|
xen-devel
RE: [Xen-devel] yanked share, round 2
How about combining both ideas: In order to map N pages from Xen's
share pool, a DomU must provide N pages back to the pool. When a DomU
unmaps (or crashes), it gets N pages back.
We get these features:
1) A domU can never cause the Xen share pool to shrink.
2) The number of pages mappable by a DomU is bounded only by the DomU
itself.
3) No page ownership problems.
4) We can have a nice share key ala SysV IPC semantics.
5) When no shares exist, the memory pool consumes no pages.
6) We leave Xen's heap alone.
The first benefit is critical since DomU's are untrusted. A downside is
that a platform with many DomU mappings will have many idle pages
sitting in the pool. Given all the benefits above, a very reasonable
price to pay.
-steve
-----Original Message-----
From: Anthony Liguori [mailto:aliguori@xxxxxxxxxx]
Sent: Friday, January 13, 2006 1:32 PM
To: King, Steven R
Cc: Rusty Russell; xen-devel
Subject: Re: [Xen-devel] yanked share, round 2
King, Steven R wrote:
>I would like hear your ideas for who manages the pool and how the pool
>avoids becoming depleted.
>
>
I won't take credit for this as it is Rusty's idea actually :-)
Depletion can be handled by setting a maximum amount of shared memory
per-domain (2MB for instance). Then as long as there is enough free
memory to satisfy the per-domain sharing requirement, you're fine.
The memory can be allocated straight from the xen heap and referenced
counted such that it is returned back to the heap when the last user
stops sharing it. The 2MB limit would be somewhat virtual since the
same page would be factored into every domain's actual limit who had a
reference to the page.
This is my understand at least, perhaps Rusty can clarify with what he
was thinking.
>In addition to avoiding the ownership problem, I see another nice
>advantage:
>The third party (Xen? a DomP?) can hand up to the DomU's a nice tidy
>key value representing the shared pages, which is very similar to the
>way SysV IPC memory sharing works.
>
>
Precisely :-)
Regards,
Anthony Liguori
>-steve
>
>-----Original Message-----
>From: Anthony Liguori [mailto:aliguori@xxxxxxxxxx]
>Sent: Friday, January 13, 2006 11:35 AM
>To: King, Steven R
>Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
>Subject: Re: [Xen-devel] yanked share, round 2
>
>You avoid zombies and either side can break the sharing without causing
>harm to the other side. Domains restarting are transparent to either
>end (the restarting domain just reattachs and keeps going). It avoids
>the general ownership problem altogether.
>
>Regards,
>
>Anthony Liguori
>
>King, Steven R wrote:
>
>
>
>>Hi Anthony -- Can you explain why this is ideal? I prefer that
>>sharers
>>
>>
>
>
>
>>and mappers have their own skin the game--that way, Xen doesn't have
>>to
>>
>>
>
>
>
>>manage a pool and nobody has to worry about the pool being depleted.
>>
>>-----Original Message-----
>>From: Anthony Liguori [mailto:aliguori@xxxxxxxxxx]
>>Sent: Friday, January 13, 2006 11:23 AM
>>To: King, Steven R
>>Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
>>Subject: Re: [Xen-devel] yanked share, round 2
>>
>>An ideal solution to this problem would be to keep a separate pool of
>>shared memory that neither domain owned. That removes any concerns
>>about ownership.
>>
>>Regards,
>>
>>Anthony Liguori
>>
>>King, Steven R wrote:
>>
>>
>>
>>
>>
>>>Hi folks,
>>>A previous thread discussed complications around DomU's sharing
>>>memory
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>>pages with each other:
>>>http://lists.xensource.com/archives/html/xen-devel/2005-12/msg00499.h
>>>t
>>>ml
>>>
>>>To summarize, DomU's get into trouble, e.g. unable to shutdown,
>>>unless
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>>the remote DomU's play nice. Since DomU's do not trust each other,
>>>that is problematic. I'd like to discuss how to clean away this
>>>dependency.
>>>
>>>Here's one idea. The goal is to robustly decouple the sharing and
>>>remote domains.
>>>
>>>Grant tables add a new GTF_safe flag, settable by the sharing DomU.
>>>In order to map a GTF_safe page, a remote domain must provide a page
>>>of its own, which I'll call an "under page".
>>>Xen holds the under-page on behalf of the remote DomU and maps the
>>>shared page into the remote DomU's machine.
>>>At any time, the sharing DomU can unshare the page, crash, etc, which
>>>ends ALL foreign access to that page, not just new mappings.
>>>For each remote domain that still maps the unshared page, Xen maps
>>>the
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>>remote's under-page in place of the unshared page.
>>>The remote domain can unmap at any time and recover its under-page.
>>>
>>>The purpose of the under-page is to plug the memory hole in the
>>>remote
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>>DomU created by a surprise unsharing. A nervous remote DomU could
>>>check that a share is GTF_safe before proceeding to map the page.
>>>
>>>Good, bad or ugly?
>>>-steve
>>>
>>>
>>>
>>>
>>>---------------------------------------------------------------------
>>>-
>>>-
>>>-
>>>
>>>_______________________________________________
>>>Xen-devel mailing list
>>>Xen-devel@xxxxxxxxxxxxxxxxxxx
>>>http://lists.xensource.com/xen-devel
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
|
| <Prev in Thread] |
Current Thread |
[Next in Thread>
|
- Re: [Xen-devel] yanked share, round 2, (continued)
- Re: [Xen-devel] yanked share, round 2, Anthony Liguori
- RE: [Xen-devel] yanked share, round 2, King, Steven R
- RE: [Xen-devel] yanked share, round 2, King, Steven R
- RE: [Xen-devel] yanked share, round 2, King, Steven R
- RE: [Xen-devel] yanked share, round 2, King, Steven R
- RE: [Xen-devel] yanked share, round 2,
King, Steven R <=
|
|
|
Home