WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
xen-users

RE: [Xen-users] Very technical question about ballooning

Hi...

Xen enforces maxmem allocation so that no guest is allowed to
use more memory than maxmem, whether it uses a balloon driver
or not.  If memory is overcommitted, allocation of pages (via
a balloon driver or hotplug or any other mechanism) is
first-come-first-served but no domU can allocate more than
its predefined maxmem.  If a domU balloon driver requests more
memory from Xen and Xen has no more physical memory to allocate,
Xen fails the request.  

Think of a balloon driver like any other hardware driver but it
happens to have a very large and highly variable appetite for
memory.

If a guest needs more memory and can't get it, it isn't any
different than if a bare-metal OS runs into its physical
memory limit:  Swapping occurs.  Or if there is no swap
disk (or virtual swap disk if it is a guest), userland memory
allocation fails or the kernel invokes the "OOM killer" or,
in worst case, a bare-metal OS (or the guest) crashes.

So, in other words, NO, a maliciously ballooning guest cannot
cause other guests to crash, unless those other guests balloon
their memory down to such a low level that they cannot continue
to run.

There seems to be a lot of interest in memory overcommit lately.
For a good overview, see http://oss.oracle.com/projects/tmem 

Thanks,
Dan


> -----Original Message-----
> From: Stephen Spector [mailto:stephen.spector@xxxxxxxxxx]
> Sent: Friday, August 13, 2010 8:25 AM
> To: Moritz Duge; xen-users@xxxxxxxxxxxxxxxxxxx; Dan Magenheimer
> Subject: RE: [Xen-users] Very technical question about ballooning
> 
> Adding Dan Magenheimer for his thoughts..
> 
> -----Original Message-----
> From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Moritz Duge
> Sent: Thursday, August 12, 2010 10:38 AM
> To: xen-users@xxxxxxxxxxxxxxxxxxx
> Subject: [Xen-users] Very technical question about ballooning
> 
> Hi there!
> I'm having a quite difficult question about the ballooning feature of
> Xen.
> 
> The scenario is like this: I'm having a dom0 and some domUs. But I don't
> trust the operating-system inside one of the domUs. Please don't ask me
> why I just don't trust this operating-system! I can give you 1001
> reasons for it. This domU operating-system could be managed by an evil
> administrator or it could just be insecure, so someone can break into it
> and gain root access.
> 
> Nevertheless, I would like to use ballooning for all of the domUs, also
> the untrusted one. Mainly because the memory requirements of the domUs
> change sometimes, but I don't want to reboot them.
> That's why I want to use ballooning. And the added maxmem-values (not
> the memory values) will be more than the physical memory I have.
> 
> 
> So the question is: Does Xen ensure that the untrusted guest doesn't
> cheat the ballooning model?
> What will happen, if memory is set to 512 mb for example and maxmem is
> 768 mb. And then, the guest just unloads the ballooning stuff from its
> operating-system kernel.
> 
> - Will the guest be able to "see" (by using the linux-command free in
> the guest for example) its maxmem (768 mb)?
> 
> - And what will happen, if the guest tries to use its full maxmem
> (768 mb), not just the 512 mb? Will the guest crash???
> 
> - What happens if the guest can use maxmem and the whole system (dom0
> and the real hardware computer) runs out of memory? Will the whole real
> computer crash? Or just the malicious domU? Or all the domUs, but not
> the dom0???
> 
> 
> Think of that: In the scenario I'm talking about, the bad domU is not
> really under my control. For sure, I wouldn't use more memory than I
> have. But in this case it's not my decision. It's the decision of
> somebody evil who gained the control over the domU (as I said, don't
> ask me why - there are enough exploits and undiscovered security holes
> out there).
> 
> 
> At last:
> 
> - Are there differences concerning this, when using the paravirtualized
> mode (linux) and using the hvm mode with paravirtualized hvm drivers???
> 
> - Are there differences between the versions of the or the available
> xen-linux-kernels?
> 
> - It's not so hard to have a Xen Kernel without ballooning. For example
> look at Fedora 9. It brings a Xen-PV Kernel without ballooning!
> 
> 
> At very last: Is there any detailed documentation for this?
> 
> 
> Thanks!
> Moritz Duge
> 
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
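
The rules stated in the reply above (a hard per-domain maxmem cap, first-come-first-served allocation under overcommit, and failed requests once physical memory runs out) can be traced with a small accounting model. This is an added example, not part of the original thread and not Xen code; the class and method names and the 2048 MB host layout are constructed, and only the 512/768 MB figures come from the question.

```python
# Simplified accounting model of the behaviour described in the reply.
# Not Xen code: Domain, Host, populate and release are hypothetical names.
class Domain:
    def __init__(self, name, memory_mb, maxmem_mb):
        self.name, self.cur, self.maxmem = name, memory_mb, maxmem_mb

class Host:
    def __init__(self, physical_mb, domains):
        self.physical = physical_mb
        self.domains = {d.name: d for d in domains}
        self.free = physical_mb - sum(d.cur for d in domains)
        if self.free < 0:
            raise ValueError("initial allocations exceed physical memory")

    def overcommit_mb(self):
        """Amount by which the summed maxmem values exceed physical memory."""
        total = sum(d.maxmem for d in self.domains.values())
        return max(0, total - self.physical)

    def populate(self, name, mb):
        """A guest asks for mb more memory (all-or-nothing in this model)."""
        d = self.domains[name]
        if d.cur + mb > d.maxmem:
            return False   # above its own maxmem: refused even if memory is free
        if mb > self.free:
            return False   # host exhausted: request fails, other guests untouched
        d.cur += mb
        self.free -= mb
        return True

    def release(self, name, mb):
        """A guest balloons down, returning memory to the free pool."""
        d = self.domains[name]
        mb = min(mb, d.cur)
        d.cur -= mb
        self.free += mb

def scenario():
    # Constructed host: 2048 MB physical; the untrusted guest uses 512/768.
    host = Host(2048, [Domain("dom0", 512, 512),
                       Domain("untrusted", 512, 768),
                       Domain("web", 768, 1024)])
    log = {"overcommit": host.overcommit_mb()}            # 2304 - 2048
    log["grab_to_cap"] = host.populate("untrusted", 256)  # takes the last free MB
    log["past_cap"] = host.populate("untrusted", 1)       # maxmem stops it
    log["web_grow"] = host.populate("web", 128)           # host is empty
    log["web_still_has"] = host.domains["web"].cur        # nothing taken away
    host.release("untrusted", 128)
    log["web_retry"] = host.populate("web", 128)          # first come, first served
    return log
```

In the model, the guest that grabs memory first can starve later requests from other guests, but it never exceeds its own cap and never reduces what another guest already holds.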
