Hey, For anyone interested, there is more background here: https://fedoraproject.org/wiki/Features/KVM_Huge_Page_Backed_Memory On Wed, 2009-07-22 at 21:25 -0400, john cooper wrote:

This patch allows passing of a "-mem-path <arg>" flag to qemu for support of huge page backed guests. A guest may request this option via specifying:

<hugepage>on</hugepage>

Other options include: - <hugepages/> - <memory hugepages="yes">XXXXX</memory>

in its domain definition xml file. The request for huge page backing will be attempted within libvirt if the host system has indicated a hugetlbfs mount point in qemu.conf, for example:

hugepage_mount = "/hugetlbfs"

I'd suggest /dev/hugepages as the default - /hugetlbfs has an seriously unstandard whiff about it Apart from that, the patch looks good to me - it needs to be re-based onto latest master, but the conflict is no big deal. Cheers, Mark.

* Mark McLoughlin (markmc@redhat.com) wrote:

I'd suggest /dev/hugepages as the default - /hugetlbfs has an seriously unstandard whiff about it

What about /var/lib/libvirt/qemu/hugetlb and having the whole thing under libvirt's control? It can allow for better security I think. thanks, -chris

* Daniel P. Berrange (berrange@redhat.com) wrote:

On Thu, Jul 23, 2009 at 11:35:17AM -0700, Chris Wright wrote:

...

* Mark McLoughlin (markmc@redhat.com) wrote:

...

I'd suggest /dev/hugepages as the default - /hugetlbfs has an seriously unstandard whiff about it

What about /var/lib/libvirt/qemu/hugetlb and having the whole thing under libvirt's control? It can allow for better security I think.

Does hugetlbfs support extended attributes ? If so, the sVirt will automatically ensure isolation of each VM's backing file. If it doesn't supported extended attrs, then using hugetlbs at all would seem to blow a huge hole in our security model ...

You should be able to specify a per mount point security context. There is no xattr support for hugetlbfs. thanks, -chris

Daniel P. Berrange wrote:

On Wed, Jul 22, 2009 at 09:25:02PM -0400, john cooper wrote:

...

This patch allows passing of a "-mem-path <arg>" flag to qemu for support of huge page backed guests. A guest may request this option via specifying:

<hugepage>on</hugepage>

in its domain definition xml file.

This really opens a can of worms. While obviously this maps very simply onto KVM's -mem-path argument, I can't help thinking things are going to get much more advanced later. For example, I don't think a boolean on/off is sufficient for this, since Xen already has a 3rd option of 'best effort' it uses by default where it'll try to allocate hugepages and fallback to normal pages - in fact you can't tell Xen not to use hugepages AFAIK.

I agree growing beyond a simple on/off switch is likely. The patch originally had a "prealloc" option (since removed) to accommodate passing of the existing "-mem-prealloc" flag. That option defaults to enabled, which is desired in general and therefore was dropped for the sake of patch simplicity.

I'm also wondering whether we need to be concerned about different hugepage sizes for guest configs eg 2M vs 1 GB, vs a mix of both - who decides?

Not a consideration currently, but it does underscore the argument for a more extensible option syntax.

KVM also seems to have ability to request that huge pages are pre-allocated upfront, vs on demand, though I'm not sure what happens to a VM if it doesn't pre-allocate and it later can't be satisfied.

That was the motivation for "-mem-prealloc", prior to which a VM would SIGSEGV terminate if a huge page fault couldn't be satisfied during runtime. The (now default) preallocation behavior guarantees the guest has its working set present at startup but at the potential cost of overly pessimistic memory allocation.

...

The request for huge page backing will be attempted within libvirt if the host system has indicated a hugetlbfs mount point in qemu.conf, for example:

hugepage_mount = "/hugetlbfs"

Seems like it would be simpler to just open /proc/mounts and scan it to find whether/where hugetlbfs is mounted, so it would 'just work' if the user had mounted it.

Checking /proc/mounts solely seemed a bit too speculative which is where the qemu.conf option arose. But I can see both being useful as in checking whether the qemu.conf mount point exists, otherwise attempting to glean the information from /proc/mounts, and if neither are satisfied flagging the error.

It looks like argument is not available in upstream QEMU, only part of the KVM fork ? ANy idea why it hasn't been sent upstream, and/or whether it will be soon.

I'd hazard due to the existing huge page support being closely tied to kvm and no motivation as of yet to reconcile this upstream.

I'm loathe to add more KVM specific options since we've been burnt everytime we've done this in the past with its semantics changing when merged to QEMU :-(

Quite understandable. It is also why I was attempting to be as generic (and simple) as possible here and not excessively cast the existing kvm implementation specifics into the exported libvirt option.

