On Mon, 27 Mar 2017 12:33:48 +0200
Andrea Bolognani <abologna(a)redhat.com> wrote:
On Fri, 2017-03-24 at 13:58 -0400, Luiz Capitulino wrote:
[...]
> > + be allowed to swap them out, which might be required for some
> > + workloads such as RT. For QEMU/KVM guests, the memory used by the QEMU
>
> Minor, but I'd do s/RT/real-time. As this doc is for the general population,
> RT may not be a know term for everyone.
Sure.
> > + process itself will be locked too: unlike guest memory, this is an
> > + amount libvirt has no way of figuring out in advance, so it has to
> > + remove the limit on locked memory altogether. This can be very
> > + dangerous as the host might run out of memory and be unable to
reclaim
> > + it from the guest,
>
> I'd rewrite this to:
>
> """
> This option has a drawback and a possible security risk for the host. If
> the host is running out of memory, it will be unable to reclaim the
> memory locked by this guest which could cause the host to run out of
> memory. In particular, a malicious guest could be able to lock as much
> memory it wants, causing a DDoS attack in the host. For setups where
> this may have a significant impact, it is highly recommended to use
> <hard_limit> to prevent this attack.
> """
Another stab at it (which plugs into my original version):
[...] remove the limit on locked memory altogether. Thus,
enabling this option opens up to a potential security risk:
the host will be unable to reclaim the locked memory back
from the guest when it's running out of memory, which means
a malicious guest allocating large amounts of locked memory
could cause a denial-of-service attach on the host. Because
of this, using the option is discouraged unless your [...]
Does it look reasonable?
That looks fine, although I'd drop "discouraged" because that's
not helpful to those who must use the feature. I think it's better
to objectively explain what the problems are and how to prevent or
mitigate them. That's what I tried to do in my paragraph.