On Thu, Sep 26, 2013 at 05:25:17PM +0100, George Dunlap wrote:
> On 26/09/13 13:48, Konrad Rzeszutek Wilk wrote:
> >On Thu, Sep 26, 2013 at 10:06:31AM +0100, Ian Campbell wrote:
> >>On Wed, 2013-09-25 at 16:40 -0400, Konrad Rzeszutek Wilk wrote:
> >>>When Xen 4.3 was released we had a discussion whether we should
> >>>allow the vcpu-set command to allow the user to set more than
> >>>physical CPUs for a guest (it didn't). The author brought up:
> >>>  - Xend used to do it,
> >>IMHO xend is buggy here. If it were being maintained I encourage a patch
> >>to file this particular sharp edge off.
> >>
> >>>  - If a user wants to do it, let them do it,
> >>We do, we have an option for those who know what they are doing to use
> >>in the tiny minority of cases where they need to do this.
> >>
> >>>  - The original author of the change did not realize the
> >>>    side-effect his patch caused this and had no intention of changing it.
> >>a happy accident then.
> >>
> >>>  - The user can already boot a massively overcommitted guest by
> >>>    having a large 'vcpus=' value in the guest config and we allow
> >>>    that.
> >>IMHO this is an xl bug, I'd be happy to see a patch to fix this and
> >>require and override here too.
> >I think I posted one some time ago, but I don't recall anybody
> >commenting on it. Will repost it.
> >>>Since we were close to the release we added --ignore-host parameter
> >>>as a mechanism for a user to still set more vCPUs that the physical
> >>>machine as a stop-gate.
> >>>
> >>>This patch keeps said option but neuters the check so that we
> >>>can overcommit. In other words - by default the user is
> >>>allowed to set as many vCPUs as they would like.
> >>and why would a naive user want to do this? non-naive users can use the
> >>option if this is what they really want, and are probably grateful for
> >>the catch if they didn't intend to overcommit, which is almost always
> >>even for expert users.
> >>
> >>This change need far better rationalisation than "because xend did it"
> >>and "because we can". IMHO.
> >I am going to defer to George here. His viewpoint (I am going to
> >probably mangle it up) was that - if the user wants to do, let him/her
> >do it without us putting obstacles.
> >
> >And I think Ian Jackson was ambivalent here and was deferring to George.
> So I've gone back and read the original thread, and what I actually
> said was:
> "So I think the right thing to do long-term is to make it possible
> to do in xl.  Having a "seatbelt" restriction by default that can be
> overridden would be OK with me, but I think a warning message when
> vcpus > pcpus would suffice."
> And my summary of mine and IanC's positions at the time (which IanC
> did not dispute) was:
> "We both agree that "vcpus > pcpus" is a bad configuration.  I think
> ideally we should support it (because administrators should be
> allowed to shoot themselves in the foot) and Ian[C] seems to be
> making the case that we shouldn't support it."
> IanJ, as I understood him, agreed with me that it should be *possible*.
> As IanC points out, it is possible -- you just have to add "--ignore-host".
> So given what all of us think, keeping the "seatbelt" is probably
> the best compromise. IanC is happy that a hapless user will not
> accidentally shoot his own foot, and IanJ and I are happy that a
> skilled user can shoot her own foot if she really wants to.

Excellent. Let me prep a patch with said seatbelt option.