I agree that setting up hugetlbfs is out of scope for libvirt. We should just probe to see whether its available or not. We ought to have some way of reporting available hugepages though, both at a host level, and likely per NUMA node too. Without this a mgmt app using libvirt has no clue whether they'll be able to actually use hugepages successfully or not.

Agree. Extracting this host information will be needed when more comprehensive management of the same exists. Still it would seem a case of best-effort enforcement without some sort of additional coordination. The process of gleaning the number of free huge pages from the host and launching of the guest currently has an inherent race. Thanks, -john -- john.cooper@redhat.com

On Thu, Jul 23, 2009 at 09:00:18PM -0400, john cooper wrote:

I've incorporated feedback received on the prior version into the patch below.

The host mount point for hugetlbfs is queried by default from /proc/mounts unless overridden in qemu.conf via:

hugepage_mount = "<path_to_mount_point>"

This should make the concern of establishing a mount point path convention a non-issue for the general case while still allowing the same to be deterministically set if needed.

In light of what Chris said about extended attribute support for SELinux I think we, sadly, have no choice by to mount a new instance of hugetlbfs per VM, labelled with the context of that VM. The problem is that this doesn't really fit into the internal architecture we have in the slightest. The SELinux support we have is focused around re-labelling existing resources. This hugetlbfs support implies that the SELinux driver is altering our command line arg generator, which is not an easy thing for us to support, given the code flow here. We might have to resort to sick gross hacks.... unless the kernel guys think its easy to add extended attribute support to hugetlbfs in no time at all.

Complete disable of hugepage backing can be accomplished by setting the mount point to "".

A guest now requests hugepage backing via specifying:

<hugepage enable='on'/>

Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

On Tue, Jul 28, 2009 at 10:55:58AM +0100, Mark McLoughlin wrote:

On Mon, 2009-07-27 at 22:55 +0100, Daniel P. Berrange wrote:

...

On Thu, Jul 23, 2009 at 09:00:18PM -0400, john cooper wrote:

...

I've incorporated feedback received on the prior version into the patch below.

The host mount point for hugetlbfs is queried by default from /proc/mounts unless overridden in qemu.conf via:

hugepage_mount = "<path_to_mount_point>"

This should make the concern of establishing a mount point path convention a non-issue for the general case while still allowing the same to be deterministically set if needed.

In light of what Chris said about extended attribute support for SELinux I think we, sadly, have no choice by to mount a new instance of hugetlbfs per VM, labelled with the context of that VM.

I haven't played with hugetlbfs much, so let me make sure I understand the issue:

-) With --mempath, qemu creates a file under the supplied directory and mmap()s it, using the mapped region for guest memory

-) Because the directory is under hugetlbfs, that memory is huge page backed

-) Guest memory can be read by reading this file

-) The file is owned by the uid of the qemu process, so any other processes with that uid can access guest memory

-) If we could label the file, we could use policy to prevent qemu processes from accessing each other's files

-) We can't, so the alternative is to use a separate hugetlbfs mount for each guest, each with a different label - each mount will only contain the file for that guest, and only be accessible by that guest

Yes, that's pretty much the size of it. NB, the file QEMU creates in hugetlbfs is immediately deleted, but you can still access it via /proc/$PID/fd eg $ mount -t hugetlbfs none /mnt/ $ qemu-kvm -m 60 --mem-prealloc --mem-path /mnt/ -cdrom ~berrange/boot.iso $ pgrep qemu-kvm 12441 $ lsof -p 12441 | grep /mnt qemu-kvm 12441 root DEL REG 0,19 1756707 /mnt/kvm.izG73m qemu-kvm 12441 root 8u REG 0,19 85983232 1756707 /mnt/kvm.izG73m (deleted) $ cat > filecon.c <<EOF #include <selinux/selinux.h> #include <stdio.h> #include <unistd.h> #include <fcntl.h> int main(int argc, char **argv) { int fd; security_context_t con; fd = open (argv[1], O_RDONLY); fgetfilecon(fd, &con); fprintf(stderr, "Context: %s\n", (char *)con); close(fd); return 0; } $ gcc -lselinux -o filecon filecon.c $ ./filecon /proc/12441/fd/8 Context: system_u:object_r:hugetlbfs_t:s0 We need the latest 's0' be to be different for every VM. Normally this would 'just work' since, if qemu is running under ':s75', then any fle it create would be labelled ':s75' , but hugetlbfs doesn't support setting attributes # touch /mnt/foo # ls -lZ /mnt/foo -rw-r--r--. root root system_u:object_r:hugetlbfs_t:s0 /mnt/foo # chcon system_u:object_r:hugetlbfs_t:s75 /mnt/foo chcon: failed to change context of `/mnt/foo' to `system_u:object_r:hugetlbfs_t:s75': Invalid argument But we can change the context per mount # mount -o remount,context=system_u:object_r:hugetlbfs_t:s75 /mnt/ # ls -lZ /root/foo -rw-r--r--. root root system_u:object_r:hugetlbfs_t:s75 /root/foo Regards, Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

On Tue, Jul 28, 2009 at 08:04:31AM -0400, Stephen Smalley wrote:

On Mon, 2009-07-27 at 22:55 +0100, Daniel P. Berrange wrote:

...

