figure out memory requirements for citizenlab ooniapi service #322
Description
citizenlab docker explodes on deploying to ec2 with oomkiller
Jan 29 14:28:53 ip-10-0-0-106 python3[19671]: ansible-community.docker.docker_container Invoked with name=citizenlab image=ooni/api-citizenlab:v0.1.0rc0 state=started user=1006:1006 network_mode=host volumes=['/opt/citizenlab/backend/citizenlab/citizenlab.conf:/etc/ooni/citizenlab.conf', '/var/lib/ooniapi:/var/lib/ooniapi', '/var/lib/citizenlab:/var/lib/citizenlab'] docker_host=unix:///var/run/docker.sock api_version=auto timeout=60 tls=False use_ssh_client=False validate_certs=False debug=False cleanup=False container_default_behavior=no_defaults command_handling=correct force_kill=False image_comparison=desired-image image_label_mismatch=ignore image_name_mismatch=recreate keep_volumes=True networks_cli_compatible=True output_logs=False pull=missing pull_check_mode_behavior=image_not_present recreate=False restart=False healthy_wait_timeout=300.0 tls_hostname=None ca_path=None client_cert=None client_key=None comparisons=None default_host_ip=None kill_signal=None paused=None removal_wait_timeout=None auto_remove=None blkio_weight=None capabilities=None cap_drop=None cgroupns_mode=None cgroup_parent=None command=None cpu_period=None cpu_quota=None cpuset_cpus=None cpuset_mems=None cpu_shares=None entrypoint=None cpus=None detach=None interactive=None devices=None device_read_bps=None device_write_bps=None device_read_iops=None device_write_iops=None device_requests=None device_cgroup_rules=None dns_servers=None dns_opts=None dns_search_domains=None domainname=None env=None env_file=None etc_hosts=None groups=None healthcheck=None hostname=None init=None ipc_mode=None kernel_memory=None labels=None links=None log_driver=None log_options=None mac_address=None memory=None memory_reservation=None memory_swap=None memory_swappiness=None stop_timeout=None networks=None oom_killer=None oom_score_adj=None pid_mode=None pids_limit=None platform=None privileged=None read_only=None restart_policy=None restart_retries=None runtime=None security_opts=None shm_size=None stop_signal=None storage_opts=None sysctls=None tmpfs=None tty=None ulimits=None userns_mode=None uts=None volume_driver=None volumes_from=None working_dir=None mounts=None exposed_ports=None publish_all_ports=None published_ports=None
Jan 29 14:29:01 ip-10-0-0-106 systemd[1]: var-lib-containerd-tmpmounts-containerd\x2dmount673954499.mount: Deactivated successfully.
Jan 29 14:29:21 ip-10-0-0-106 dockerd[18193]: time="2026-01-29T14:29:21.715328585Z" level=info msg="image pulled" digest="sha256:6376ce84377c11e6232e4804c40b47df932ad129317d5d87bdf3e19633f39481" remote="docker.io/ooni/api-citizenlab:v0.1.0rc0"
Jan 29 14:29:22 ip-10-0-0-106 dockerd[18193]: time="2026-01-29T14:29:22.051184374Z" level=error msg="failed to validate image signature" error="resolving signature chain for image sha256:6376ce84377c11e6232e4804c40b47df932ad129317d5d87bdf3e19633f39481: expected image index descriptor, got application/vnd.docker.distribution.manifest.v2+json"
Jan 29 14:29:22 ip-10-0-0-106 kernel: [13379.636957] evm: overlay not supported
Jan 29 14:29:22 ip-10-0-0-106 systemd[1]: tmp-containerd\x2dmount4191060004.mount: Deactivated successfully.
Jan 29 14:29:22 ip-10-0-0-106 containerd[17723]: time="2026-01-29T14:29:22.486837512Z" level=info msg="connecting to shim 19e12637582b6bbf5a95b23ae7f85481268a1984662504c71cc32529a98d4c03" address="unix:///run/containerd/s/e198f3bd57e085752a26f9abe03384a65dc9cb4ab96edb7af8967a4acf09a9ce" namespace=moby protocol=ttrpc version=3
Jan 29 14:29:22 ip-10-0-0-106 systemd[1]: Started libcontainer container 19e12637582b6bbf5a95b23ae7f85481268a1984662504c71cc32529a98d4c03.
Jan 29 14:29:22 ip-10-0-0-106 dockerd[18193]: time="2026-01-29T14:29:22.808187806Z" level=info msg="sbJoin: gwep4 ''->'', gwep6 ''->''" eid=c62ef2bb7905 ep=citizenlab net=host nid=243a72a7c0cb
Jan 29 14:51:58 ip-10-0-0-106 kernel: [14736.228908] dbus-daemon invoked oom-killer: gfp_mask=0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), order=0, oom_score_adj=-900
Jan 29 14:51:58 ip-10-0-0-106 kernel: [14736.228923] CPU: 1 PID: 448 Comm: dbus-daemon Not tainted 6.8.0-1044-aws #46~22.04.1-Ubuntu
Jan 29 14:51:58 ip-10-0-0-106 kernel: [14736.228931] Hardware name: Amazon EC2 t3a.nano/, BIOS 1.0 10/16/2017
Jan 29 14:51:58 ip-10-0-0-106 kernel: [14736.228935] Call Trace: