+15

nixos/doc/manual/from_md/release-notes/rl-2211.section.xml

··· 719 719 </listitem> 720 720 <listitem> 721 721 <para> 722 722 + systemd-oomd is enabled by default. Depending on which systemd 723 723 + units have <literal>ManagedOOMSwap=kill</literal> or 724 724 + <literal>ManagedOOMMemoryPressure=kill</literal>, systemd-oomd 725 725 + will SIGKILL all the processes under the appropriate 726 726 + descendant cgroups when the configured limits are exceeded. 727 727 + NixOS does currently not configure cgroups with oomd by 728 728 + default, this can be enabled using 729 729 + <link xlink:href="options.html#opt-systemd.oomd.enableRootSlice">systemd.oomd.enableRootSlice</link>, 730 730 + <link xlink:href="options.html#opt-systemd.oomd.enableSystemSlice">systemd.oomd.enableSystemSlice</link>, 731 731 + and 732 732 + <link xlink:href="options.html#opt-systemd.oomd.enableUserServices">systemd.oomd.enableUserServices</link>. 733 733 + </para> 734 734 + </listitem> 735 735 + <listitem> 736 736 + <para> 722 737 The <literal>pass-secret-service</literal> package now 723 738 includes systemd units from upstream, so adding it to the 724 739 NixOS <literal>services.dbus.packages</literal> option will

+9

nixos/doc/manual/release-notes/rl-2211.section.md

··· 235 235 236 236 - Add udev rules for the Teensy family of microcontrollers. 237 237 238 238 + - systemd-oomd is enabled by default. Depending on which systemd units have 239 239 + `ManagedOOMSwap=kill` or `ManagedOOMMemoryPressure=kill`, systemd-oomd will 240 240 + SIGKILL all the processes under the appropriate descendant cgroups when the 241 241 + configured limits are exceeded. NixOS does currently not configure cgroups 242 242 + with oomd by default, this can be enabled using 243 243 + [systemd.oomd.enableRootSlice](options.html#opt-systemd.oomd.enableRootSlice), 244 244 + [systemd.oomd.enableSystemSlice](options.html#opt-systemd.oomd.enableSystemSlice), 245 245 + and [systemd.oomd.enableUserServices](options.html#opt-systemd.oomd.enableUserServices). 246 246 + 238 247 - The `pass-secret-service` package now includes systemd units from upstream, so adding it to the NixOS `services.dbus.packages` option will make it start automatically as a systemd user service when an application tries to talk to the libsecret D-Bus API. 239 248 240 249 - There is a new module for AMD SEV CPU functionality, which grants access to the hardware.

+1

nixos/modules/module-list.nix

··· 1236 1236 ./system/boot/systemd/journald.nix 1237 1237 ./system/boot/systemd/logind.nix 1238 1238 ./system/boot/systemd/nspawn.nix 1239 1239 + ./system/boot/systemd/oomd.nix 1239 1240 ./system/boot/systemd/shutdown.nix 1240 1241 ./system/boot/systemd/tmpfiles.nix 1241 1242 ./system/boot/systemd/user.nix

+57

nixos/modules/system/boot/systemd/oomd.nix

··· 1 1 + { config, lib, ... }: let 2 2 + 3 3 + cfg = config.systemd.oomd; 4 4 + 5 5 + in { 6 6 + options.systemd.oomd = { 7 7 + enable = lib.mkEnableOption "the systemd-oomd OOM killer" // { default = true; }; 8 8 + 9 9 + # Fedora enables the first and third option by default. See the 10-oomd-* files here: 10 10 + # https://src.fedoraproject.org/rpms/systemd/tree/acb90c49c42276b06375a66c73673ac351025597 11 11 + enableRootSlice = lib.mkEnableOption "oomd on the root slice (-.slice)"; 12 12 + enableSystemSlice = lib.mkEnableOption "oomd on the system slice (system.slice)"; 13 13 + enableUserServices = lib.mkEnableOption "oomd on all user services (user@.service)"; 14 14 + 15 15 + extraConfig = lib.mkOption { 16 16 + type = with lib.types; attrsOf (oneOf [ str int bool ]); 17 17 + default = {}; 18 18 + example = lib.literalExpression ''{ DefaultMemoryPressureDurationSec = "20s"; }''; 19 19 + description = '' 20 20 + Extra config options for systemd-oomd. See man oomd.conf 21 21 + for available options. 22 22 + ''; 23 23 + }; 24 24 + }; 25 25 + 26 26 + config = lib.mkIf cfg.enable { 27 27 + systemd.additionalUpstreamSystemUnits = [ 28 28 + "systemd-oomd.service" 29 29 + "systemd-oomd.socket" 30 30 + ]; 31 31 + systemd.services.systemd-oomd.wantedBy = [ "multi-user.target" ]; 32 32 + 33 33 + environment.etc."systemd/oomd.conf".text = lib.generators.toINI {} { 34 34 + OOM = cfg.extraConfig; 35 35 + }; 36 36 + 37 37 + systemd.oomd.extraConfig.DefaultMemoryPressureDurationSec = lib.mkDefault "20s"; # Fedora default 38 38 + 39 39 + users.users.systemd-oom = { 40 40 + description = "systemd-oomd service user"; 41 41 + group = "systemd-oom"; 42 42 + isSystemUser = true; 43 43 + }; 44 44 + users.groups.systemd-oom = { }; 45 45 + 46 46 + systemd.slices."-".sliceConfig = lib.mkIf cfg.enableRootSlice { 47 47 + ManagedOOMSwap = "kill"; 48 48 + }; 49 49 + systemd.slices."system".sliceConfig = lib.mkIf cfg.enableSystemSlice { 50 50 + ManagedOOMSwap = "kill"; 51 51 + }; 52 52 + systemd.services."user@".serviceConfig = lib.mkIf cfg.enableUserServices { 53 53 + ManagedOOMMemoryPressure = "kill"; 54 54 + ManagedOOMMemoryPressureLimit = "50%"; 55 55 + }; 56 56 + }; 57 57 + }

+1

nixos/tests/all-tests.nix

··· 607 607 systemd-networkd-ipv6-prefix-delegation = handleTest ./systemd-networkd-ipv6-prefix-delegation.nix {}; 608 608 systemd-networkd-vrf = handleTest ./systemd-networkd-vrf.nix {}; 609 609 systemd-nspawn = handleTest ./systemd-nspawn.nix {}; 610 610 + systemd-oomd = handleTest ./systemd-oomd.nix {}; 610 611 systemd-shutdown = handleTest ./systemd-shutdown.nix {}; 611 612 systemd-timesyncd = handleTest ./systemd-timesyncd.nix {}; 612 613 systemd-misc = handleTest ./systemd-misc.nix {};

+37

nixos/tests/systemd-oomd.nix

··· 1 1 + import ./make-test-python.nix ({ pkgs, ... }: 2 2 + 3 3 + { 4 4 + name = "systemd-oomd"; 5 5 + 6 6 + nodes.machine = { pkgs, ... }: { 7 7 + systemd.oomd.extraConfig.DefaultMemoryPressureDurationSec = "1s"; # makes the test faster 8 8 + # Kill cgroups when more than 1% pressure is encountered 9 9 + systemd.slices."-".sliceConfig = { 10 10 + ManagedOOMMemoryPressure = "kill"; 11 11 + ManagedOOMMemoryPressureLimit = "1%"; 12 12 + }; 13 13 + # A service to bring the system under memory pressure 14 14 + systemd.services.testservice = { 15 15 + serviceConfig.ExecStart = "${pkgs.coreutils}/bin/tail /dev/zero"; 16 16 + }; 17 17 + # Do not kill the backdoor 18 18 + systemd.services.backdoor.serviceConfig.ManagedOOMMemoryPressure = "auto"; 19 19 + 20 20 + virtualisation.memorySize = 1024; 21 21 + }; 22 22 + 23 23 + testScript = '' 24 24 + # Start the system 25 25 + machine.wait_for_unit("multi-user.target") 26 26 + machine.succeed("oomctl") 27 27 + 28 28 + # Bring the system into memory pressure 29 29 + machine.succeed("echo 0 > /proc/sys/vm/panic_on_oom") # NixOS tests kill the VM when the OOM killer is invoked - override this 30 30 + machine.succeed("systemctl start testservice") 31 31 + 32 32 + # Wait for oomd to kill something 33 33 + # Matches these lines: 34 34 + # systemd-oomd[508]: Killed /system.slice/systemd-udevd.service due to memory pressure for / being 3.26% > 1.00% for > 1s with reclaim activity 35 35 + machine.wait_until_succeeds("journalctl -b | grep -q 'due to memory pressure for'") 36 36 + ''; 37 37 + })