Should -XX:+UseContainerSupport flag be used in OpenJDK images?

Solution Verified - Updated 14 Jun 2024

---

Environment

• Red Hat build of OpenJDK
  • OpenJDK 1.8.191+
  • OpenJDK 11
  • Openshift Image with redhat-openjdk-18/openjdk18-openshift

Issue

• JVM options -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap are used for application, should -XX:+UseContainerSupport flag also be applied?

Resolution

Since OpenJDK 8u191+ java is container aware and will calculate the Xmx/Xms as a percentage of the container size

The flag is -XX:[+|-]UseContainerSupport was introduced in JDK 10, for the Red Hat build of OpenJDK, it is backported to OpenJDK 8, see errata RHBA-2018:3017, it is default to on.
This flag enables the JVM to be aware that it is running in a CRI-O/Docker container and will extract container-specific configuration information instead of querying the operating system.
The information being extracted is the number of CPUs and total memory that have been allocated to the container. The total number of CPUs available to the Java process is calculated from any specified CPU sets, CPU shares or CPU quotas. This support is only available on Linux based platforms.

UseCGroupMemoryLimitForHeap Usage

` -XX:+UseCGroupMemoryLimitForHeap` (used with `-XX:+UnlockExperimentalVMOptions`) should **NOT** be used, as it was an experimental flag and it is deprecated when `UseContainerSupport` was introduced. `-XX:+UseCGroupMemoryLimitForHeap` is been removed in OpenJDK11. See OpenJDK jira [JDK-8194086 Remove deprecated experimental flag UseCGroupMemoryLimitForHeap](https://bugs.openjdk.java.net/browse/JDK-8194086).

JVM flag	Purpose	Observation
UseContainerSupport	Makes the JVM container aware - via cgroups	Back ported on Java 8u191 and it the default
UseCGroupMemoryLimitForHeap	Calculate JVM limits via cgroups(control groups)	[Deprecated] Experimental flag introduced on Java 8u131 deprecated for UseContainerSupport

Root Cause

Before UseContainerSupport the JVM process was not container aware, so it did not recognize (and therefore not enforce) the memory or cpu limits set by the container this limit is recognized from the cgroups, which is a kernel feature that limits resource usage: CPU, memory, disk I/O, network.

SBR

• JVM & Diagnostics

Product(s)

• Red Hat build of OpenJDK

Components

• java-1.8.0-openjdk

Category

• Configure

Tags

• jvm
• jvm_tunning
• openshift

---

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.