.oom_score_adj = Some(score);
+        self
+    }
+
     pub fn push_namespace(mut self, ns: Namespace) -> AttachRequestBuilder {
         if self.config.namespaces.is_none() {
             self.config.namespaces = vec![].into();
@@ -211,6 +216,11 @@ impl CreateRequestBuilder {
         self
     }
 
+    pub fn set_oom_score_adj(mut self, score: i32) -> CreateRequestBuilder {
+        self.config.exec.oom_score_adj = Some(score);
+        self
+    }
+
     pub fn set_hostname(mut self, hostname: &str) -> CreateRequestBuilder {
         self.config.hostname = hostname.to_string().into();
         self
diff --git a/src/wrap.rs b/src/wrap.rs
@@ -639,6 +639,15 @@ impl Wrappable for CreateRequest {
 
         debug!("mount tree finalized, doing final prep");
 
+        // Ensure the process receives the desired out-of-memory score adjustment.
+        // If not specified, we do want to pro-actively set this value to the
+        // kernel-default of zero, else the subprocess inherits the styrolite
+        // oom score (which is typically set to a very low value).
+        fs::write(
+            "/proc/self/oom_score_adj",
+            self.exec.oom_score_adj.unwrap_or(0).to_string(),
+        )?;
+
         // We need to toggle SECBIT before we change UID/GID,
         // or else changing UID/GID may cause us to lose the capabilities
         // we need to explicitly drop capabilities later on.
@@ -841,6 +850,10 @@ impl Wrappable for AttachRequest {
 
         apply_capabilities(self.capabilities.as_ref())?;
 
+        if let Some(score) = self.exec.oom_score_adj {
+            fs::write("/proc/self/oom_score_adj", score.to_string())?;
+        }
+
         debug!("all namespaces joined -- forking child");
         fork_and_wait()?;
 

Original file line number	Diff line number	Diff line change
`@@ -85,6 +85,9 @@ pub struct ExecutableSpec {`
`85`	`85`	/// Requires `no_new_privs = true`.
`86`	`86`	`#[serde(default)]`
`87`	`87`	`pub seccomp: Option<SeccompFilter>,`
	`88`	`+`
	`89`	`+ /// An optional out-of-memory score adjustment value.`
	`90`	`+ pub oom_score_adj: Option<i32>,`
`88`	`91`	`}`
`89`	`92`
`90`	`93`	`#[derive(Default, Debug, Serialize, Deserialize)]`