From: Richard Davies <richard-li8END47hbdWk0Htik3J/w@public.gmane.org>
To: Michal Hocko <mhocko-AlSwsSmVLrQ@public.gmane.org>
Cc: Vladimir Davydov
<vdavydov-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>,
Marian Marinov <mm-NV7Lj0SOnH0@public.gmane.org>,
Max Kellermann <mk-xMchvyqCc6DQT0dZR+AlfA@public.gmane.org>,
Tim Hockin <thockin-Rl2oBbRerpQdnm+yROfE0A@public.gmane.org>,
Frederic Weisbecker
<fweisbec-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
Serge Hallyn
<serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>,
Tim Hockin <thockin-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
Glauber Costa <glommer-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>,
Johannes Weiner <hannes-druUgvl0LCNAfugRpC6u6w@public.gmane.org>,
linux-mm-Bw31MaZKKs3YtjvyW6yDsg@public.gmane.org,
William Dauchy <wdauchy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
David Rientjes <rientjes-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Daniel Walsh <dwalsh-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Subject: Re: Protection against container fork bombs [WAS: Re: memcg with kmem limit doesn't recover after disk i/o causes limit to be hit]
Date: Tue, 29 Apr 2014 19:39:28 +0100 [thread overview]
Message-ID: <20140429183928.GF29606@alpha.arachsys.com> (raw)
In-Reply-To: <20140429182742.GB25609-2MMpYkNvuYDjFM9bn6wA6Q@public.gmane.org>
Michal Hocko wrote:
> Richard Davies wrote:
> > Dwight Engen wrote:
> > > Is there a plan to separately account/limit stack pages vs kmem in
> > > general? Richard would have to verify, but I suspect kmem is not
> > > currently viable as a process limiter for him because
> > > icache/dcache/stack is all accounted together.
> >
> > Certainly I would like to be able to limit container fork-bombs without
> > limiting the amount of disk IO caching for processes in those containers.
> >
> > In my testing with of kmem limits, I needed a limit of 256MB or lower to
> > catch fork bombs early enough. I would definitely like more than 256MB of
> > disk caching.
> >
> > So if we go the "working kmem" route, I would like to be able to specify a
> > limit excluding disk cache.
>
> Page cache (which is what you mean by disk cache probably) is a
> userspace accounted memory with the memory cgroup controller. And you
> do not have to limit that one.
OK, that's helpful - thanks.
As an aside, with the normal (non-kmem) cgroup controller, is there a way
for me to exclude page cache and only limit the equivalent of the rss line
in memory.stat?
e.g. say I have a 256GB physical machine, running 200 containers, each with
1GB normal-mem limit (for running software) and 256MB kmem limit (to stop
fork-bombs).
The physical disk IO bandwidth is a shared resource between all the
containers, so ideally I would like the kernel to used the 56GB of RAM as
shared page cache however it best reduces physical IOPs, rather than having
a per-container limit.
Thanks,
Richard.
WARNING: multiple messages have this Message-ID (diff)
From: Richard Davies <richard@arachsys.com>
To: Michal Hocko <mhocko@suse.cz>
Cc: Dwight Engen <dwight.engen@oracle.com>,
Tim Hockin <thockin@google.com>,
Vladimir Davydov <vdavydov@parallels.com>,
David Rientjes <rientjes@google.com>,
Marian Marinov <mm@yuhu.biz>, Max Kellermann <mk@cm4all.com>,
Tim Hockin <thockin@hockin.org>,
Frederic Weisbecker <fweisbec@gmail.com>,
containers@lists.linux-foundation.org,
Serge Hallyn <serge.hallyn@ubuntu.com>,
Glauber Costa <glommer@parallels.com>,
linux-mm@kvack.org, William Dauchy <wdauchy@gmail.com>,
Johannes Weiner <hannes@cmpxchg.org>, Tejun Heo <tj@kernel.org>,
cgroups@vger.kernel.org, Daniel Walsh <dwalsh@redhat.com>
Subject: Re: Protection against container fork bombs [WAS: Re: memcg with kmem limit doesn't recover after disk i/o causes limit to be hit]
Date: Tue, 29 Apr 2014 19:39:28 +0100 [thread overview]
Message-ID: <20140429183928.GF29606@alpha.arachsys.com> (raw)
In-Reply-To: <20140429182742.GB25609@dhcp22.suse.cz>
Michal Hocko wrote:
> Richard Davies wrote:
> > Dwight Engen wrote:
> > > Is there a plan to separately account/limit stack pages vs kmem in
> > > general? Richard would have to verify, but I suspect kmem is not
> > > currently viable as a process limiter for him because
> > > icache/dcache/stack is all accounted together.
