Hi there!
I'm having a quite difficult question about the ballooning feature of Xen.

The scenario is like this: I'm having a dom0 and some domUs. But I don't trust the operating-system inside one of the domUs. Please don't ask me why I just don't trust this operating-system! I can give you 1001 reasons for it. This domU operating-system could be managed by an evil administrator or it could just be insecure, so someone can break into it and gain root access.

Nevertheless, I would like to use ballooning for all of the domUs, also the untrusted one. Mainly because the memory requirements of the domUs change sometimes, but I don't want to reboot them.
That's why I want to use ballooning. And the added maxmem-values (not the memory values) will be more than the physical memory I have.

So the question is: Does Xen ensure that the untrusted guest doesn't cheat the ballooning model?
What will happen, if memory is set to 512 mb for example and maxmem is 768 mb. And then, the guest just unloads the ballooning stuff from its operating-system kernel.

- Will the guest be able to "see" (by using the linux-command free in the guest for example) its maxmem (768 mb)?

- And what will happen, if the guest tries to use its full maxmem (768 mb), not just the 512 mb? Will the guest crash???

- What happens if the guest can use maxmem and the whole system (dom0 and the real hardware computer) runs out of memory? Will the whole real computer crash? Or just the malicious domU? Or all the domUs, but not the dom0???

Think of that: In the scenario I'm talking about, the bad domU is not really under my control. For sure, I wouldn't use more memory than I have. But in this case it's not my decision. It's the decision of somebody evil who gained the control over the domU (as I said, don't ask me why - there are enough exploits and undiscovered security holes out there).

At last:

- Are there differences concerning this, when using the paravirtualized mode (linux) and using the hvm mode with paravirtualized hvm drivers???

- Are there differences between the versions of the or the available xen-linux-kernels?

- It's not so hard to have a Xen Kernel without ballooning. For example look at Fedora 9. It brings a Xen-PV Kernel without ballooning!

At very last: Is there any detailed documentation for this?

Thanks!
Moritz Duge
Stephen Spector
2010-Aug-13 14:25 UTC
RE: [Xen-users] Very technical question about ballooning
Adding Dan Magenheimer for his thoughts..
Dan Magenheimer
2010-Aug-13 14:58 UTC
RE: [Xen-users] Very technical question about ballooning
Hi...

Xen enforces maxmem allocation so that no guest is allowed to use more memory than maxmem, whether it uses a balloon driver or not. If memory is overcommitted, allocation of pages (via a balloon driver or hotplug or any other mechanism) is first-come-first-served but no domU can allocate more than its predefined maxmem. If a domU balloon driver requests more memory from Xen and Xen has no more physical memory to allocate, Xen fails the request.

Think of a balloon driver like any other hardware driver but it happens to have a very large and highly variable appetite for memory. If a guest needs more memory and can't get it, it isn't any different than if a bare-metal OS runs into its physical memory limit: Swapping occurs. Or if there is no swap disk (or virtual swap disk if it is a guest), userland memory allocation fails or the kernel invokes the "OOM killer" or, in worst case, a bare-metal OS (or the guest) crashes.

So, in other words, NO, a maliciously ballooning guest cannot cause other guests to crash, unless those other guests balloon their memory down to such a low level that they cannot continue to run.

There seems to be a lot of interest in memory overcommit lately. For a good overview, see http://oss.oracle.com/projects/tmem

Thanks,
Dan
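The policy described in the reply above (a host-side maxmem cap plus first-come-first-served allocation from a shared pool), as a small simulation. This is an added example, not Xen code and not part of the original thread; the class, method and domain names and all sizes are constructed. It assumes each request either succeeds in full or fails, and that a guest asks in 64 MB chunks.

```python
# Toy model of the policy described in the reply above; not Xen code.
# Class, method and domain names and all sizes are constructed.
class Host:
    def __init__(self, physical_mb):
        self.free_mb = physical_mb
        self.doms = {}  # name -> [current_mb, maxmem_mb]

    def create(self, name, memory_mb, maxmem_mb):
        if memory_mb > min(maxmem_mb, self.free_mb):
            raise ValueError("not enough memory to build " + name)
        self.free_mb -= memory_mb
        self.doms[name] = [memory_mb, maxmem_mb]

    def request(self, name, mb):
        """Guest asks for mb more. The check runs on the host side, so
        it does not depend on the guest having a balloon driver."""
        cur, cap = self.doms[name]
        if cur + mb > cap or mb > self.free_mb:
            return False  # request fails, nothing changes
        self.doms[name][0] += mb
        self.free_mb -= mb
        return True

    def release(self, name, mb):  # guest balloons down voluntarily
        mb = min(mb, self.doms[name][0])
        self.doms[name][0] -= mb
        self.free_mb += mb

    def greedy(self, name, chunk_mb=64):  # hostile guest: ask until refused
        got = 0
        while self.request(name, chunk_mb):
            got += chunk_mb
        return got

def scenario():
    host = Host(physical_mb=2048)       # memory left over for guests
    host.create("untrusted", 512, 768)  # memory=512, maxmem=768
    host.create("web", 512, 1024)
    host.create("db", 768, 1024)        # sum of maxmem 2816 > 2048
    out = {"grabbed": host.greedy("untrusted")}  # stops at maxmem
    out["web_grow"] = host.request("web", 64)    # pool empty: refused
    out["web_holds"] = host.doms["web"][0]       # keeps what it had
    host.release("web", 128)                     # web balloons down
    out["untrusted_again"] = host.greedy("untrusted")  # still capped
    out["db_grow"] = host.request("db", 64)      # first come, first served
    out["free_mb"] = host.free_mb
    return out

if __name__ == "__main__":
    print(scenario())
```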
J. Roeleveld
2010-Aug-13 15:03 UTC
Re: [Xen-users] Very technical question about ballooning
On Thursday 12 August 2010 16:38:26 Moritz Duge wrote:
> Hi there!
> I'm having a quite difficult question about the ballooning feature of Xen.
>
> The scenario is like this: I'm having a dom0 and some domUs. But I don't
> trust the operating-system inside one of the domUs. Please don't ask me
> why I just don't trust this operating-system! I can give you 1001
> reasons for it. This domU operating-system could be managed by an evil
> administrator or it could just be insecure, so someone can break into it
> and gain root access.
>
> Nevertheless, I would like to use ballooning for all of the domUs, also
> the untrusted one. Mainly because the memory requirements of the domUs
> change sometimes, but I don't want to reboot them.
> That's why I want to use ballooning. And the added maxmem-values (not
> the memory values) will be more than the physical memory I have.
>
> So the question is: Does Xen ensure that the untrusted guest doesn't
> cheat the ballooning model?
> What will happen, if memory is set to 512 mb for example and maxmem is
> 768 mb. And then, the guest just unloads the ballooning stuff from its
> operating-system kernel.

As far as I noticed, the domU will only be able to see the memory assigned to the domU by the dom0.
If the domU does not have ballooning support, then it can only see the amount of memory assigned to it during boot (or just before the ballooning support was removed).

Ballooning support is in the kernel and the kernel is, at least on my system using PV, located on the dom0. The domU does not have access to the kernel and my domUs don't have kernel-module support.

> - Will the guest be able to "see" (by using the linux-command free in
> the guest for example) its maxmem (768 mb)?

"free" only shows the actual memory the domU can use, e.g. what is assigned by the dom0.

> - And what will happen, if the guest tries to use its full maxmem (768
> mb), not just the 512 mb? Will the guest crash???

I don't think it's possible for a domU to use more memory than is actually assigned to the domU by dom0. "maxmem" is only the limit that can be assigned by the dom0 to the domU.

> - What happens if the guest can use maxmem and the whole system (dom0
> and the real hardware computer) runs out of memory? Will the whole real
> computer crash? Or just the malicious domU? Or all the domUs, but not
> the dom0???

Again, in my experience, it is not possible to overassign resources. maxmem on my system is 50% of the total memory in the machine for each VM. I have 8 running. However, I hardly ever assign the full amount to a domU. If I try to assign more memory than is available to be assigned, xen will simply reduce the amount to be assigned to the max possible.

Example:
I have 1GB free to assign.
I want to assign 2GB to a domU that is already using 1.5GB.
This will work, and I then have 512MB left to assign.
I then want to assign 2 GB to another domU that is already using 1GB.
This domU will then end up with 2GB as that is all that was available.

You can also specify a minimum amount of memory for the dom0. This ensures that the dom0, by auto-ballooning down, will not end up with less than this minimum. This will ensure the dom0 will remain stable.

> Think of that: In the scenario I'm talking about, the bad domU is not
> really under my control. For sure, I wouldn't use more memory than I
> have. But in this case it's not my decision. It's the decision of
> somebody evil who gained the control over the domU (as I said, don't ask
> me why - there are enough exploits and undiscovered security holes out
> there).

Actually, as I described above, it is your decision as long as you have control over the dom0 and the "bad admin" does not have access to the dom0.

> At last:
>
> - Are there differences concerning this, when using the paravirtualized
> mode (linux) and using the hvm mode with paravirtualized hvm drivers???

I never used HVM, but I doubt they would be able to grab memory from the pool directly.

> - Are there differences between the versions of the or the available
> xen-linux-kernels?

Yes, but not related to the way resources are granted/revoked to/from domUs.

> - It's not so hard to have a Xen Kernel without ballooning. For example
> look at Fedora 9. It brings a Xen-PV Kernel without ballooning!

Yes, but again, ballooning support only means that the domU is able to support the adding/removing of memory by the dom0.
If this support doesn't exist in the domU then you can't increase/decrease the memory. In this case, maxmem has no effect and only the specified memory is actually used.

> At very last: Is there any detailed documentation for this?

Not sure, what I mentioned above is from my personal experience.

--
Joost