| Message ID | 9bf9d9bd-03b1-2adb-17b4-5d59a86a9394@virtuozzo.com |
|---|---|
| Headers | show |
| Series | memcg accounting from OpenVZ | expand |
An netadmin inside container can use 'ip a a' and 'ip r a' to assign a large number of ipv4/ipv6 addresses and routing entries and force kernel to allocate megabytes of unaccounted memory for long-lived per-netdevice related kernel objects: 'struct in_ifaddr', 'struct inet6_ifaddr', 'struct fib6_node', 'struct rt6_info', 'struct fib_rules' and ip_fib caches. These objects can be manually removed, though usually they lives in memory till destroy of its net namespace. It makes sense to account for them to restrict the host's memory consumption from inside the memcg-limited container. One of such objects is the 'struct fib6_node' mostly allocated in net/ipv6/route.c::__ip6_ins_rt() inside the lock_bh()/unlock_bh() section: write_lock_bh(&table->tb6_lock); err = fib6_add(&table->tb6_root, rt, info, mxc); write_unlock_bh(&table->tb6_lock); In this case it is not enough to simply add SLAB_ACCOUNT to corresponding kmem cache. The proper memory cgroup still cannot be found due to the incorrect 'in_interrupt()' check used in memcg_kmem_bypass(). Obsoleted in_interrupt() does not describe real execution context properly.
This series does not apply cleanly to net-next, please respin. Thank you.
On 7/27/21 12:59 AM, David Miller wrote: > > This series does not apply cleanly to net-next, please respin. Dear David, I found that you have already approved net-related patches of this series and included them into net-next. So I'll respin v7 without these patches. Thank you, Vasily Averin
OpenVZ uses memory accounting 20+ years since v2.2.x linux kernels. Initially we used our own accounting subsystem, then partially committed it to upstream, and a few years ago switched to cgroups v1. Now we're rebasing again, revising our old patches and trying to push them upstream. We try to protect the host system from any misuse of kernel memory allocation triggered by untrusted users inside the containers. Patch-set is addressed mostly to cgroups maintainers and cgroups@ mailing list, though I would be very grateful for any comments from maintainersi of affected subsystems or other people added in cc: Compared to the upstream, we additionally account the following kernel objects: - network devices and its Tx/Rx queues - ipv4/v6 addresses and routing-related objects - inet_bind_bucket cache objects - VLAN group arrays - ipv6/sit: ip_tunnel_prl - scm_fp_list objects used by SCM_RIGHTS messages of Unix sockets - nsproxy and namespace objects itself - IPC objects: semaphores, message queues and share memory segments - mounts - pollfd and select bits arrays - signals and posix timers - file lock - fasync_struct used by the file lease code and driver's fasync queues - tty objects - per-mm LDT We have an incorrect/incomplete/obsoleted accounting for few other kernel objects: sk_filter, af_packets, netlink and xt_counters for iptables. They require rework and probably will be dropped at all. Also we're going to add an accounting for nft, however it is not ready yet. We have not tested performance on upstream, however, our performance team compares our current RHEL7-based production kernel and reports that they are at least not worse as the according original RHEL7 kernel. v5: - rebased to v5.14-rc1 - updated ack tags v4: - improved description for tty patch - minor cleanup in LDT patch - rebased to v5.12 - resent to lkml@ v3: - added new patches for other kind of accounted objects - combined patches for ip address/routing-related objects - improved description - re-ordered and rebased for linux 5.12-rc8 v2: - squashed old patch 1 "accounting for allocations called with disabled BH" with old patch 2 "accounting for fib6_nodes cache" used such kind of memory allocation - improved patch description - subsystem maintainers added to cc: Vasily Averin (16): memcg: enable accounting for net_device and Tx/Rx queues memcg: enable accounting for IP address and routing-related objects memcg: enable accounting for inet_bin_bucket cache memcg: enable accounting for VLAN group array memcg: ipv6/sit: account and don't WARN on ip_tunnel_prl structs allocation memcg: enable accounting for scm_fp_list objects memcg: enable accounting for mnt_cache entries memcg: enable accounting for pollfd and select bits arrays memcg: enable accounting for file lock caches memcg: enable accounting for fasync_cache memcg: enable accounting for new namesapces and struct nsproxy memcg: enable accounting of ipc resources memcg: enable accounting for signals memcg: enable accounting for posix_timers_cache slab memcg: enable accounting for tty-related objects memcg: enable accounting for ldt_struct objects arch/x86/kernel/ldt.c | 6 +++--- drivers/tty/tty_io.c | 4 ++-- fs/fcntl.c | 3 ++- fs/locks.c | 6 ++++-- fs/namespace.c | 7 ++++--- fs/select.c | 4 ++-- ipc/msg.c | 2 +- ipc/namespace.c | 2 +- ipc/sem.c | 9 +++++---- ipc/shm.c | 2 +- kernel/cgroup/namespace.c | 2 +- kernel/nsproxy.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/signal.c | 2 +- kernel/time/namespace.c | 4 ++-- kernel/time/posix-timers.c | 4 ++-- kernel/user_namespace.c | 2 +- mm/memcontrol.c | 2 +- net/8021q/vlan.c | 2 +- net/core/dev.c | 6 +++--- net/core/fib_rules.c | 4 ++-- net/core/scm.c | 4 ++-- net/dccp/proto.c | 2 +- net/ipv4/devinet.c | 2 +- net/ipv4/fib_trie.c | 4 ++-- net/ipv4/tcp.c | 4 +++- net/ipv6/addrconf.c | 2 +- net/ipv6/ip6_fib.c | 4 ++-- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 5 +++-- 30 files changed, 57 insertions(+), 49 deletions(-)