> >
> > Certainly I would like to be able to limit container fork-bombs without
> > limiting the amount of disk IO caching for processes in those containers.
> >
> > In my testing with of kmem limits, I needed a limit of 256MB or lower to
> > catch fork bombs early enough. I would definitely like more than 256MB of
> > disk caching.
> >
> > So if we go the "working kmem" route, I would like to be able to specify a
> > limit excluding disk cache.
>
> Page cache (which is what you mean by disk cache probably) is a
> userspace accounted memory with the memory cgroup controller. And you
> do not have to limit that one.
OK, that's helpful - thanks.
As an aside, with the normal (non-kmem) cgroup controller, is there a way
for me to exclude page cache and only limit the equivalent of the rss line
in memory.stat?
e.g. say I have a 256GB physical machine, running 200 containers, each with
1GB normal-mem limit (for running software) and 256MB kmem limit (to stop
fork-bombs).
The physical disk IO bandwidth is a shared resource between all the
containers, so ideally I would like the kernel to used the 56GB of RAM as
shared page cache however it best reduces physical IOPs, rather than having
a per-container limit.
Thanks,
Richard.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2014-04-29 18:39 UTC|newest]
Thread overview: 84+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-16 15:46 memcg with kmem limit doesn't recover after disk i/o causes limit to be hit Richard Davies
2014-04-18 15:59 ` Michal Hocko
[not found] ` <20140418155939.GE4523-2MMpYkNvuYDjFM9bn6wA6Q@public.gmane.org>
2014-04-18 17:57 ` Vladimir Davydov
2014-04-18 17:57 ` Vladimir Davydov
[not found] ` <5351679F.5040908-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2014-04-18 18:20 ` Michal Hocko
2014-04-18 18:20 ` Michal Hocko
2014-04-18 18:37 ` Vladimir Davydov
2014-04-20 14:28 ` Protection against container fork bombs [WAS: Re: memcg with kmem limit doesn't recover after disk i/o causes limit to be hit] Richard Davies
2014-04-20 14:28 ` Richard Davies
[not found] ` <20140420142830.GC22077-2oeHp4OYwSjPZs67QiJbJtBPR1lH4CV8@public.gmane.org>
2014-04-20 18:35 ` Tim Hockin
2014-04-22 18:39 ` Dwight Engen
2014-04-20 18:35 ` Tim Hockin
2014-04-22 18:39 ` Dwight Engen
[not found] ` <20140422143943.20609800-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
2014-04-22 20:05 ` Richard Davies
2014-04-22 20:05 ` Richard Davies
[not found] ` <20140422200531.GA19334-2oeHp4OYwSjPZs67QiJbJtBPR1lH4CV8@public.gmane.org>
2014-04-22 20:13 ` Tim Hockin
2014-04-23 6:07 ` Marian Marinov
2014-04-23 6:07 ` Marian Marinov
[not found] ` <535758A0.5000500-NV7Lj0SOnH0@public.gmane.org>
2014-04-23 12:49 ` Dwight Engen
2014-04-23 12:49 ` Dwight Engen
[not found] ` <20140423084942.560ae837-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
2014-04-28 18:00 ` Serge Hallyn
2014-04-28 18:00 ` Serge Hallyn
2014-04-29 7:25 ` Michal Hocko
2014-04-29 7:25 ` Michal Hocko
[not found] ` <20140429072515.GB15058-2MMpYkNvuYDjFM9bn6wA6Q@public.gmane.org>
2014-04-29 13:03 ` Serge Hallyn
2014-04-29 13:03 ` Serge Hallyn
2014-04-29 13:57 ` Marian Marinov
2014-04-29 13:57 ` Marian Marinov
2014-04-29 13:57 ` Marian Marinov
2014-04-29 14:04 ` Tim Hockin
2014-04-29 14:04 ` Tim Hockin
2014-04-29 15:43 ` Michal Hocko
2014-04-29 15:43 ` Michal Hocko
2014-04-29 15:43 ` Michal Hocko
[not found] ` <20140429154345.GH15058-2MMpYkNvuYDjFM9bn6wA6Q@public.gmane.org>
2014-04-29 16:06 ` Tim Hockin
2014-04-29 16:06 ` Tim Hockin
2014-04-29 16:51 ` Frederic Weisbecker
[not found] ` <20140429165114.GE6129-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2014-04-29 16:59 ` Tim Hockin
2014-04-29 16:59 ` Tim Hockin
