From: Shakeel Butt <shakeelb@google.com>
To: Luis Chamberlain <mcgrof@kernel.org>
Cc: Vasily Averin <vvs@virtuozzo.com>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	 Vlastimil Babka <vbabka@suse.cz>, NeilBrown <neilb@suse.de>,
	Michal Hocko <mhocko@suse.com>,
	 Roman Gushchin <roman.gushchin@linux.dev>,
	Linux MM <linux-mm@kvack.org>,
	netdev@vger.kernel.org,  "David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>, Tejun Heo <tj@kernel.org>,
	 Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Eric Dumazet <edumazet@google.com>,
	 Kees Cook <keescook@chromium.org>,
	Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
	 David Ahern <dsahern@kernel.org>,
	linux-kernel@vger.kernel.org, kernel@openvz.org
Subject: Re: [PATCH RFC] net: memcg accounting for veth devices
Date: Tue, 1 Mar 2022 10:09:17 -0800
Message-ID: <20220301180917.tkibx7zpcz2faoxy@google.com>
In-Reply-To: <YhzeCkXEvga7+o/A@bombadil.infradead.org>

On Mon, Feb 28, 2022 at 06:36:58AM -0800, Luis Chamberlain wrote:
> On Mon, Feb 28, 2022 at 10:17:16AM +0300, Vasily Averin wrote:
> > The following one-liner running inside a memcg-limited container
> > consumes a huge amount of host memory and can trigger a global OOM.
> >
> > for i in `seq 1 xxx` ; do ip l a v$i type veth peer name vp$i ; done
> >
> > The patch accounts most of these allocations and can protect the host.
> > ---[cut]---
> > It is not polished, and perhaps should be split.
> > Obviously it affects other kinds of netdevices too.
> > Unfortunately I'm not sure that I will have enough time to handle it
> > properly and decided to publish the current patch version as is.
> > OpenVz works around it by using a per-container limit for the number
> > of available netdevices, but upstream does not have any kind of
> > per-container configuration.
> > ------
>
> Should this just be a new ucount limit on kernel/ucount.c and have veth
> use something like inc_ucount(current_user_ns(), current_euid(),
> UCOUNT_VETH)?
>
> This might be abusing ucounts though, not sure, Eric?


For admins of systems running multiple workloads, there is no easy way
to set such limits for each workload. Some may genuinely need more veth
than others. From an admin's perspective it is preferred to have minimal
knobs to set, and if these objects are charged to memcg then the memcg
limits would limit them. There was a similar situation for inotify
instances, where the fs sysctl inotify/max_user_instances already limits
the inotify instances, but we memcg charged them to not worry about
setting such limits. See ac7b79fd190b ("inotify, memcg: account inotify
instances to kmemcg").
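
Added example, not part of the message above or of the kernel tree: one way to check, on an otherwise quiet test host, whether kernel-object growth caused by a container is actually charged to its memcg, by comparing the change in cgroup v2 memory.stat with the change in host /proc/meminfo. The snapshot values are constructed, and the choice of counters and the function names are assumptions of this example.

```python
# Added example (not from the thread). All snapshot values are constructed.
CG_KEYS = ("slab_reclaimable", "slab_unreclaimable", "percpu", "vmalloc", "kernel_stack")
HOST_KEYS = ("Slab", "Percpu", "VmallocUsed", "KernelStack")

# Constructed cgroup v2 memory.stat excerpts (bytes) for the container's cgroup.
CG_BEFORE = "slab_reclaimable 1048576\nslab_unreclaimable 2097152\npercpu 524288\nkernel_stack 262144\n"
CG_AFTER = "slab_reclaimable 1048576\nslab_unreclaimable 6291456\npercpu 1572864\nkernel_stack 262144\n"
# Constructed /proc/meminfo excerpts (kB) taken on the host at the same two moments.
HOST_BEFORE = "Slab: 204800 kB\nKernelStack: 8192 kB\nPercpu: 10240 kB\nVmallocUsed: 30720 kB\n"
HOST_AFTER = "Slab: 368640 kB\nKernelStack: 8192 kB\nPercpu: 51200 kB\nVmallocUsed: 30720 kB\n"

def parse_memory_stat(text):
    """Parse cgroup v2 memory.stat ('key bytes' per line) into {key: bytes}."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            out[parts[0]] = int(parts[1])
    return out

def parse_meminfo(text):
    """Parse /proc/meminfo ('Key:   N kB' per line) into {key: bytes}."""
    out = {}
    for line in text.splitlines():
        key, _, rest = line.partition(":")
        fields = rest.split()
        if fields and fields[0].isdigit():
            scale = 1024 if fields[1:] == ["kB"] else 1
            out[key.strip()] = int(fields[0]) * scale
    return out

def kernel_bytes(snapshot, keys):
    """Sum the kernel-memory counters; keys missing on older kernels count as 0."""
    return sum(snapshot.get(k, 0) for k in keys)

def accounting_gap(cg_before, cg_after, host_before, host_after):
    """Compare kernel memory growth seen by the host with growth charged to the memcg."""
    charged = kernel_bytes(cg_after, CG_KEYS) - kernel_bytes(cg_before, CG_KEYS)
    host = kernel_bytes(host_after, HOST_KEYS) - kernel_bytes(host_before, HOST_KEYS)
    unaccounted = max(host - charged, 0)
    ratio = unaccounted / host if host > 0 else 0.0
    return {"charged": charged, "host": host, "unaccounted": unaccounted, "unaccounted_ratio": ratio}

if __name__ == "__main__":
    gap = accounting_gap(parse_memory_stat(CG_BEFORE), parse_memory_stat(CG_AFTER),
                         parse_meminfo(HOST_BEFORE), parse_meminfo(HOST_AFTER))
    print(gap)
```

A ratio near 1 means the growth is invisible to the container's memory limit, which is the situation the quoted report describes; after accounting is added, the same measurement should move toward 0.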