In light of what Chris said about extended attribute support for SELinux I think we, sadly, have no choice by to mount a new instance of hugetlbfs per VM, labelled with the context of that VM. The problem is that this doesn't really fit into the internal architecture we have in the slightest. The SELinux support we have is focused around re-labelling existing resources.

This hugetlbfs support implies that the SELinux driver is altering our command line arg generator, which is not an easy thing for us to support, given the code flow here. We might have to resort to sick gross hacks.... unless the kernel guys think its easy to add extended attribute support to hugetlbfs in no time at all.

There is a vfs fallback for setxattr of the security.* namespace to the security module, which would work for hugetlbfs if not for the fact that policy defines it as a genfscon-labeled filesystem. We only started prohibiting setxattr on genfscon-labeled filesystems in 2.6.30; prior to that we only did that for mountpoint-labeled filesystems. I can actually chcon a file in a hugetlbfs mount on 2.6.29.

Ahh, I can get that to work too on 2.6.29, I had previously been testing 2.6.30 :-)

To convert hugetlbfs to fully support labeling we'd need hugetlbfs_mknod() to call security_inode_init_security() to set up new inode security labels, just like shmem_mknod() does for tmpfs. And then we'd need to switch over the policy from genfscon to fs_use_trans.

This sounds like a preferrable plan to me - avoids having to have 100s, if not 1000s, of isntances of hugetlbfs mounted on large machines, then John's latest patch for libvirt would pretty much be sufficient. Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

On Wed, Jul 22, 2009 at 10:57:30PM +0100, Mark McLoughlin wrote:

* src/qemu_conf.h: export qemudNetworkIfaceConnect()

* src/qemu_conf.c: move vnet_hdr logic into qemudNetworkIfaceConnect() since we need it for hotplug too

Okay just some refactoring, ACK -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/

On Wed, Jul 22, 2009 at 10:57:31PM +0100, Mark McLoughlin wrote:

With hotplug, we're going to want to pass a tapfd name rather than an actual file descriptor, so prepare the way by passing a string tapfd to qemuBuildHostNetStr().

* src/qemu_conf.h: qemuBuildHostNetStr() takes a string tapfd now

* src/qemu_conf.c: pass qemuBuildHostNetStr() a string rather than an actual file descriptor

* src/qemu_driver.c: update qemudDomainAttachNetDevice() for change

Okay looks simple, ACK Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/

On Wed, Jul 22, 2009 at 10:57:32PM +0100, Mark McLoughlin wrote:

In subsequent patches we're going to have a file descriptor to close too, so centralize the error handling cleanups to make things easier.

* src/qemu_conf.c: in qemudDomainAttachNetDevice() consolidate the error handling cleanups together

Okay, having a more standard error handling mechanism with centralized exits looks better, ACK Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/

On Wed, Jul 22, 2009 at 10:57:33PM +0100, Mark McLoughlin wrote:

Add a little helper function to write the monitor command followed by carriage return in a single write.

This doesn't make any real difference, but allows us to more easily switch to using sendmsg() when using the monitor over a unix socket. [...] +static int +qemudMonitorSend(const virDomainObjPtr vm, + const char *cmd) +{ + char *full; + size_t len; + int ret = -1; + + if (virAsprintf(&full, "%s\r", cmd) < 0) + return -1;

Hum, we introduce an allocation here, and if it fails we really should call the OOM errror centralized routine Once done looks fine to me, ACK, Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/

On Wed, Jul 22, 2009 at 10:57:34PM +0100, Mark McLoughlin wrote:

Switch from using write() to using sendmsg() on QEMU's monitor socket so that we can add support for SCM_RIGHTS.

* src/qemu_driver.c: add sendmsg() based qemudMonitorSendUnix() and use it when the monitor fd is a unix socket

Okay this makes sense only once looking at the next patch where the extra information can only be passed as part of a struct iovec ACK, Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/

On Mon, Jul 27, 2009 at 10:59:47AM +0200, Daniel Veillard wrote:

On Wed, Jul 22, 2009 at 10:57:35PM +0100, Mark McLoughlin wrote:

...

