Re: [Qemu-devel] [PATCH 1/1] balloon: add a feature bit to let Guest OS deflate balloon on oom

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: Christian Borntraeger <borntraeger@de.ibm.com>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: James.Bottomley@HansenPartnership.com,
	"Denis V. Lunev" <den@openvz.org>,
	qemu-devel@nongnu.org,
	Raushaniya Maksudova <rmaksudova@virtuozzo.com>,
	Anthony Liguori <aliguori@amazon.com>
Subject: Re: [Qemu-devel] [PATCH 1/1] balloon: add a feature bit to let Guest OS deflate balloon on oom
Date: Mon, 15 Jun 2015 11:59:05 +0200	[thread overview]
Message-ID: <557EA1E9.3070000@de.ibm.com> (raw)
In-Reply-To: <20150615104654-mutt-send-email-mst@redhat.com>

Am 15.06.2015 um 11:06 schrieb Michael S. Tsirkin:

>>> AFAIK management tools depend on balloon not deflating
>>> below host-specified threshold to avoid OOM on the host.
>>> So I don't think we can make this a default,
>>> management needs to enable this explicitly.
>>
>> If the ballooning is required to keep the host memory managedment
>> from OOM - iow abusing ballooning as memory hotplug between guests
>> then yes better let the guest oom - that makes sense.
>>
>> Now: I think that doing so (not having enough swap in the host if
>> all guests deflate) and relying on balloon semantics is fundamentally
>> broken. Let me explain this: The problem is that we rely on guest
>> cooperation for the host integrity. As I explained  using madvise 
>> WONT_NEED will replace the current PTEs with invalid/emtpy PTEs. As
>> soon as the guest kernel re-touches the page (e.g. a malicious 
>> kernel module - not the balloon driver) it will be backed by the VMAs
>> default method - so usually with a shared R/O copy of the empty
>> zero page. Write accesses will result in a copy-on-write and allocate
>> new memory in the host. 
>> There is nothing we can do in the balloon protocol to protect the host
>> against malicious guests allocating all the maximum memory.
> 
> If we want to try and harden host, we can unmap it so guest will crash
> if it touches pages without deflate.
> 
>> If you need host integrity against guest memory usage, something like
>> cgroups_memory or so is probably the only reliable way.
> 
> In the original design, protection against a malicious guest is not the
> point of the balloon, it's a technology that let you overcommit
> cooperative guests.

Sure. But then its perfectly fine to let the guest reclaim by default,
because your statement 
"AFAIK management tools depend on balloon not deflating
 below host-specified threshold to avoid OOM on the host.
 So I don't think we can make this a default,
 management needs to enable this explicitly."

is not true ;-)

Christian

next prev parent reply	other threads:[~2015-06-15 10:00 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-06-09 10:19 [Qemu-devel] [PATCH v6 0/1] balloon: add a feature bit to let Guest OS deflate Denis V. Lunev
2015-06-09 10:19 ` [Qemu-devel] [PATCH 1/1] balloon: add a feature bit to let Guest OS deflate balloon on oom Denis V. Lunev
2015-06-09 10:37   ` Christian Borntraeger
2015-06-10 12:02     ` Denis V. Lunev
2015-06-10 13:13       ` Michael S. Tsirkin
2015-06-10 13:27         ` Denis V. Lunev
2015-06-12 11:56         ` Christian Borntraeger
2015-06-13 20:10           ` Michael S. Tsirkin
2015-06-15  7:01             ` Christian Borntraeger
2015-06-15  9:06               ` Michael S. Tsirkin
2015-06-15  9:59                 ` Christian Borntraeger [this message]
2015-06-15 10:10                   ` Michael S. Tsirkin
2015-06-15 11:10                     ` Christian Borntraeger
2015-06-09 10:37   ` Denis V. Lunev
  -- strict thread matches above, loose matches on Subject: below --
2015-06-15 10:52 [Qemu-devel] [PATCH v7 0/1] balloon: add a feature bit to let Guest OS deflate Denis V. Lunev
2015-06-15 10:52 ` [Qemu-devel] [PATCH 1/1] balloon: add a feature bit to let Guest OS deflate balloon on oom Denis V. Lunev
2015-06-23 13:36   ` Christian Borntraeger

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=557EA1E9.3070000@de.ibm.com \
    --to=borntraeger@de.ibm.com \
    --cc=James.Bottomley@HansenPartnership.com \
    --cc=aliguori@amazon.com \
    --cc=den@openvz.org \
    --cc=mst@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=rmaksudova@virtuozzo.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).