Details

Reviewers

markj
olce
corvink

Group Reviewers

bhyve

Summary

This change introduces a new per-UID limit for controlling the
number of vmm instances, in anticipation of unprivileged bhyve.
This limit allows us to control the maximum amount of kernel memory allocated
by the vmm driver and prevent potential memory exhaustion attacks.
The initial value of the limit was chosen arbitrarily and may be
adjusted in the future.

Sponsored by: The FreeBSD Foundation
Sponsored by: Klara, Inc.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

bnovkov created this revision.Thu, Nov 13, 11:13 AM

Herald added a reviewer: olce. · View Herald TranscriptThu, Nov 13, 11:13 AM

Herald added subscribers: olce, imp. · View Herald Transcript

bnovkov requested review of this revision.Thu, Nov 13, 11:13 AM

Harbormaster completed remote builds in B68594: Diff 166350.Thu, Nov 13, 11:13 AM

bnovkov added a child revision: D53729: vmm: Add ability to destroy VMs on close.Thu, Nov 13, 11:13 AM

corvink added a subscriber: corvink.Fri, Nov 14, 6:54 AM

corvink added inline comments.

sys/dev/vmm/vmm_dev.c
990	Why changing this to thread?
1187	It would be great to explain in the commit message why we want to restrict the number of vmms and especially, why we're choosing this default value.

Address @corvink 's comments.

bnovkov added inline comments.Mon, Nov 17, 2:47 PM

sys/dev/vmm/vmm_dev.c
990	Whoops, that was a leftover from an unrelated previous attempt, thanks for catching it!
1187	I've expanded the commit message, but the limit itself is fairly arbitrary. I'm open to suggestions if you think there's a more reasonable value.

corvink accepted this revision.Tue, Nov 18, 6:53 AM

corvink added inline comments.

sys/dev/vmm/vmm_dev.c
1187	I just prefer that we're adding a short reason why choosing this default limit. If it's just a random pick, it's fine but it's worth mentioning in the commit message that it's just a random pick. So, if someone ever wonders why we've chosen this limit he can check the commit message.

This revision is now accepted and ready to land.Tue, Nov 18, 6:53 AM

usr.bin/procstat/procstat_rlimit.c should be updated too.

sys/dev/vmm/vmm_dev.c
20	This sorts after queue.h.
1187	I agree, there should be a comment. Thinking a bit more, having a max of 1024 is a bit silly, it's possibly too low on large count-count machines. Maybe let's just have it be 4mp_ncpus or 8mp_ncpus? Also this needs to be overridable with a tunable, like hw.vmm.maxcpu above.
sys/kern/kern_resource.c
1776

Address @markj 's comments

This revision now requires review to proceed.Fri, Nov 21, 10:07 AM

bnovkov marked 4 inline comments as done.Fri, Nov 21, 10:09 AM

markj added inline comments.Fri, Nov 21, 3:07 PM

sys/dev/vmm/vmm_dev.c
1008	You'd need to decrement the counter again in the error cases below. Better would be to postpone it.

Defer incrementing the vmm counter.

markj added inline comments.Mon, Nov 24, 5:04 PM

sys/dev/vmm/vmm_dev.c
1032	You need to destroy the cdev here too. vmmdev_destroy() won't do it for you.

bnovkov updated this revision to Diff 167036.Mon, Nov 24, 5:18 PM

bnovkov marked an inline comment as done.

bnovkov added inline comments.

sys/dev/vmm/vmm_dev.c
1032	whoops, that was silly, fixed!

There are already inline comments asking for a comment on the current limit. If possible, I think it would be great also to explain the point of this resource limit. In particular, which resources a VMM consumes that is not already accounted into existing resource limits, such as for memory: RLIMIT_AS, RLIMIT_RSS, RLIMIT_STACK, or CPU: RLIMIT_CPU? I suspect some kernel memory? Are there hardware limitations to the number of VMs that can be created?

sys/dev/vmm/vmm_dev.c
906–907	Small in-passing question: Can `sc->ucred` really be `NULL` here? I'm asking to be able to verify that `chgvmmcnt()` calls are indeed paired correctly.

Address @olce 's comments.

In D53728#1231626, @olce wrote:

There are already inline comments asking for a comment on the current limit. If possible, I think it would be great also to explain the point of this resource limit. In particular, which resources a VMM consumes that is not already accounted into existing resource limits, such as for memory: RLIMIT_AS, RLIMIT_RSS, RLIMIT_STACK, or CPU: RLIMIT_CPU? I suspect some kernel memory? Are there hardware limitations to the number of VMs that can be created?

Thank you for the suggestion, the limit covers kernel memory allocated by the vmm driver (both the MI and platform-specific parts) and is meant to prevent resource exhaustion.
I've reworded the commit message to include this point.

sys/dev/vmm/vmm_dev.c
906–907	hm, I don't think it can since it'll always get set in `vm_create`. The same goes for `sc->vm` as well. Looking at the commit history, I am not sure why these check have been placed. I've converted the `sc->ucred` check into an assertion and will do the same for `sc->vm` in a separate patch.

olce accepted this revision.Tue, Dec 2, 8:56 AM

This revision is now accepted and ready to land.Tue, Dec 2, 8:56 AM

kern: Introduce RLIMIT_VMM
AcceptedPublic
Actions

Details

Diff Detail

Event Timeline

Revision Contents
Changeset List

Diff 167384

sys/dev/vmm/vmm_dev.c

sys/kern/kern_resource.c

sys/sys/resource.h

sys/sys/resourcevar.h

usr.bin/procstat/procstat_rlimit.c

kern: Introduce RLIMIT_VMMAcceptedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 167384

sys/dev/vmm/vmm_dev.c

sys/kern/kern_resource.c

sys/sys/resource.h

sys/sys/resourcevar.h

usr.bin/procstat/procstat_rlimit.c

kern: Introduce RLIMIT_VMM
AcceptedPublic
Actions

Revision Contents
Changeset List