RE: [Xen-users] Very technical question about ballooning
Hi...

Xen enforces maxmem allocation so that no guest is allowed to use more memory than maxmem, whether it uses a balloon driver or not. If memory is overcommitted, allocation of pages (via a balloon driver or hotplug or any other mechanism) is first-come-first-served but no domU can allocate more than its predefined maxmem. If a domU balloon driver requests more memory from Xen and Xen has no more physical memory to allocate, Xen fails the request.

Think of a balloon driver like any other hardware driver but it happens to have a very large and highly variable appetite for memory. If a guest needs more memory and can't get it, it isn't any different than if a bare-metal OS runs into its physical memory limit: Swapping occurs. Or if there is no swap disk (or virtual swap disk if it is a guest), userland memory allocation fails or the kernel invokes the "OOM killer" or, in worst case, a bare-metal OS (or the guest) crashes.

So, in other words, NO, a maliciously ballooning guest cannot cause other guests to crash, unless those other guests balloon their memory down to such a low level that they cannot continue to run.

There seems to be a lot of interest in memory overcommit lately. For a good overview, see http://oss.oracle.com/projects/tmem

Thanks,
Dan

> -----Original Message-----
> From: Stephen Spector [mailto:stephen.spector@xxxxxxxxxx]
> Sent: Friday, August 13, 2010 8:25 AM
> To: Moritz Duge; xen-users@xxxxxxxxxxxxxxxxxxx; Dan Magenheimer
> Subject: RE: [Xen-users] Very technical question about ballooning
>
> Adding Dan Magenheimer for his thoughts..
>
> -----Original Message-----
> From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx [mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Moritz Duge
> Sent: Thursday, August 12, 2010 10:38 AM
> To: xen-users@xxxxxxxxxxxxxxxxxxx
> Subject: [Xen-users] Very technical question about ballooning
>
> Hi there!
> I'm having a quite difficult question about the ballooning feature of Xen.
>
> The scenario is like this: I'm having a dom0 and some domUs. But I don't
> trust the operating-system inside one of the domUs. Please don't ask me
> why I just don't trust this operating-system! I can give you 1001
> reasons for it. This domU operating-system could be managed by an evil
> administrator or it could just be insecure, so someone can break into it
> and gain root access.
>
> Nevertheless, I would like to use ballooning for all of the domUs, also
> the untrusted one. Mainly because the memory requirements of the domUs
> change sometimes, but I don't want to reboot them.
> That's why I want to use ballooning. And the added maxmem-values (not
> the memory values) will be more than the physical memory I have.
>
>
> So the question is: Does Xen ensure, that the untrusted guest doesn't
> cheat the ballooning model?
> What will happen, if memory is set to 512 mb for example and maxmem is
> 768 mb. And then, the guest just unloads the ballooning stuff from its
> operating-system kernel.
>
> - Will the guest be able to "see" (by using the linux-command free in
> the guest for example) its maxmem (768 mb)?
>
> - And what will happen, if the guest tries to use its full maxmem (768
> mb), not just the 512 mb? Will the guest crash???
>
> - What happens if the guest can use maxmem and the whole system (dom0
> and the real hardware computer) runs out of memory? Will the whole real
> computer crash? Or just the malicious domU? Or all the domUs, but not
> the dom0???
>
>
> Think of that: In the scenario I'm talking about, the bad domU is not
> really under my control. For sure, I wouldn't use more memory than I
> have. But in this case it's not my decision. It's the decision of
> somebody evil who gained the control over the domU (as I said, don't ask
> me why - there are enough exploits and undiscovered security holes out
> there).
>
>
> At last:
>
> - Are there differences concerning this, when using the paravirtualized
> mode (linux) and using the hvm mode with paravirtualized hvm drivers???
>
> - Are there differences between the versions of the or the available
> xen-linux-kernels?
>
> - It's not so hard to have a Xen Kernel without ballooning. For example
> look at Fedora 9. It brings a Xen-PV Kernel without ballooning!
>
>
> At very last: Is there any detailed documentation for this?
>
>
> Thanks!
> Moritz Duge
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
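
The allocation rules described in the reply above, as a toy model added here for illustration; it is not part of the original thread and not Xen code. The `Host` class, its method names and the memory sizes are constructed assumptions, and requests are modelled as all-or-nothing.

```python
# Toy model of the rules stated in the reply: per-guest maxmem is a hard cap,
# free pages go first-come-first-served, and a request fails when none are left.
# Not Xen code: names are hypothetical, sizes are in MiB.

class Host:
    def __init__(self, physical_mib):
        self.free = physical_mib
        self.guests = {}  # name -> {"cur": MiB held now, "max": maxmem}

    def create(self, name, memory, maxmem):
        if memory > maxmem or memory > self.free:
            raise ValueError("cannot build domain " + name)
        self.free -= memory
        self.guests[name] = {"cur": memory, "max": maxmem}

    def populate(self, name, mib):
        """Guest asks for more pages (balloon driver, hotplug, anything)."""
        g = self.guests[name]
        if g["cur"] + mib > g["max"]:
            return False  # above maxmem: refused even if the host has free RAM
        if mib > self.free:
            return False  # host exhausted: request fails, no other guest shrinks
        g["cur"] += mib
        self.free -= mib
        return True

    def release(self, name, mib):
        """Guest voluntarily balloons down and returns pages to the host."""
        g = self.guests[name]
        mib = min(mib, g["cur"])
        g["cur"] -= mib
        self.free += mib


def scenario():
    # Constructed numbers: 1536 MiB for guests, maxmem sum 2304 MiB (overcommitted).
    host = Host(1536)
    for name in ("untrusted", "web", "db"):
        host.create(name, memory=512, maxmem=768)
    r = {}
    r["beyond_maxmem"] = host.populate("untrusted", 512)   # 1024 > 768
    r["no_free_memory"] = host.populate("untrusted", 256)  # host has 0 free
    host.release("web", 256)                               # web balloons down
    r["first_come"] = host.populate("untrusted", 256)      # takes the freed pages
    r["web_regrow"] = host.populate("web", 256)            # nothing left for web
    r["state"] = {n: g["cur"] for n, g in host.guests.items()}
    return r


if __name__ == "__main__":
    print(scenario())
```

In the model, `db` never balloons down and keeps its 512 MiB throughout; only `web`, which gave pages back voluntarily, is unable to regrow.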