From mboxrd@z Thu Jan 1 00:00:00 1970 From: Wei Liu Subject: QEMU bumping memory bug analysis Date: Fri, 5 Jun 2015 17:43:54 +0100 Message-ID: <20150605164354.GK29102@zion.uk.xensource.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Content-Disposition: inline List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: xen-devel@lists.xen.org Cc: wei.liu2@citrix.com, Ian Campbell , Stefano Stabellini , George Dunlap , Andrew Cooper , Ian Jackson , dslutz@verizon.com List-Id: xen-devel@lists.xenproject.org Hi all This bug is now considered a blocker for 4.6 release. The premises of the problem remain the same (George's translated version): 1. QEMU may need extra pages from Xen to implement option ROMS, and so at the moment it calls set_max_mem() to increase max_pages so that it can allocate more pages to the guest. libxl doesn't know what max_pages a domain needs prior to qemu start-up. 2. Libxl doesn't know max_pages even after qemu start-up, because there is no mechanism to communicate between qemu and libxl. 3. QEMU calls xc_domain_setmaxmem to increase max_pages by N pages. Those pages are only accounted for in the hypervisor. Libxl (currently) does not extract that value from the hypervisor. Several solutions were proposed: 1. Add a new record type in libxc migration stream and call setmaxmem in the middle of xc migration stream. Main objections are calling xc_domain_setmaxmem in the middle of xc migration stream is layer violation. Also this prevents us from disaggregating domain construction to a less privileged domain. 2. Use libxl toolstack save restore blob to tranmit max pages information to remote end. This is considered a bodge and has been proven not to work because toolstack blob restore happens after xc_domain_restore. 3. Add a libxl layer that wraps necessary information, take over Andrew's work on libxl migration v2. Having a libxl layer that's not part of migration v2 is a waste of effort. There are several obstacles for libxl migration v2 at the moment. Libxl layer in migration v2 still has unresolved issues. It has inter-dependency with Remus / COLO. Most importantly it doesn't inherently solve the problem. It still requires the current libxl JSON blob to contain information about max pages (or information used to derive max pages). Andrew, correct me if I'm wrong. 4. Add a none user configurable field in current libxl JSON structure to record max pages information. This is not desirable. All fields in libxl JSON should be user configurable. 5. Add a user configurable field in current libxl JSON structure to record how much more memory this domain needs. Admin is required to fill in that value manually. In the mean time we revert the change in QEMU and declare QEMU with that change buggy. No response to this so far. But in fact I consider this the most viable solution. It's a simple enough solution that is achievable within 4.6 time frame. It doesn't prevent us from doing useful work in the future (disaggregated architecture with stricter security policy). It provides a way to work around buggy QEMU (admin sets that value to prevent QEMU from bumping memory limit). It's orgthogonal to migration v2 which means it won't be blocked by migration v2 or block migration v2. I tend to go with solution 5. Speak up if you don't agree with my analysis or you think I miss some aspects. For long term we need to: 1. Establish libxl as the arbitrator how much pages a domain can have. Anything else doing stuff behind arbitrator's back is considered buggy. This principle probably apply to other aspects of a domain as well. 2. Work out a solution communicate between QEMU and libxl. This can be expanded to cover other components in a Xen setup, but currently we only have QEMU. Wei.