Re: [PATCH] libxc: try to find last used pfn when migrating

[Juergen Gross <jgross@suse.com>]

On 27/11/15 16:22, Ian Jackson wrote:
> Juergen Gross writes ("Re: [Xen-devel] [PATCH] libxc: try to find last used pfn when migrating"):
>> xl migrate will use much less resources for a domain with a 3.x kernel
>> started with max_mem being much larger than mem. E.g. in case you start
>> a domain on a small stand-by system and migrate it later to the large
>> production system and want to balloon it up there.
>>
>> Additionally there was a discussion this week on irc regarding this
>> topic and concern was raised this could block dom0 responsiveness.
> 
> I agree that this is a real problem but AFAICT I don't think the
> approach taken in Juergen's toolstack patch will solve it completely.
> 
> I would phrase the bug like this:
> 
>    A malicious guest kernel can cause the toolstack, when attempting
>    to migrate the domain, to use wildly excessive dom0 RAM.
> 
> I think where the administrator has configured a guest with (say) 1G
> of RAM, the memory used by the toolstack to migrate it should be
> significantly less than that 1G.
> 
> If the toolstack algorithms are such that strange behaviour by a guest
> could violate this assumption, then the toolstack should have an
> explicit check and (by default, at least) refuse to migrate such a
> guest.
> 
> I think Juergen's patch is a good workaround for existing guests which
> /accidentally/ exhibit undesirable behaviour, if we want to keep
> supporting them.

It should be considered to be a working base for being able to reject
migrating a misbehaving domain.

I guess any pv-guest which active p2m list is covering more than twice
it's max_mem can be considered to be misbehaving and migration could be
rejected.

More fine tuning would be possible by supporting a sparse p2m list, but
this would require more work. I'm not sure if it's possible to support
a sparse logdirty bitmap with current hypervisor interfaces.


Juergen