On 19.11.21 14:36, David Hildenbrand wrote:

On 19.11.21 08:22, David Stevens wrote:

quoted

On Thu, Nov 18, 2021 at 8:17 PM David Hildenbrand [off-list ref] wrote:

quoted

On 18.11.21 10:11, David Stevens wrote:

quoted

From: David Stevens <redacted>

Hi David,

quoted

Add a module parameters to virtio_balloon to allow specifying whether or
not the driver should call adjust_managed_page_count. If the parameter
is set, it overrides the default behavior inferred from the deflate on
OOM flag. This allows the balloon to operate without changing the amount
of memory visible to userspace via /proc/meminfo or sysinfo, even on a
system that cannot set the default on OOM flag.

The motivation for this patch is to allow userspace to more accurately
take advantage of virtio_balloon's cooperative memory control on a
system without the ability to use deflate on OOM. As it stands,
userspace has no way to know how much memory may be available on such a
system, which makes tasks such as sizing caches impossible.

But that user space also has no idea "when" that memory will become
available, it could be never.

Isn't this statement always true with respect to
MemTotal/sysinfo.totalram? The kernel allocates and reserves memory,
so there will always be some amount of memory that will never be
available to userspace.

Please note that early allocation, most importantly the memmap,
are not accounted to MemTotal. This memory is similarly not managed
by the buddy. (thus the name adjust_managed_page_count())

But yes, there will always be some memory that will be accounted to
MemTotal that can never get freed. With memory ballooning it can easily
be in the range of gigabytes.

quoted

And if you look at things from the context of
a specific userspace process, there will be other processes running
and using memory. So while that statement is true with respect to this
change, that is also true without this change. The specific details
might be changed by the proposed parameter, but it wouldn't be
introducing any fundamentally new behavior to Linux.

Please note that the hyper-v balloon just recently switched to using
adjust_managed_page_count() proper accounting reasons:

commit d1df458cbfdb0c3384c03c7fbcb1689bc02a746c
Author: Vitaly Kuznetsov [off-list ref]
Date:   Wed Dec 2 17:12:45 2020 +0100

    hv_balloon: do adjust_managed_page_count() when ballooning/un-ballooning
    
    Unlike virtio_balloon/virtio_mem/xen balloon drivers, Hyper-V balloon driver
    does not adjust managed pages count when ballooning/un-ballooning and this leads
    to incorrect stats being reported, e.g. unexpected 'free' output.
    
    Note, the calculation in post_status() seems to remain correct: ballooned out
    pages are never 'available' and we manually add dm->num_pages_ballooned to
    'commited'.

quoted

quoted

This problem is similar to memory hotplug,
where we don't know "when" more memory might get hotplugged.

There are some meaningful differences with respect to hotplug. First,
with the balloon, the kernel knows exactly what the maximum amount of
memory the guest could have is.

Not quite. There are hypervisors that add more memory using
DIMMs (and as far as I heard virtio-mem) when required but
always fake-unplug memory using virtio-balloon.

quoted

Since the VM was created with that
specific amount of memory, assuming that the host will be able to
provide that amount of memory to the guest if the guest needs it is a
relatively safe assumption (and if the system administrator doesn't
want to make that assumption, they can skip using this parameter). On
the other hand, with hotplug, the only maximum value the kernel has is
the theoretical limit allowed by the hardware. That is clearly a
different sort of limit, and of markedly less value.

So what you actually want to expose to user space is the initial VM size.
We cannot reliably say what the maximum in the future will be
(memory hotplug), it can even be lower than the initial VM size. So it's
a pure heuristic after all.

quoted

Second, there's also the difference as to the nature of the event. If
someone went through the trouble to configure a VM to use the
virtio_balloon, then I think it's fair to say that inflating/deflating
the balloon is a 'normal' event that can happen with some regularity.

I disagree. Libvirt adds virtio-balloon as default to each and every VM.
Some people use virtiio-balloon to logically unplug memory, to eventually
never hotplug it again.

quoted

On the other hand, I don't think anyone would say that hotplug of
physical memory is a normal event.

Well, I would say that :) The hyper-v balloon is a good example, and the
xen balloon also hotplugs actual memory on demand. And it's
becoming more popular in the virtio world with virtio-mem as well
(which some cloud providers already support).

quoted

quoted

With deflate-on-OOM this behavior makes sense, because the guest can use
that memory whenever it wants -- it's actually available as soon as we
need it.