[not found] ` <CAO_Rewa20dneL8e3T4UPnu2Dkv28KTgFJR9_YSmRBKp-_yqewg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-29 17:06 ` Michal Hocko
2014-04-29 17:06 ` Michal Hocko
[not found] ` <20140429170639.GA25609-2MMpYkNvuYDjFM9bn6wA6Q@public.gmane.org>
2014-04-29 17:30 ` Dwight Engen
2014-04-29 17:30 ` Dwight Engen
2014-04-29 18:09 ` Richard Davies
[not found] ` <20140429180927.GB29606-2oeHp4OYwSjPZs67QiJbJtBPR1lH4CV8@public.gmane.org>
2014-04-29 18:27 ` Michal Hocko
2014-04-29 18:27 ` Michal Hocko
[not found] ` <20140429182742.GB25609-2MMpYkNvuYDjFM9bn6wA6Q@public.gmane.org>
2014-04-29 18:39 ` Richard Davies [this message]
2014-04-29 18:39 ` Richard Davies
2014-04-29 19:03 ` Michal Hocko
[not found] ` <20140429183928.GF29606-2oeHp4OYwSjPZs67QiJbJtBPR1lH4CV8@public.gmane.org>
2014-04-29 19:03 ` Michal Hocko
2014-04-29 21:36 ` Marian Marinov
2014-04-29 21:36 ` Marian Marinov
[not found] ` <53601B68.60906-NV7Lj0SOnH0@public.gmane.org>
2014-04-30 13:31 ` Michal Hocko
2014-04-30 13:31 ` Michal Hocko
2014-04-30 13:31 ` Michal Hocko
2014-04-29 18:27 ` Michal Hocko
[not found] ` <20140429133039.162d9dd7-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
2014-04-29 18:09 ` Richard Davies
2014-04-29 17:06 ` Michal Hocko
2014-04-29 21:44 ` Frederic Weisbecker
2014-04-29 21:44 ` Frederic Weisbecker
2014-04-30 13:12 ` Daniel J Walsh
[not found] ` <5360F6B4.9010308-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-04-30 13:28 ` Frederic Weisbecker
2014-04-30 13:28 ` Frederic Weisbecker
2014-04-30 13:28 ` Frederic Weisbecker
[not found] ` <20140429214454.GF6129-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2014-04-30 13:12 ` Daniel J Walsh
2014-04-29 21:44 ` Frederic Weisbecker
2014-04-29 16:59 ` Tim Hockin
[not found] ` <CAO_RewYZDGLBAKit4CudTbqVk+zfDRX8kP0W6Zz90xJh7abM9Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-04-29 16:51 ` Frederic Weisbecker
2014-04-29 13:03 ` Serge Hallyn
2014-05-06 11:40 ` Marian Marinov
2014-06-10 14:50 ` Marian Marinov
2014-06-10 14:50 ` Marian Marinov
2014-06-10 14:50 ` Marian Marinov
2014-05-06 11:40 ` Marian Marinov
2014-05-07 17:15 ` Dwight Engen
[not found] ` <20140507131514.43716518-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
2014-05-07 22:39 ` Marian Marinov
2014-05-07 22:39 ` Marian Marinov
[not found] ` <536AB626.9070005-108MBtLGafw@public.gmane.org>
2014-05-08 15:25 ` Richard Davies
2014-05-08 15:25 ` Richard Davies
[not found] ` <5368CA47.7030007-NV7Lj0SOnH0@public.gmane.org>
2014-05-07 17:15 ` Dwight Engen
2014-04-23 6:07 ` Marian Marinov
2014-06-10 12:18 ` Alin Dobre
2014-06-10 12:18 ` Alin Dobre
2014-04-22 20:13 ` Tim Hockin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140429183928.GF29606@alpha.arachsys.com \
--to=richard-li8end47hbdwk0htik3j/w@public.gmane.org \
--cc=cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=dwalsh-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=fweisbec-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=glommer-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org \
--cc=hannes-druUgvl0LCNAfugRpC6u6w@public.gmane.org \
--cc=linux-mm-Bw31MaZKKs3YtjvyW6yDsg@public.gmane.org \
--cc=mhocko-AlSwsSmVLrQ@public.gmane.org \
--cc=mk-xMchvyqCc6DQT0dZR+AlfA@public.gmane.org \
--cc=mm-NV7Lj0SOnH0@public.gmane.org \
--cc=rientjes-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org \
--cc=serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org \
--cc=thockin-Rl2oBbRerpQdnm+yROfE0A@public.gmane.org \
--cc=thockin-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org \
--cc=tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
--cc=vdavydov-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org \
--cc=wdauchy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.