Re: [PATCH V1 17/26] machine: memfd-alloc option

[Peter Xu <peterx@redhat.com>]

On Fri, May 31, 2024 at 03:32:05PM -0400, Steven Sistare wrote:
> On 5/30/2024 2:14 PM, Peter Xu wrote:
> > On Thu, May 30, 2024 at 01:11:09PM -0400, Steven Sistare wrote:
> > > On 5/29/2024 3:14 PM, Peter Xu wrote:
> > > > On Wed, May 29, 2024 at 01:31:38PM -0400, Steven Sistare wrote:
> > > > > > > diff --git a/system/memory.c b/system/memory.c
> > > > > > > index 49f1cb2..ca04a0e 100644
> > > > > > > --- a/system/memory.c
> > > > > > > +++ b/system/memory.c
> > > > > > > @@ -1552,8 +1552,9 @@ bool memory_region_init_ram_nomigrate(MemoryRegion *mr,
> > > > > > >                                           uint64_t size,
> > > > > > >                                           Error **errp)
> > > > > > >     {
> > > > > > > +    uint32_t flags = current_machine->memfd_alloc ? RAM_SHARED : 0;
> > > > > > 
> > > > > > If there's a machine option to "use memfd for allocations", then it's
> > > > > > shared mem... Hmm..
> > > > > > 
> > > > > > It is a bit confusing to me in quite a few levels:
> > > > > > 
> > > > > >      - Why memory allocation method will be defined by a machine property,
> > > > > >        even if we have memory-backend-* which should cover everything?
> > > > > 
> > > > > Some memory regions are implicitly created, and have no explicit representation
> > > > > on the qemu command line.  memfd-alloc affects those.
> > > > > 
> > > > > More generally, memfd-alloc affects all ramblock allocations that are
> > > > > not explicitly represented by memory-backend object.  Thus the simple
> > > > > command line "qemu -m 1G" does not explicitly describe an object, so it
> > > > > goes through the anonymous allocation path, and is affected by memfd-alloc.
> > > > 
> > > > Can we simply now allow "qemu -m 1G" to work for cpr-exec?
> > > 
> > > I assume you meant "simply not allow".
> > > 
> > > Yes, I could do that, but I would need to explicitly add code to exclude this
> > > case, and add a blocker.  Right now it "just works" for all paths that lead to
> > > ram_block_alloc_host, without any special logic at the memory-backend level.
> > > And, I'm not convinced that simplifies the docs, as now I would need to tell
> > > the user that "-m 1G" and similar constructions do not work with cpr.
> > > 
> > > I can try to clarify the doc for -memfd-alloc as currently defined.
> > 
> > Why do we need to keep cpr working for existing qemu cmdlines?  We'll
> > already need to add more new cmdline options already anyway, right?
> > 
> > cpr-reboot wasn't doing it, and that made sense to me, so that new features
> > will require the user to opt-in for it, starting with changing its
> > cmdlines.
> 
> I agree.  We need a new option to opt-in to cpr-friendly memory allocation, and I
> am proposing -machine memfd-alloc. I am simply saying that I can try to do a better
> job explaining the functionality in my proposed text for memfd-alloc, instead of
> changing the functionality to exclude "-m 1G".  I believe excluding "-m 1G" is the
> wrong approach, for the reasons I stated - messier implementation *and* documentation.
> 
> I am open to different syntax for opting in.

If the machine property is the only way to go then I agree that might be a
good idea, even though the name can be further discussed.  But I still want
to figure out something below.

