[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCHv1] xen: increase default number of PIRQs for hardware domains

>>> On 05.12.14 at 13:02, <andrew.cooper3@xxxxxxxxxx> wrote:
> On 05/12/14 09:44, Jan Beulich wrote:
>>>>> On 03.12.14 at 17:04, <david.vrabel@xxxxxxxxxx> wrote:
>>> The default limit for the number of PIRQs for hardware domains (dom0)
>>> is not sufficient for some (x86) systems.
>>> Since the pirq structures are individually and dynamically allocated,
>>> the limit for hardware domains may be increased to the number of
>>> possible IRQs.
>> I nevertheless disagree to moving the bound up to the Xen internal
>> limit unconditionally: What use does it have to allow hwdom to use
>> thousands of MSIs?
> Because systems that big exist.  We have one.  In particular, it needs
> somewhere between 288 and 512 pirqs to scan the bus and bring up the
> physical functions alone.

This are hundreds, not thousands. I also heavily doubt that a system
needs any IRQs at all to scan the bus.

>> If a system got that many, the main purpose of
>> running Xen on it I would expect to be to hand various of the
>> respective devices to guests. Hence no need for hwdom to have
>> that many by default, even if this doesn't result in any extra
>> resource consumption.
>> That said, I can see the current default of 256 being too low though.
>> Quite likely in the absence of a user specified value the default
>> ought to be derived from nr_irqs - nr_static_irqs rather than being
>> any fixed number. Considering the default used for nr_irqs, I'd think
>> along the lines of sqrt(num_present_cpus()) * NR_DYNAMIC_VECTORS
>> or dom0->max_vcpus * NR_DYNAMIC_VECTORS (or the minimum of
>> the two) for x86.
> The hardware domain is trusted ultimately.  It can, amongst other
> things, rewrite the bootloader command line and replace xen.gz.  It can
> be trusted not to maliciously waste Xen resource.
> Having an arbitrary restriction on the the hardware domains means only
> that, in the case the arbitrary limit is hit, system devices fail to
> function properly.  This is far more noticeable if the limit is hit
> during probe.  The admin can edit the bootloader and increase the limit,
> but only if the root disk was a driver lucky enough to get its
> interrupt, or the default network card got its interrupts.

There's no need to have disk access in order to add a boot option
- any reasonable boot loader ought to allow editing the command

> The limit serves no security or resource purpose, but has the chance of
> crippling the boot of the system, and making recovery hard or
> impossible.  On this justification alone, the limit should be removed.

But David's patch doesn't remove the limit, it just moves it as high as
is currently deemed reasonable. That may change, even if we can't
foresee it right now. I'm fine with proposing an alternative patch as
requested by David, but I'm not going to ack this one. If another
maintainer wants to commit it nevertheless, my disagreement here
isn't meant to be a veto...


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.