linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed
From: "Franklin “Snaipe” Mathieu" <snaipe@arista.com>
To: Hugh Dickins <hughd@google.com>
Cc: ovt@google.com, corbet@lwn.net, akpm@linux-foundation.org,
	 brauner@kernel.org, linux-doc@vger.kernel.org,
	linux-kernel@vger.kernel.org,  linux-mm@kvack.org
Subject: Re: [PATCH] shmem: add support for user extended attributes
Date: Tue, 15 Aug 2023 09:46:22 +0200	[thread overview]
Message-ID: <CAK8sBDM5aid1vkCKhBxqUHXrG_FbDRN0noLtPkcPv=jXb7NTNg@mail.gmail.com> (raw)
In-Reply-To: <986c412c-669a-43fe-d72a-9e81bca8211@google.com>

On Tue, Aug 15, 2023 at 5:52 AM Hugh Dickins <hughd@google.com> wrote:
>
> Thanks for the encouragement.  At the time that I wrote that (20 July)
> I did not expect to get around to it for months.  But there happens to
> have been various VFS-involving works going on in mm/shmem.c recently,
> targeting v6.6: which caused me to rearrange priorities, and join the
> party with tmpfs user xattrs, see
>
> https://lore.kernel.org/linux-fsdevel/e92a4d33-f97-7c84-95ad-4fed8e84608c@google.com/
>
> Which Christian Brauner quickly put into his vfs.git (vfs.tmpfs branch):
> so unless something goes horribly wrong, you can expect them in v6.6.

That's great to hear, thanks!

> There's a lot that you wrote above which I have no understanding of
> whatsoever (why would user xattrs stop rmdir failing?? it's okay, don't
> try to educate me, I don't need to know, I'm just glad if they help you).
>
> Though your mention of "unprivileged" does make me shiver a little:
> Christian will understand the implications when I do not, but I wonder
> if my effort to limit the memory usage of user xattrs to "inode space"
> can be be undermined by unprivileged mounts with unlimited (or default,
> that's bad enough) nr_inodes.
>
> If so, that won't endanger the tmpfs user xattrs implementation, since
> the problem would already go beyond those: can an unprivileged mount of
> tmpfs allow its user to gobble up much more memory than is good for the
> rest of the system?

I don't actually know; I'm no expert in that area. That said, these
tmpfses are themselves attached to an unprivileged mount namespace, so
it would certainly be my assumption that in the case of an OOM
condition, the OOM killer would keep trying to kill processes in that
mount namespace until nothing else references it and all tmpfs mounts
can be reclaimed, but then again, that's only my assumption and not
necessarily reality.

That said, I got curious and decided to experiment; I booted a kernel
in a VM with 1GiB of memory and ran the following commands:

    $ unshare -Umfr bash
    # mount -t tmpfs tmp /mnt -o size=1g
    # dd if=/dev/urandom of=/mnt/oversize bs=1M count=1000

After about a second, the OOM killer woke up and killed bash then dd,
causing the mount namespace to be collected (and with it the tmpfs).
So far, so good.

I got suspicious that what I was seeing was that these were the only
reasonable candidates for the OOM killer, because there were no other
processes in that VM besides them & init, so I modified slightly the
experiment:

    $ dd if=/dev/zero of=/dev/null bs=10M count=10000000000 &
    $ unshare -Umfr bash
    # mount -t tmpfs tmp /mnt -o size=1g
    # dd if=/dev/urandom of=/mnt/oversize bs=1M count=1000

The intent being that the first dd would have a larger footprint than
the second because of the large block size, yet it shouldn't be killed
if the tmpfs usage was accounted for in processes in the mount
namespace. What happened however is that both the outer dd and the
outer shell got terminated, causing init to exit and with it the VM.

So, it's likely that there's some more work to do in that area; I'd
certainly expect the OOM killer to take the overall memory footprint
of mount namespaces into account when selecting which processes to
kill. It's also possible my experiment was flawed and not
representative of a real-life scenario, as I clearly have interacted
with misbehaving containers before, which got killed when they wrote
too much to tmpfs. But then again, my experiment also didn't take
memory cgroups into account.

--
Snaipe


  reply	other threads:[~2023-08-15  7:47 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-07-20  6:54 [PATCH] shmem: add support for user extended attributes Oleksandr Tymoshenko
2023-07-20 16:56 ` Hugh Dickins
2023-07-20 17:09   ` Oleksandr Tymoshenko
2023-07-20 17:42     ` Hugh Dickins
2023-08-14  8:23   ` Snaipe
2023-08-15  3:51     ` Hugh Dickins
2023-08-15  7:46       ` Franklin “Snaipe” Mathieu [this message]
2023-08-15  8:23         ` Christian Brauner
2023-08-21 17:52           ` Hugh Dickins
2023-08-22  9:01             ` Christian Brauner
2023-08-22 17:50             ` Oleksandr Tymoshenko

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAK8sBDM5aid1vkCKhBxqUHXrG_FbDRN0noLtPkcPv=jXb7NTNg@mail.gmail.com' \
    --to=snaipe@arista.com \
    --cc=akpm@linux-foundation.org \
    --cc=brauner@kernel.org \
    --cc=corbet@lwn.net \
    --cc=hughd@google.com \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=ovt@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).