> 
> > > > AFAIU that's
> > > > what we do with cpr-reboot: we ask the user to specify the right things to
> > > > make other thing work.  Otherwise it won't.
> > > > 
> > > > > 
> > > > > Internally, create_default_memdev does create a memory-backend object.
> > > > > That is what my doc comment above refers to:
> > > > >     Any associated memory-backend objects are created with share=on
> > > > > 
> > > > > An explicit "qemu -object memory-backend-*" is not affected by memfd-alloc.
> > > > > 
> > > > > The qapi comments in patch "migration: cpr-exec mode" attempt to say all that:
> > > > > 
> > > > > +#     Memory backend objects must have the share=on attribute, and
> > > > > +#     must be mmap'able in the new QEMU process.  For example,
> > > > > +#     memory-backend-file is acceptable, but memory-backend-ram is
> > > > > +#     not.
> > > > > +#
> > > > > +#     The VM must be started with the '-machine memfd-alloc=on'
> > > > > +#     option.  This causes implicit ram blocks -- those not explicitly
> > > > > +#     described by a memory-backend object -- to be allocated by
> > > > > +#     mmap'ing a memfd.  Examples include VGA, ROM, and even guest
> > > > > +#     RAM when it is specified without a memory-backend object.
> > > > 
> > > > VGA is IIRC 16MB chunk, ROM is even smaller.  If the user specifies -object
> > > > memory-backend-file,share=on propertly, these should be the only outliers?
> > > > 
> > > > Are these important enough for the downtime?  Can we put them into the
> > > > migrated image alongside with the rest device states?
> > > 
> > > It's not about downtime.  vfio, vdpa, and iommufd pin all guest pages.
> > > The pages must remain pinned during CPR to support ongoing DMA activity
> > > which could target those pages (which we do not quiesce), and the same
> > > physical pages must be used for the ramblocks in the new qemu process.
> > 
> > Ah ok, yes DMA can happen on the fly.
> > 
> > Guest mem is definitely the major DMA target and that can be covered by
> > -object memory-backend-*,shared=on cmdlines.
> > 
> > ROM is definitely not a DMA target.  So is VGA ram a target for, perhaps,
> > an assigned vGPU device?  Do we have a list of things that will need that?
> > Can we make them work somehow by sharing them like guest mem?
> 
> The pass-through devices map and pin all memory accessible to the guest.
> We cannot make exceptions based on our intuition of how the memory will
> and will not be used.

True, but if you see my whole point is trying to see whether we can get rid
of the machine property completely, and it's also because we're just so
close to getting rid of it.. which I feel.

QEMU memory layout can be complicated across all the platforms, but I doubt
whether that's true for CPR's purpose and archs that it plans to support.
A generic VM's memory topology shouldn't be that complicated at all,
e.g. on x86:

              Block Name    PSize              Offset               Used              Total                HVA  RO
                  pc.ram    4 KiB  0x0000000000000000 0x0000000008000000 0x0000000008000000 0x00007f684fe00000  rw
   0000:00:02.0/vga.vram    4 KiB  0x0000000008080000 0x0000000001000000 0x0000000001000000 0x00007f684e800000  rw
    /rom@etc/acpi/tables    4 KiB  0x0000000009100000 0x0000000000020000 0x0000000000200000 0x00007f684dc00000  ro
                 pc.bios    4 KiB  0x0000000008000000 0x0000000000040000 0x0000000000040000 0x00007f68dc200000  ro
  0000:00:03.0/e1000.rom    4 KiB  0x00000000090c0000 0x0000000000040000 0x0000000000040000 0x00007f684e000000  ro
                  pc.rom    4 KiB  0x0000000008040000 0x0000000000020000 0x0000000000020000 0x00007f684fa00000  ro
    0000:00:02.0/vga.rom    4 KiB  0x0000000009080000 0x0000000000010000 0x0000000000010000 0x00007f684e400000  ro
   /rom@etc/table-loader    4 KiB  0x0000000009300000 0x0000000000001000 0x0000000000010000 0x00007f684d800000  ro
      /rom@etc/acpi/rsdp    4 KiB  0x0000000009340000 0x0000000000001000 0x0000000000001000 0x00007f684d400000  ro

It's simply the major ram, ROMs, and VGA.

I hoped it can work without it, I'll mention one more reason below.

So if we're going to have this machine property, can I still request a
possible list of things that can be the target of this property besides
guest mem?  I just want to know where it can be used "for real".  I know it
might be complicated, but maybe not.  I really can only think of VGA, and I
doubt whether that should be DMAed at all.

