From: "Michael S. Tsirkin" <mst@redhat.com>
To: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: James.Bottomley@HansenPartnership.com,
"Denis V. Lunev" <den@openvz.org>,
qemu-devel@nongnu.org,
Raushaniya Maksudova <rmaksudova@virtuozzo.com>,
Anthony Liguori <aliguori@amazon.com>
Subject: Re: [Qemu-devel] [PATCH 1/1] balloon: add a feature bit to let Guest OS deflate balloon on oom
Date: Mon, 15 Jun 2015 12:10:05 +0200 [thread overview]
Message-ID: <20150615120626-mutt-send-email-mst@redhat.com> (raw)
In-Reply-To: <557EA1E9.3070000@de.ibm.com>
On Mon, Jun 15, 2015 at 11:59:05AM +0200, Christian Borntraeger wrote:
> Am 15.06.2015 um 11:06 schrieb Michael S. Tsirkin:
>
> >>> AFAIK management tools depend on balloon not deflating
> >>> below host-specified threshold to avoid OOM on the host.
> >>> So I don't think we can make this a default,
> >>> management needs to enable this explicitly.
> >>
> >> If the ballooning is required to keep the host memory managedment
> >> from OOM - iow abusing ballooning as memory hotplug between guests
> >> then yes better let the guest oom - that makes sense.
> >>
> >> Now: I think that doing so (not having enough swap in the host if
> >> all guests deflate) and relying on balloon semantics is fundamentally
> >> broken. Let me explain this: The problem is that we rely on guest
> >> cooperation for the host integrity. As I explained using madvise
> >> WONT_NEED will replace the current PTEs with invalid/emtpy PTEs. As
> >> soon as the guest kernel re-touches the page (e.g. a malicious
> >> kernel module - not the balloon driver) it will be backed by the VMAs
> >> default method - so usually with a shared R/O copy of the empty
> >> zero page. Write accesses will result in a copy-on-write and allocate
> >> new memory in the host.
> >> There is nothing we can do in the balloon protocol to protect the host
> >> against malicious guests allocating all the maximum memory.
> >
> > If we want to try and harden host, we can unmap it so guest will crash
> > if it touches pages without deflate.
> >
> >> If you need host integrity against guest memory usage, something like
> >> cgroups_memory or so is probably the only reliable way.
> >
> > In the original design, protection against a malicious guest is not the
> > point of the balloon, it's a technology that let you overcommit
> > cooperative guests.
>
> Sure. But then its perfectly fine to let the guest reclaim by default,
> because your statement
> "AFAIK management tools depend on balloon not deflating
> below host-specified threshold to avoid OOM on the host.
> So I don't think we can make this a default,
> management needs to enable this explicitly."
>
> is not true ;-)
>
> Christian
I don't see the connection.
Deflate on OOM means "it's OK to deflate if you like, this won't
cause any harm". If you set this flag, you can't overcommit host too
agressively even with cooperative guests.
--
MST
next prev parent reply other threads:[~2015-06-15 10:10 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-09 10:19 [Qemu-devel] [PATCH v6 0/1] balloon: add a feature bit to let Guest OS deflate Denis V. Lunev
2015-06-09 10:19 ` [Qemu-devel] [PATCH 1/1] balloon: add a feature bit to let Guest OS deflate balloon on oom Denis V. Lunev
2015-06-09 10:37 ` Christian Borntraeger
2015-06-10 12:02 ` Denis V. Lunev
2015-06-10 13:13 ` Michael S. Tsirkin
2015-06-10 13:27 ` Denis V. Lunev
2015-06-12 11:56 ` Christian Borntraeger
2015-06-13 20:10 ` Michael S. Tsirkin
2015-06-15 7:01 ` Christian Borntraeger
2015-06-15 9:06 ` Michael S. Tsirkin
2015-06-15 9:59 ` Christian Borntraeger
2015-06-15 10:10 ` Michael S. Tsirkin [this message]
2015-06-15 11:10 ` Christian Borntraeger
2015-06-09 10:37 ` Denis V. Lunev
-- strict thread matches above, loose matches on Subject: below --
2015-06-15 10:52 [Qemu-devel] [PATCH v7 0/1] balloon: add a feature bit to let Guest OS deflate Denis V. Lunev
2015-06-15 10:52 ` [Qemu-devel] [PATCH 1/1] balloon: add a feature bit to let Guest OS deflate balloon on oom Denis V. Lunev
2015-06-23 13:36 ` Christian Borntraeger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150615120626-mutt-send-email-mst@redhat.com \
--to=mst@redhat.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=aliguori@amazon.com \
--cc=borntraeger@de.ibm.com \
--cc=den@openvz.org \
--cc=qemu-devel@nongnu.org \
--cc=rmaksudova@virtuozzo.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).