From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-oi1-f197.google.com (mail-oi1-f197.google.com [209.85.167.197]) by kanga.kvack.org (Postfix) with ESMTP id 9BBF06B0003 for ; Tue, 13 Nov 2018 13:18:23 -0500 (EST) Received: by mail-oi1-f197.google.com with SMTP id c2-v6so4971047oia.6 for ; Tue, 13 Nov 2018 10:18:23 -0800 (PST) Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65]) by mx.google.com with SMTPS id l134-v6sor10547664oig.109.2018.11.13.10.18.21 for (Google Transport Security); Tue, 13 Nov 2018 10:18:22 -0800 (PST) Received: from mail-oi1-f170.google.com (mail-oi1-f170.google.com. [209.85.167.170]) by smtp.gmail.com with ESMTPSA id u128-v6sm8225328oig.21.2018.11.13.10.18.19 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 13 Nov 2018 10:18:19 -0800 (PST) Received: by mail-oi1-f170.google.com with SMTP id e19-v6so11160803oii.13 for ; Tue, 13 Nov 2018 10:18:19 -0800 (PST) MIME-Version: 1.0 References: <20181113175930.3g65rlhbaimstq7g@soleen.tm1wkky2jk1uhgkn0ivaxijq1c.bx.internal.cloudapp.net> In-Reply-To: <20181113175930.3g65rlhbaimstq7g@soleen.tm1wkky2jk1uhgkn0ivaxijq1c.bx.internal.cloudapp.net> From: Timofey Titovets Date: Tue, 13 Nov 2018 21:17:42 +0300 Message-ID: Subject: Re: [PATCH V3] KSM: allow dedup all tasks memory Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: owner-linux-mm@kvack.org List-ID: To: pasha.tatashin@soleen.com Cc: oleksandr@natalenko.name, Jann Horn , linux-doc@vger.kernel.org, Linux Kernel , linux-mm@kvack.org, Matthew Wilcox =D0=B2=D1=82, 13 =D0=BD=D0=BE=D1=8F=D0=B1. 2018 =D0=B3. =D0=B2 20:59, Pavel= Tatashin : > > On 18-11-13 15:23:50, Oleksandr Natalenko wrote: > > Hi. > > > > > Yep. However, so far, it requires an application to explicitly opt in > > > to this behavior, so it's not all that bad. Your patch would remove > > > the requirement for application opt-in, which, in my opinion, makes > > > this way worse and reduces the number of applications for which this > > > is acceptable. > > > > The default is to maintain the old behaviour, so unless the explicit > > decision is made by the administrator, no extra risk is imposed. > > The new interface would be more tolerable if it honored MADV_UNMERGEABLE: > > KSM default on: merge everything except when MADV_UNMERGEABLE is > excplicitly set. > > KSM default off: merge only when MADV_MERGEABLE is set. > > The proposed change won't honor MADV_UNMERGEABLE, meaning that > application programmers won't have a way to prevent sensitive data to be > every merged. So, I think, we should keep allow an explicit opt-out > option for applications. > We just did not have VM/Madvise flag for that currently. Same as THP. Because all logic written with assumption, what we have exactly 2 states. Allow/Disallow (More like not allow). And if we try to add, that must be something like: MADV_FORBID_* to disallow something completely. And same for THP (because currently apps just refuse to start if THP enabled, because of no = way to forbid thp). Thanks. > > > > > As far as I know, basically nobody is using KSM at this point. There > > > are blog posts from several cloud providers about these security risk= s > > > that explicitly state that they're not using memory deduplication. > > > > I tend to disagree here. Based on both what my company does and what UK= SM > > users do, memory dedup is a desired option (note "option" word here, no= t the > > default choice). > > Lightweight containers is a use case for KSM: when many VMs share the > same small kernel. KSM is used in production by large cloud vendors. > > Thank you, > Pasha >