[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Re: Domgrps/SchedGrps Merge RFC: domgrps-vmm



On Feb 11, 2008, at 5:07 PM, Mike D. Day wrote:
diff -urN xen-unstable/xen/arch/powerpc/powerpc64/ hypercall_table.S xen-unstable-domgrps/xen/arch/powerpc/powerpc64/ hypercall_table.S --- xen-unstable/xen/arch/powerpc/powerpc64/hypercall_table.S 2007-08-06 17:59:54.000000000 -0400 +++ xen-unstable-domgrps/xen/arch/powerpc/powerpc64/ hypercall_table.S 2007-11-19 18:42:00.000000000 -0500
@@ -41,6 +41,7 @@
        .quad 0 /* do_hvm_op */
        .quad do_sysctl             /* 35 */
        .quad do_domctl
+        .quad do_domgrpctl
        .rept NR_hypercalls-((.-__hypercall_table)/8)
        .quad do_ni_hypercall
        .endr

Rather than creating a new hypercall, it may be best to implement all
the grouping and grouping control as part of a sub-command of the
domctrl hypercall. Then we don't need to add this extra hypercall into
the table of every platform.

Ack. There would be no functionality or flexibility lost by making group operations part of the domctl hypercall and doing so would also shave off a few LOC. The reasons I had for make domgrpctl operations a separate hypercall are now moot.

+
+    if (d->group)
+        grp = d->group;
+    else
+        grp = find_grp_by_id(NULL_GROUP_ID);
+

Wondering why we have to search for the null group. Why can't the null
group be statically initialized and then always referred to by a
pointer?

Ack. The searching for the null group is an artifact of an older design.

In fact, what is the role of the null group? I see that it is
a real domain group and it is created automatically. Also it can't be
created by a hypercall.

The purpose of the null group is to provide a means of efficiently addressing all domains that aren't explicitly in a group. Although it's a real group, it isn't intended to be used as one from a user perspective. Perhaps it would be useful for xm to display domains in the null group as "ungrouped."

All domains that do not belong to a group actually belong to the null
group. Could it also be just as easy for each domain to have an
identity group (itself), to which it belongs in the absence of any
other group membership? Or is there a specific purpose to the null
group?

The current null group implementation isn't the only way to provide an efficient means to identify ungrouped domains, so I'm open to alternatives. That said, is there a win to automatically creating a group for each domain? When needed, a group can be created for an existing domain.

The null group should not provide any privileges or otherwise induce relationships between members. The null group was intended primarily as a convenient tool for security policy analysis where it's useful to ensure the same property(ies) apply to all ungrouped domains.

+#define SERIALIZE_LINKED_LIST(op_name, list_name)              \
+    rcu_read_lock(&grp->op_name##_read_lock);                   \
+    memset(&info->op_name, 0, sizeof(domid_t)*MAX_GROUP_SIZE);  \
+    if (!list_empty(&grp->op_name)) {                           \
+        i = 0;                                                 \
+        list_for_each_entry(dom, &grp->op_name, list_name) {    \
+            info->op_name[i] = dom->domain_id;                   \
+                   i++;                                                \
+       }                                                       \
+    } else                                                     \
+       info->op_name[i] = NULL_GROUP_ID;                    \
+    rcu_read_unlock(&grp->op_name##_read_lock);

This should really be cleaned up and made into an inline function. It
also refers to a variable declared outside of the macro and parameters
(info). It's not clear what's happening inside the macro.

Ack.

+#define RM_DOM_FROM_LIST(list_name, entry)     \
+    spin_lock(&grp->list_name##_update_lock);   \
+    if (!list_empty(&grp->list_name))           \
+        list_del(&dom->entry);                  \
+    spin_unlock(&grp->list_name##_update_lock);
+

Another good candidate for inlining.

Ack.

+
+       /* skip it if dom is already a member */
+       if (dom_in_member_list(dom->domain_id, grp))
+               goto out;
+       
+       /* remove dom from old group */
+       if (dom->group != NULL)
+               del_dom_from_grp(dom);

So a domain can only belong to one group at a time. Would it ever be
useful for a domain to belong to more than one group? This type of
restriction seems to work against the idea of a general grouping
concept. For example, all domains that belong to a scheduling group
(assuming we eventually merge domgrp and schedgrp) would automatically
be removed from a scheduling group if added to any other type of
group.

I agree with Samuel; it makes sense that a domain would be removed from its schedgrp when changing its domgrp.

In addition to the aesthetic issues Samuel mentioned (domains appearing in multiple listings), domgrps intentionally disallows membership in multiple groups because of the complications it would create. Consider the following example with 3 domains and 2 groups. DomA and domB are in grpX; domB and domC are in grpY. In this scenario XSM security policy expresses two properties: (1) group members can communicate with each other and (2) there is no cross- group communication. However, from an information flow perspective grpX and grpY are effectively a single group because domB is a member of both and can be used to pass information between groups. While it is possible to detect this policy conflict, doing so loses the simplicity gains of integrating groups with security policy.

In short, allowing domains to join multiple groups creates many more problems than it solves and there are extremely few good use cases (if any) where it's a win. Contrary to popular belief, my goal is to add as little code to Xen as possible. :)

This argues for keeping different types of groups under different
grouping infrastructures unless we can figure out a way for a domain
to have multiple group memberships. It may be too complicated to do so.

To increase flexibility, I propose allowing domains to opt in to/out of schedgrps (or any other feature that is integrated with the domgrp mechanism). Can you describe a likely scenario where this extra ability doesn't meet your needs?

+int pause_grp(dgid_t dgid)
+{
+       int ret = 0;
+       struct domain *member;
+       struct domain_group *grp;
+
+       if (dgid == 0) {
+               ret = -EPERM;
+               goto out;
+       }
+
+       grp = find_grp_by_id(dgid);
+
+       if (grp == NULL) {
+               ret = -ESRCH;
+               goto out;
+       }
+
+       spin_lock_recursive(&grp->grp_big_lock);
+       rcu_read_lock(&grp->member_list_read_lock);
+       /* could ignore interupts during this loop to increase atomicity */
+       list_for_each_entry(member, &grp->member_list, member) {
+               if (member != current->domain && member->domain_id != 0)
+                       domain_pause_by_systemcontroller(member);
+       }
+       rcu_read_unlock(&grp->member_list_read_lock);
+       spin_unlock_recursive(&grp->grp_big_lock);
+      out:
+       return ret;
+}
+

Groups are paused in the order in which they are added to the group,
right? (FIFO). What do we do when we have groups which are dependant
upon each other in certain ways.

In an earlier domgrps prototype I had a means for expressing dependencies that was read in from a group configuration file and was propagated into the VMM. This allowed fine-grained dependencies to be expressed and handled at the VMM level. However, I decided to remove it from the VMM because of the complexity it added. Although there are certainly advantages to having that information in the VMM, my opinion today is that that functionality belongs in the control plane.

For example, the stub domain and HVM domain. At first glance, it seems
that you would want to pause the hvm domain before pausing its stub
domain. And then the reverse on resume: unpause the stub domain, then
unpause the hvm domain. (I could have it backward). But the point is,
group operations may have inter-domain dependencies that are not
accounted for simply by the order in which the domains are added to a
group.  This is true for pause, unpause, start, migrate, etc., on down
the line of possible group operations.

I agree. The configuration-file based approach I mentioned earlier allowed users to specify reactions to various events and error conditions to include the events you listed above. That functionality is not submitted as part of this patch, but it certainly has a place in future work.

I greatly appreciate the feedback.

-Chris

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.