> 
> Also, we cannot simply abandon the old pinned ramblocks, owned by an mm_struct
> that will become a zombie.  We would actually need to write additional code
> to call device ioctls to unmap the oddball ramblocks.  It is far cleaner
> and more correct to preserve them all.
> 
> > It'll be a complete tragedy if we introduced this whole thing only because
> > of some minority.  I want to understand whether there's any generic way to
> > solve this problem rather than this magical machine property.  IMHO it's
> > very not trivial to maintain.
> 
> The machine property is the generic way.
> 
> A single opt-in option to call memfd_create() is an elegant and effective solution.
> The code is small and not hard to maintain.  This is the option patch.  Most of it
> is the boiler plate that any option has, and the single code location that formerly
> called qemu_anon_ram_alloc now optionally calls qemu_memfd_create:
> 
>   machine: memfd-alloc option             25 insertions(+), 28 deletions(-)
> 
> These patches are simply stylistic and modularity improvements for ramblock,
> valuable in their own right, which allows the previous patch to be small and clean.
> 
>   physmem: ram_block_create               29 insertions(+), 21 deletions(-)
>   physmem: hoist guest_memfd creation     48 insertions(+), 37 deletions(-)
>   physmem: hoist host memory allocation   36 insertions(+), 44 deletions(-)
>   physmem: set ram block idstr earlier    25 insertions(+), 28 deletions(-)

Let me explain the other reason why I don't want to have that machine
property..

That property, irrelevant of what it is called (and I doubt whether Dan's
suggestion on "shared-ram" is good, e.g. mmap(MAP_SHARED) doesn't have user
visible fd but it's shared-ram for sure..), is yet another way to specify
guest mem types.

What if the user specified this property but specified something else in
the -object parameters?  E.g. -machine share-ram=on -object
memory-backend-ram,share=off.  What should we do?

Fundamentally that's also why I "hope" we can avoid adding yet one more
place configure guest mem, and stick with -objects.

> 
> > > > > >      - Even if we have such a machine property, why setting "memfd" will
> > > > > >        always imply shared?  why not private?  After all it's not called
> > > > > >        "memfd-shared-alloc", and we can create private mappings using
> > > > > >        e.g. memory-backend-memfd,share=off.
> > > > > 
> > > > > There is no use case for memfd-alloc with share=off, so no point IMO in
> > > > > making the option more verbose.
> > > > 
> > > > Unfortunately this fact doesn't make the property easier to understand. :-( >
> > > > > For cpr, the mapping with all its modifications must be visible to new
> > > > > qemu when qemu mmaps it.
> > > > 
> > > > So this might be the important part - do you mean migrating
> > > > VGA/ROM/... small ramblocks won't work (besides any performance concerns)?
> > > > Could you elaborate?
> > > 
> > > Pinning.
> > > 
> > > > Cpr-reboot already introduced lots of tricky knobs to QEMU.  We may need to
> > > > restrict that specialty to minimal, making the interfacing as clear as
> > > > possible, or (at least migration) maintainers will start to be soon scared
> > > > and running away, if such proposal was not shot down.
> > > > 
> > > > In short, I hope when we introduce new knobs for cpr, we shouldn't always
> > > > keep cpr-* modes in mind, but consider whenever the user can use it without
> > > > cpr-*.  I'm not sure whether it'll be always possible, but we should try.
> > > 
> > > I agree in principle.  FWIW, I have tried to generalize the functionality needed
> > > by cpr so it can be used in other ways: per-mode blockers, per-mode notifiers,
> > > precreate vmstate, factory objects; to base it on migration internals with
> > > minimal change (vmstate); and to make minimal changes in the migration control
> > > paths.
> > 
> > Thanks.
> > 
> > For this one I think reusing -object interface (hopefully without
> > introducing a knob) would be a great step if that can fully describe what
> > cpr-exec is looking for.  E.g., when cpr-exec mode enabled it can sanity
> > check the memory backends making sure all things satisfy its need, and fail
> > migration otherwise upfront.
> 
> For '-object memory-backend-*', I can tell whether cpr is allowed or not
> without additional knobs.  See the blocker patches for examples where cpr
> is blocked.
> 
> The problem is the implicit ramblocks that currently call qemu_ram_alloc_internal.

I hope it won't ever happen that we introduced this property because "we
don't know", then when we know we found no real RAM regions are using it if
properly specify -object.  So I hope at least we know what we're doing, and
for explicitly what reason..

Let me know if you think I'm asking too much (which is possible.. :).  But I
hope in case that might be interesting to you too to know the real answer.

Thanks,

-- 
Peter Xu