Add qemudMonitorCommandWithFd() which allows a file descriptor to be sent to qemu over a unix monitor socket using SCM_RIGHTS. See the unix(7) and cmsg(3) man pages.

* src/qemu_conf.c: add a scm_fd param to qemudMonitorCommandExtra(), add qemudMonitorCommandWithFd(), implement SCM_RIGHTS support in qemudMonitorSendUnix()

ACK, that's the logical next step from previous patch, apparently SCM_RIGHTS has been around forever, so this should not break on older kernel I assume.

It won't break on any kernel we care about in the slightest ;-P I'm sure other things will break first ! Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

On Wed, Jul 22, 2009 at 10:57:36PM +0100, Mark McLoughlin wrote:

In order to hotplug a network/bridge backed NIC, we need to first create the tap file descriptor, add the tap interface to the bridge and then pass the file descriptor to the qemu process using the 'getfd' monitor command.

Once the tapfd has been accepted, we create the network backend using host_net_add, supplying the name assigned to the tapfd. If this fails, we need to close the tapfd in qemu using the 'closefd' monitor command.

* src/qemu_driver.c: add support for tapfd based hotplug in qemudDomainAttachNetDevice() [...] + if (tapfd != -1) { + if (virAsprintf(&tapfd_name, "fd-%s", net->hostnet_name) < 0) + goto no_memory; + + if (virAsprintf(&tapfd_close, "closefd %s", tapfd_name) < 0) + goto no_memory;

[...]

+try_tapfd_close: + VIR_FREE(reply); + + if (tapfd_close) { + if (qemudMonitorCommand(vm, tapfd_close, &reply) < 0) + VIR_WARN(_("Failed to close tapfd with '%s'\n"), tapfd_close); + else + VIR_DEBUG("%s: closefd: %s\n", vm->def->name, reply); + } + goto cleanup;

This makes sense except I didn't expect tapfd_close which seems used only in an error path to be allocated on the main branch (assuming a tapfd). Otherwise looks clean, ACK Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/

On Mon, Jul 27, 2009 at 10:32:42AM +0100, Mark McLoughlin wrote:

On Mon, 2009-07-27 at 11:06 +0200, Daniel Veillard wrote:

...

On Wed, Jul 22, 2009 at 10:57:29PM +0100, Mark McLoughlin wrote:

...

Hey, So, here are the patches needed to complete the QEMU NIC hotplug work by supporting network and bridge backed interfaces.

We support this by passing a tap file descriptor to qemu over the monitor socket using SCM_RIGHTS.

The monitor commands required for this (getfd and closefd) are queued up in Anthony's queue and should be in qemu-0.11-rc1 which is due to be released very soon:

http://repo.or.cz/w/qemu/aliguori-queue.git?a=commitdiff;h=4edd6c2645 http://repo.or.cz/w/qemu/aliguori-queue.git?a=commitdiff;h=f4069061e3

Note: I just remembered I'm not handling missing support for these commands very well. I'll make it handle an 'unknown command' reply gracefully by failing the attach tommorrow.

Yes that's my main uncertainty about this patch set, we assume the support is present and I don't see any detection code, can you send this quickly to finish the serie of patches ?

Yep, the below hunk is all we need - I'll squash it into 7/7

Okay, thanks ! Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/

On Mon, 2009-07-27 at 22:19 +0100, Daniel P. Berrange wrote:

On Wed, Jul 22, 2009 at 10:57:29PM +0100, Mark McLoughlin wrote:

...

Hey, So, here are the patches needed to complete the QEMU NIC hotplug work by supporting network and bridge backed interfaces.

We support this by passing a tap file descriptor to qemu over the monitor socket using SCM_RIGHTS.

The monitor commands required for this (getfd and closefd) are queued up in Anthony's queue and should be in qemu-0.11-rc1 which is due to be released very soon:

http://repo.or.cz/w/qemu/aliguori-queue.git?a=commitdiff;h=4edd6c2645 http://repo.or.cz/w/qemu/aliguori-queue.git?a=commitdiff;h=f4069061e3

Note: I just remembered I'm not handling missing support for these commands very well. I'll make it handle an 'unknown command' reply gracefully by failing the attach tommorrow.

ACK to this patch series since its almost certainly going into QEMU upstream any minute. It doesn't have any public API impact, so worst case we later change / remove it.

Thanks, it's upstream now: http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=c1d6eed7e8 as is the machine type aliases: http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=9574758134 This is on the 0.12 branch, but I've asked for them to be pulled into the stable-0.11 branch ... we'll see. Cheers, Mark.