On Tue, Mar 14, 2017 at 15:54:25 -0400, Luiz Capitulino wrote:
On Tue, 14 Mar 2017 20:28:12 +0100
Andrea Bolognani <abologna(a)redhat.com> wrote:
> On Tue, 2017-03-14 at 14:54 -0400, Luiz Capitulino wrote:
> > > It's unfortunate that the current, buggy behavior made
> > > it look like you didn't necessarily have to worry about
> > > this. If we fix it, existing guests will fail to start
> > > right away instead of possibly crashing in the future:
> > > while that's going to be very annoying in the short run,
> >
> > It breaks existing guests, so it's beyond annoying.
Because they were relying on a bug in our code rather than following the
documentation.
> Existing guests are already broken, it's just that the
> breakage has not hit them yet ;)
We should prevent that from happening.
The only way we could achieve this is to set the memory locking limit to
"unlimited" by default, computing the limit is impossible unless the
result will be bigger than host's memory which is effectively equivalent
to "unlimited".
> > > Luiz mentioned the fact that you can't set the
memory
> > > locking limit to "unlimited" with the current
<hard_limit>
> > > element: that's something we can, and should, address.
> > > With that implemented, the administrator will have full
> > > control on the memory limit and will be able to implement
> > > the policy that best suits the use case at hand.
> >
> > Asking <locked/> users to set <hard_limit> to
"unlimited"
> > is a much worse solution than automatically setting the
> > memory lock limit to infinity in libvirt, for the reasons
> > I outlined in my first email.
Memory locking limit and memory hard limit are separate things even
though they can be set by a single value in domain XML. Hard limit is by
default unlimited and a domain will just be killed if it consumes too
much memory. However setting memory locking limit to unlimited may cause
an OOM condition inside the host kernel, which is why it is not and
shouldn't be the default value. However, ...
> Removing all memory locking limits should be something that
> admins very carefully opt-in into, because of the potential
> host DoS consequences. Certainly not the default.
There's no opt-in with <locked/>, it is mandatory to increase
the mlock limit. Asking users to do this themselves is only
adding an extra step that's causing breakage right now.
... we could consider <locked/> to be the explicit request for
setting an infinite memory locking limit and letting users set a lower
limit with hard_limit if they want.
There are several other cases in which memory is locked implicitly and
we should definitely not set the unlimited default for them.
Jirka