Hi...
Xen enforces maxmem allocation so that no guest is allowed to
use more memory than maxmem, whether it uses a balloon driver
or not. If memory is overcommitted, allocation of pages (via
a balloon driver or hotplug or any other mechanism) is
first-come-first-served but no domU can allocate more than
its predefined maxmem. If a domU balloon driver requests more
memory from Xen and Xen has no more physical memory to allocate,
Xen fails the request.
Think of a balloon driver like any other hardware driver but it
happens to have a very large and highly variable appetite for
memory.
If a guest needs more memory and can't get it, it isn't any
different than if a bare-metal OS runs into its physical
memory limit: Swapping occurs. Or if there is no swap
disk (or virtual swap disk if it is a guest), userland memory
allocation fails or the kernel invokes the "OOM killer" or,
in worst case, a bare-metal OS (or the guest) crashes.
So, in other words, NO, a maliciously ballooning guest cannot
cause other guests to crash, unless those other guests balloon
their memory down to such a low level that they cannot continue
to run.
There seems to be a lot of interest in memory overcommit lately.
For a good overview, see http://oss.oracle.com/projects/tmem
Thanks,
Dan
> -----Original Message-----
> From: Stephen Spector [mailto:stephen.spector@xxxxxxxxxx]
> Sent: Friday, August 13, 2010 8:25 AM
> To: Moritz Duge; xen-users@xxxxxxxxxxxxxxxxxxx; Dan Magenheimer
> Subject: RE: [Xen-users] Very technical question about ballooning
>
> Adding Dan Magenheimer for his thoughts..
>
> -----Original Message-----
> From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx [mailto:xen-users-
> bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Moritz Duge
> Sent: Thursday, August 12, 2010 10:38 AM
> To: xen-users@xxxxxxxxxxxxxxxxxxx
> Subject: [Xen-users] Very technical question about ballooning
>
> Hi there!
> I'm having a quite difficult question about the ballooning feature of
> Xen.
>
> The scenario is like this: I'm having a dom0 and some domUs. But I
> don't
> trust the operating-system inside one of the domUs. Please don't ask me
> why I just don't trust this operating-system! I can give you 1001
> reasons for it. This domU operating-system could be managed by an evil
> administrator or it could just be unsecure, so someone can break into
> it
> and gain root access.
>
> Nevertheless, I would like to use ballooning for all of the domUs, also
> the untrusted one. Mainly because the memory requirements of the domUs
> change sometimes, but I don't want to reboot them.
> That's why I want to use ballooning. And the added maxmem-values (not
> the memory values) will be more then the physical memory I have.
>
>
> So the question is: Does Xen ensure, that the untrusted guest doesn't
> cheats the ballooning model?
> What will happen, if memory is set to 512 mb for example and maxmem is
> 768 mb. And then, the guest just unloads the ballooning stuff from it's
> operating-system kernel.
>
> - Will the guest be able to "see" (by using the linux-command free in
> the guest for example) it's maxmem (768 mb)?
>
> - And what will happend, if the guest tries to use it's full maxmem
> (768
> mb), not just the 512 mb? Will the guest crash???
>
> - What happends if the guest can use maxmem and the whole system (dom0
> and the real hardware computer) runs out of memory? Will the whole real
> computer crash? Or just the malicious domU? Or all the domUs, but not
> the dom0???
>
>
> Think of that: In the scenario I'm talking about, the bad domU is not
> really under my control. For shure, I wouldn't use more memory then I
> have. But in this case it's not my decision. It's the decision of
> somebody evil who gained the control over the domU (as I said, don't
> ask
> me why - there are enough exploids and undiscovered security holes out
> there).
>
>
> At last:
>
> - Are there differences concerning this, when using the paravirtualized
> mode (linux) and using the hvm mode with paravirtualized hvm drivers???
>
> - Are there differences between the versions of the or the available
> xen-linux-kernels?
>
> - It's not so hard to have a Xen Kernel without ballooning. For example
> look at Fedora 9. It brings a Xen-PV Kernel without ballooning!
>
>
> At very last: Is there any detailed documentation for this?
>
>
> Thanks!
> Moritz Duge
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
|