From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jacob Gorm Hansen
Subject: Re: copy on write memory
Date: Fri, 19 Nov 2004 13:02:01 +0100
Message-ID: <419DE0B9.4030502@diku.dk>
To: Keir Fraser
Cc: Peri Hankey, urmk@reason.marist.edu, Rik van Riel, xen-devel@lists.sourceforge.net
List-Id: xen-devel@lists.xenproject.org

Keir Fraser wrote:

> This would end up pushing policy into Xen -- what happens when memory
> is fully committed, some domain has given up a bunch of his
> exclusively-owned pages by buying into the shared table, and now he
> has a slew of CoW faults and wants to get some of his exclusive pages
> back from Xen, thankyou very much?
>
> At this point Xen needs some reclamation policy (saying that Xen will
> guarantee to have enough pages around to satisfy these requests is not
> possible, since the point of the sharing is to be able to
> "over-reserve" memory). It needs to decide which pages to reclaim,
> then have a mechanism for reclaiming them which will probably involve
> communicating up to the domains concerned in advance and setting
> timeouts by when they must relinquish their mappings.
>
> This is the kind of thing I would prefer to implement outside Xen.

Could the same thing not work using an event-channel rather than a hypercall then? I guess you basically do the same when giving your pages away for a driver to fill them up with data?

My main point is that the domains have better knowledge about what pages are likely to be shareable than dom0 or Xen has, and so should volunteer to share them, and somehow be rewarded.

The problem of reclamation-policy will exist for any solution that over-reserves memory, including the transparent VMWare system.

For some pages, like the guest OS kernel text area, it would be ok to remove these pages from the domain's allowance for good -- it will not need to CoW these, and the domain builder could simply build that part of the domain from shared pages.

Perhaps this should just be a one-way street, you give up pages to be nice to others (and get cheaper hosting or whatever kind of reward you can think of in return), and then you lose the right to write to them for good. Should you need more writable pages, you will have to re-grow your reservation, and if that fails you will need to flush some slabs or buffer caches or page stuff to disk or whatever you do in Linux when you have memory pressure. Ultimately you may want to migrate to a less loaded machine.

It seems to me any other kind of solution will allow a malicious domain to affect the performance of innocent domains by repeatedly sharing and unsharing its pages (whether by explicit hypercall or by placing popular vs random data in them).

Jacob
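
Added example, not part of the message above and not Xen code: a toy C accounting model of the one-way sharing proposal, next to a policy that guarantees unsharing, to show which domain pays when the host is fully committed. All struct and function names are hypothetical, and it assumes each donated page duplicates an already-shared frame, so the private frame is freed to the host.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy page accounting; all names are hypothetical, not Xen interfaces. */
struct host   { unsigned free_pages; };
struct domain { unsigned reservation; unsigned shared_ro; };

/* One-way donation: n private pages become read-only shared mappings and
 * leave the reservation for good (assumed to free n frames to the host). */
static bool donate(struct host *h, struct domain *d, unsigned n)
{
    if (n > d->reservation) return false;
    d->reservation -= n;
    d->shared_ro   += n;
    h->free_pages  += n;
    return true;
}

/* Growing the reservation is the only way back to writable pages. It can
 * fail, and then the caller handles its own memory pressure. */
static bool grow(struct host *h, struct domain *d, unsigned n)
{
    if (n > h->free_pages) return false;
    h->free_pages  -= n;
    d->reservation += n;
    return true;
}

/* The alternative: unsharing is guaranteed, so on a fully committed host
 * the pages have to be reclaimed from some other domain. */
static bool unshare_guaranteed(struct host *h, struct domain *d,
                               struct domain *victim, unsigned n)
{
    if (n > d->shared_ro || n > victim->reservation) return false;
    if (!grow(h, d, n)) {
        victim->reservation -= n;   /* forced reclamation from a bystander */
        d->reservation      += n;
    }
    d->shared_ro -= n;
    return true;
}

int main(void)
{
    struct host h = { 0 };                    /* fully committed host */
    struct domain a = { 1000, 0 }, b = { 1000, 0 };
    donate(&h, &a, 100);                      /* a shares 100 pages   */
    grow(&h, &b, 100);                        /* b takes the freed memory */
    printf("one-way regrow ok=%d, b=%u\n", grow(&h, &a, 100), b.reservation);
    unshare_guaranteed(&h, &a, &b, 100);
    printf("guaranteed unshare: a=%u, b=%u\n", a.reservation, b.reservation);
    return 0;
}
```

Under the one-way rule the failed regrow leaves b untouched; under the guaranteed rule every share/unshare cycle by a costs b the pages it had been given.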