Well, by some definition of 'need'. It's available as soon as the
kernel is about to OOM some process. By that point, we've probably
already evicted a lot of caches, and the end user is going to be
having a bad time. If we get to this point, given how poorly Linux
usually behaves under low memory conditions, I think it is not an
unreasonable viewpoint to prefer to OOM kill something, rather than to
pull a paltry 1MB out of the balloon, at least on systems that are
relatively resilient to OOMs.

Don't get me wrong, I am absolutely not a fan of deflate-on-oom. I think
it was a mistake, but apparently, there are some actual users.

quoted

quoted

quoted

When deflate on OOM is not enabled, the current behavior of the
virtio_balloon more or less resembles hotplugging individual pages, at
least from an accounting perspective. This is basically hardcoding the
requirement that totalram_pages must be available to the guest
immediately, regardless of what the host does. While that is a valid
policy, on Linux (which supports memory overcommit) with virtio_balloon
(which is designed to facilitate overcommit in the host), it is not the
only possible policy.

The param added by this patch allows the guest to operate under the
assumption that pages in the virtio_balloon will generally be made
available when needed. This assumption may not always hold, but when it
is violated, the guest will just fall back to the normal mechanisms for
dealing with overcommitted memory.

Independent of what policy the guest wants, the virtio_balloon device
does not consider pages in the balloon as contributing to the guest's
total amount of memory if deflate on OOM is not enabled. Ensure that the
reported stats are consistent with this by adjusting totalram if a
guest without deflate on OOM is skipping the calls to
adjust_managed_page_count.

What about simply exposing the number of inflated balloon pages
("logically offline pages") e.g., via /proc/meminfo to user space? It's
then up to smart user space trying to be smart about memory that's not
available right now and might never become available eventually in the
future -- but still that user space wants to optimize for some eventuality.

That approach would require a lot of changes to userspace - probably
nearly everywhere that uses _SC_PHYS_PAGES or get_phys_pages, or
anywhere that parses /proc/meminfo. Actually properly using "logically
offline pages" would require an additional API for monitoring changes
to the value, and updating to that sort of listener API would not be a
localized change, especially since most programs do not account for
memory hotplug and just use the amount of physical memory during
initialization. Realistically, nearly all of the callers would simply
add together "logically offline pages" and MemTotal.

I'd appreciate a more generic approach for user space to figure out the
"initial memory size" in a virtualized environment than adding
some module parameter to virtio-balloon -- if that makes sense.

MemTotal as is expresses how much memory the buddy currently manages,
for example, excluding early allocations during boot, excluding actually
unplugged memory and excluding logically unplugged memory. Adjusting that
value makes perfect sense for virtio-balloon without deflate-on-oom.

Instead of changing MemTotal semantics, I'd say we introduce some other
mechanism to figure out the initial VM size -- "logically offline" memory
is just an example. "MemMax" might be misleading and easily wrong.
"MemInitial" might be an feasible option.

Yes, some special user space applications would have to be adjusted.

quoted

It's also not clear to me what utility the extra information would
provide to userspace. If userspace wants to know how much memory is
available, they should use MemAvailable. If userspace wants to have a
rough estimate for the maximum amount of memory in the system, they
would add together MemTotal and "logically offline pages". The value
of MemTotal with a no-deflate-on-oom virtio-balloon is a value with a
vague meaning that lies somewhere between the "maximum amount of
memory" and the "current amount of memory". I don't really see any
situations where it should clearly be used over one of MemAvailable or
MemTotal + "logically offline pages".

The issue is that any application that relies on MemTotal in a virtualized
environment is most probably already suboptimal in some cases. You can
rely on it and actually later someone will unplug (inflate balloon)
memory or plug (deflate balloon) memory. Even MemAvailable is suboptimal
because what about two applications that rely on that information at
the same time?

BTW, the general issue here is that "we don't know what the hypervisor
will do".

Maybe "MemMax" actually could make sense, where we expose the maximum
"MemTotal" we had so far since we were up an running. So the semantics
wouldn't be "maximum possible", because we don't know that, but instead
"maximum we had".

-- 
Thanks,

David / dhildenb

_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization