From: Paul Durrant <Paul.Durrant@citrix.com>
To: Jan Beulich <JBeulich@suse.com>,
George Dunlap <George.Dunlap@citrix.com>
Cc: Kevin Tian <kevin.tian@intel.com>, Wei Liu <wei.liu2@citrix.com>,
Ian Campbell <Ian.Campbell@citrix.com>,
Andrew Cooper <Andrew.Cooper3@citrix.com>,
Zhang Yu <yu.c.zhang@linux.intel.com>,
"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>,
Stefano Stabellini <Stefano.Stabellini@citrix.com>,
"zhiyuan.lv@intel.com" <zhiyuan.lv@intel.com>,
Ian Jackson <Ian.Jackson@citrix.com>,
"Keir (Xen.org)" <keir@xen.org>
Subject: Re: [PATCH v3 3/3] tools: introduce parameter max_wp_ram_ranges.
Date: Fri, 5 Feb 2016 09:24:26 +0000
Message-ID: <012513b81f7b4da9af251d942ebae66c@AMSPEX02CL03.citrite.net>
In-Reply-To: <56B46C3302000078000CEDF4@prv-mh.provo.novell.com>
> -----Original Message-----
> From: Jan Beulich [mailto:JBeulich@suse.com]
> Sent: 05 February 2016 08:33
> To: George Dunlap
> Cc: Andrew Cooper; Ian Campbell; Paul Durrant; Stefano Stabellini; Wei Liu;
> Ian Jackson; Kevin Tian; zhiyuan.lv@intel.com; Zhang Yu; xen-
> devel@lists.xen.org; Keir (Xen.org)
> Subject: Re: [Xen-devel] [PATCH v3 3/3] tools: introduce parameter
> max_wp_ram_ranges.
>
> >>> On 04.02.16 at 18:12, <george.dunlap@citrix.com> wrote:
> > Two angles on this.
> >
> > First, assuming that limiting the number of ranges is what we want: I'm
> > not really a fan of using HVM_PARAMs for this, but as long as it's not
> > considered a public interface (i.e., it could change or disappear and
> > everything would Just Work), then I wouldn't object.
>
> The parameter setting interface is generally guest-exposed; it's just
> that many parameters can't be set by guests for themselves. Of
> course the new #define could be put inside a Xen/tools conditional.
>
> > Although I would ask: would it instead be suitable for now to just set
> > the default limit for WP_RAM to 8192 in the hypervisor, since we do
> > expect it to be tracking gpfn ranges rather than IO regions? And if we
> > determine in the future that more ranges are necessary, to then do the
> > work of moving it to using p2m types (or exposing a knob to adjust it)?
>
> That's what collides with disaggregation (as pointed out before):
> Any tool stack component could then create wp-ram pages in
> guests it controls, no matter whether those guests actually have
> a need for such. I continue to think that if we indeed went this
> route, then the host admin should be required to explicitly state
> that the risks are acceptable (by allowing only certain guests to
> actually create [many] such pages).
>
> > But (and this is the other angle): is simply setting a numerical limit
> > sufficient to avoid memory exhaustion? Is there a danger that after
> > creating several guests, such that Xen was now running very low on
> > memory, a guest would (purposely or not) cause memory to be
> > exhausted sometime further after boot, causing a system-wide DoS (or
> > just general lack of stability)?
>
> The guest itself can't, but tool stack components other than fully
> privileged ones could, and that's still something we need to avoid.
>
> > In the shadow / hap memory case, the memory is pre-allocated up front,
> > which makes sure that nothing a guest does can cause Xen to run out of
> > memory once it's booted. Without pre-allocating it, it's still possible
> > that the admin might start up enough VMs that exhaustion is *possible*,
> > but won't be triggered until later (when the guest starts using more GTTs).
> >
> > Although in fact this really points to the need for an overhaul
> > of how memory allocation on behalf of a domain is handled in general;
> > that's a bigger chunk of work.
>
> Well, right now there's pretty little allocation happening at run time
> afaict, i.e. having a couple of pages available will generally keep
> things going smoothly. (Once upon a time there were - iirc - no
> active runtime allocations at all, i.e. such had occurred only in
> the context of things like domctls, where failure could be dealt
> with by ballooning a few pages out of some domain and retrying.
> I'm afraid that's not the case nowadays, and even if it were, it
> would collide with disaggregation, as a tool stack component
> legitimately issuing a domctl may not have the privileges to
> balloon any domain other than the one it controls, in particular
> not Dom0.)
>
> > But in any case, it seems to me that we can entirely avoid the question
> > of how many ranges might ever be necessary by starting with a fixed
> > limit in the hypervisor, and then moving to a p2m-type based
> > implementation if and when that becomes unsatisfactory.
>
> With all of the above I think we should rather explore the p2m-type
> based approach, in particular the suggestion Kevin has made to
> direct all p2m_mmio_write_dm (a name which appears to have been
> badly chosen, considering that we're talking about RAM pages
> here) write accesses to the default ioreq server (exploiting the
> fact that upstream qemu doesn't itself register as such).
>
Utilizing the default server would be a backwards step: GVT-g would have to use the old HVM_PARAM mechanism to cause its emulator to become the default. I think a more appropriate mechanism would be for p2m_mmio_write_dm to become something like 'p2m_ioreq_server_write', with a hypercall to allow that type to be mapped to a particular ioreq server.
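For illustration only, a minimal sketch of what such a mapping hypercall might look like - the op name, structure layout and flag values below are all hypothetical, not an agreed interface:

  #include <stdint.h>

  typedef uint16_t domid_t;    /* as in Xen's public headers */
  typedef uint16_t ioservid_t; /* as in Xen's public headers */

  /* Hypothetical op: claim a p2m type for an ioreq server. */
  #define HVMOP_map_mem_type_to_ioreq_server 26

  /* Hypothetical flags: which accesses get forwarded. */
  #define IOREQ_MEM_ACCESS_READ  (1u << 0)
  #define IOREQ_MEM_ACCESS_WRITE (1u << 1)

  struct xen_hvm_map_mem_type_to_ioreq_server {
      domid_t    domid; /* IN - domain to be serviced */
      uint16_t   type;  /* IN - p2m type, e.g. p2m_ioreq_server_write */
      uint32_t   flags; /* IN - e.g. IOREQ_MEM_ACCESS_WRITE */
      ioservid_t id;    /* IN - server claiming the type; the call
                           would fail if another server had already
                           claimed it */
  };

An emulator would claim the type once at start of day and the hypervisor would steer matching accesses to it from then on, with no need for the emulator to become the default server.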
Obviously only one ioreq server could claim the type at a time but, with a p2t, the bit could be re-purposed simply to mean 'go look in the p2t for more information', and the p2t could then be structured to allow emulations to be steered to one of many ioreq servers (for read and/or write emulation).
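Again purely a sketch, assuming a per-domain p2t indexed by gfn - the entry layout and lookup below are hypothetical:

  #include <stdbool.h>
  #include <stdint.h>

  typedef uint16_t ioservid_t; /* as in Xen's public headers */

  /* Hypothetical p2t entry: once the p2m type bit just means
   * 'consult the p2t', the p2t itself can say which server
   * handles which kind of access to the page. */
  struct p2t_entry {
      ioservid_t read_server;  /* server for read emulation  */
      ioservid_t write_server; /* server for write emulation */
  };

  /* Hypothetical lookup on an emulated access to gfn. */
  static ioservid_t p2t_lookup(const struct p2t_entry *p2t,
                               unsigned long gfn, bool is_write)
  {
      const struct p2t_entry *e = &p2t[gfn];

      return is_write ? e->write_server : e->read_server;
  }

The obvious cost is per-page space for the p2t, but it would lift the one-server-per-type restriction.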
Paul
> Jan