Re: [RFC] tentative prctl task isolation interface

[Marcelo Tosatti <mtosatti@redhat.com>]

On Thu, Jan 21, 2021 at 01:20:59PM -0300, Marcelo Tosatti wrote:
> 
> Adding Nitesh to CC.
> 
> On Thu, Jan 21, 2021 at 12:51:41PM -0300, Marcelo Tosatti wrote:
> > Hi Alex,
> > 
> > On Fri, Jan 15, 2021 at 10:35:14AM -0800, Alex Belits wrote:
> > > On 1/15/21 05:24, Christoph Lameter wrote:
> > > 
> > > > ----------------------------------------------------------------------
> > > > On Thu, 14 Jan 2021, Marcelo Tosatti wrote:
> > > > 
> > > > > > How does one do a oneshot flush of OS activities?
> > > > > 
> > > > >          ret = prctl(PR_TASK_ISOLATION_REQUEST, ISOL_F_QUIESCE, 0, 0, 0);
> > > > >          if (ret == -1) {
> > > > >                  perror("prctl PR_TASK_ISOLATION_REQUEST");
> > > > >                  exit(0);
> > > > >          }
> > > > > 
> > > > > > 
> > > > > > I.e. I have a polling loop over numerous shared and I/o devices in user
> > > > > > space and I want to make sure that the system is quite before I enter the
> > > > > > loop.
> > > > > 
> > > > > You could configure things in two ways: with syscalls allowed or not.
> > > > 
> > > > Well syscalls that do not cause deferred processing like getting the time
> > > > or determining the current cpu should be ok to use.
> > > 
> > > Some of those syscalls go through vdso, and don't enter the kernel --
> > > nothing specific is necessary to allow them, and it would be pointless and
> > > difficult to prevent them.
> > > 
> > > For syscalls that enter the kernel, it's often difficult to predict, if they
> > > will or won't cause deferred processing, so I am afraid, it won't be
> > > possible to provide a "safe" class of syscalls for this purpose and not end
> > > up with something minimal like reading /sys and /proc. Right now isolation
> > > only "allows" syscalls that exit isolation.
> > 
> > Christoph wrote:
> > 
> > "> Features that I think may be needed:
> > > 
> > > F_ISOL_QUIESCE                -> quiet down now but allow all OS activities. OS
> > >                       activites reset flag
> > > 
> > > F_ISOL_BAREMETAL_HARD -> No OS interruptions. Fault on syscalls that
> > >                       require such actions in the future.
> > > 
> > > F_ISOL_BAREMETAL_WARN -> Similar. Create a warning in the syslog when OS
> > >                               services require delayed processing etc
> > >                               but continue while resetting the flag.
> > "
> > 
> > It seems the only difference between HARD and WARN (lets call it SOFT) 
> > would be whether a notification is sent to userspace.
> > 
> > The definition 
> > 
> > "F_ISOL_BAREMETAL_HARD -> No OS interruptions. Fault on syscalls that
> >                        require such actions in the future."
> > 
> > fails in the static_key_enable case: Alex's idea is to queue the i-cache
> > flush if the remote task/cpu is in isolated mode (and perform the flush 
> > when entering the kernel).
> > 
> > So even if userspace uses syscalls that do not require delayed
> > processing, there are events which are out of control of the
> > application and might require it.
> > 
> > So lets assume the application performs a number of syscalls on a
> > given time critical codepath. 
> > 
> > Either the system is configured so that 
> > the number/frequency of static_key_enable's is limited, or the cost of
> > i-cache flushes must be accounted on that critical codepath.
> > 
> > Anyway, trying to improve Christoph's definition:
> > 
> > F_ISOL_QUIESCE                -> flush any pending operations that might cause
> > 				 the CPU to be interrupted (ex: free's
> > 				 per-CPU queues, sync MM statistics
> > 				 counters, etc).
> > 
> > F_ISOL_ISOLATE		      -> inform the kernel that userspace is
> > 				 entering isolated mode (see description
> > 				 below on "ISOLATION MODES").
> > 
> > F_ISOL_UNISOLATE              -> inform the kernel that userspace is
> > 				 leaving isolated mode.
> > 
> > F_ISOL_NOTIFY		      -> notification mode of isolation breakage
> > 				 modes.
> > 
> > 
> > Isolation modes:
> > ---------------
> > 
> > There are two main types of isolation modes: 
> > 
> > - SOFT mode: does not prevent activities which might generate interruptions
> > (such as CPU hotplug).
> > 
> > - HARD mode: prevents all blockable activities that might generate interruptions.
> > Administrators can override this via /sys.
> > 
> > Notifications:
> > -------------
> > 
> > Notification mode of isolation breakage can be configured as follows:
> > 
> > - None (default): No notification is performed by the kernel on isolation
> >   breakage.
> > 
> > - Syslog: Isolation breakage is reported to syslog. 
> > 
> > (new modes can be added, for example signals).
> > 
> > A new feature can be added to disallow syscalls (by default syscalls
> > are enabled, with reporting of pending activities that might cause
> > an interruption in a VDSO).

After discussion with Juri and Daniel, it became clearer that supporting
unmodified applications would be quite useful:

	- enter isolation mode
	- run unmodified application
	- leave isolation mode

This could work via an additional mode which goes through the quiesce
operation at every syscall return. Since this includes freeing per-CPU
pagevecs (therefore allocating per-CPU pagevecs at the next syscall),
it might considerably slowdown system startup (and cause MM related 
spinlocks contention).

Better ideas are appreciated.