[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3 2/2] tools/xenstore: set open file descriptor limit for xenstored


  • To: Julien Grall <julien@xxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Tue, 31 Aug 2021 13:37:41 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=MBvN3aq+SJvErWD4ddk0gs1AEeQaeueGWymeNsTX3CI=; b=kyJPSjLnvxg9CkwVN4kwN23XmpIdrTLxauDUNbpoT0TRtBZcSrCGOe7ikIJwiheHLg9kkv8b2Sgj/C+BcFPLg6p1/F68MGugO8Cc9DtTyFOxgPcUj5UYcwGj+hn1jwDZpZ3oRH05qMo1UKuzXwIcrqEq+6Dxb+8eb7YKaY0G4FwkQiJtb9W+LVTlOKXBBfvbN++HY1z/EpI0yttmjlSRovlwGaBHQmNe+JCadQaCymzAIliTc22cRKf/sFJVy+BCgIWfQzQ65ac5J06JKYbVjX2lFj22hw8jlQKJ2iJeDzqQJeYNofbDodEBcE/68QEXcS5u7k5PSWjhJZTx3kZRzg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=G6yJp30lnT3gUfY0oT/aQiwDPFgBD6nFiX47n8OsEYRj+HDZ1uUI3+JzLnRz5m59AWSl2kr4v32I3S7i1qCkCNjEMfB7c3IGvVxhEk5WBEMtJ7812cTfJLXSb3CkJlxY4q7RVBMBhK9bAKUEyTaGW1fm7+vQCqDYSMJKBY3wYtw/YGm8o7IP7HMeWgLDB7k+smfQs4dDmSkSQxTUefXCWQWCcIeoQRuJUtBfw9uiYNNcq4n60AnWn2T6HiK7qY5CsUaDby+0bM+dkoyeS1npxUQe88Edgo7oHDGgrEwLjnXWqJKhOzPkBjqBAQOG9ZbQTEVM7XjnWm+4JK30MJc2Xg==
  • Authentication-results: esa2.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
  • Cc: <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
  • Delivery-date: Tue, 31 Aug 2021 12:37:56 +0000
  • Ironport-hdrordr: A9a23:jByUTaAzJYSiytDlHela55DYdb4zR+YMi2TDt3oddfUzSL3/qy nOpoV96faQslwssR4b9uxoVJPvfZqYz+8X3WBzB8bHYOCFgguVxehZhOOP/9SjIVydygc078 xdmsNFebjN5DZB7PoT4GODYqkdKNvsytHXuQ8JpU0dPD2DaMtbnndE4h7wKDwOeOHfb6BJaa Z14KB81kKdUEVSVOuXLF8fUdPOotXa/aiWHSLvV3YcmXKzZSrD0s+BLySl
  • Ironport-sdr: e6fnvc10pe5PxK+00A0BUpl1yxSIz4Oy1E/bPUeMhpd5tvWqWwVbHyzBqJB5Y1spN/8INIHKYm 4mddnNKszO4x5VANdkTdWE6359EMYMoLQZhaq8WueEdPzU1alfOq11PI01AMwEGK5taDPIGcvZ VGwWfqoL+dUTJaBfz0ZmNV63Zkq028yVbfVR2jPTRAnUm5wEJmyfDj1/WAqjqb/QXXZVBovzVS cAABvtgIu8lCQKXPn460sxLtC/cOudLGqEsu4B/MAy8fs7dH9ht3w+2eiEi5glvKdKRIpahG3i TPj0d/5eb/5gdlzD1LyreU7G
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 31/08/2021 13:30, Julien Grall wrote:
> Hi Juergen,
>
> On 31/08/2021 13:11, Juergen Gross wrote:
>> On 30.07.21 19:14, Julien Grall wrote:
>>> Hi Ian,
>>>
>>> On 30/07/2021 14:35, Ian Jackson wrote:
>>>> Juergen Gross writes ("[PATCH v3 2/2] tools/xenstore: set open file
>>>> descriptor limit for xenstored"):
>>>>> Add a configuration item for the maximum number of domains xenstored
>>>>> should support and set the limit of open file descriptors
>>>>> accordingly.
>>>>>
>>>>> For HVM domains there are up to 5 socket connections per domain (2 by
>>>>> the xl daemon process, and 3 by qemu). So set the ulimit for
>>>>> xenstored
>>>>> to 5 * XENSTORED_MAX_DOMAINS + 100 (the "+ 100" is for some headroom,
>>>>> like logging, event channel device, etc.).
>>>> ...
>>>>> +## Type: integer
>>>>> +## Default: 32768
>>>>> +#
>>>>> +# Select maximum number of domains supported by xenstored.
>>>>> +# Only evaluated if XENSTORETYPE is "daemon".
>>>>> +#XENSTORED_MAX_N_DOMAINS=32768
>>>>
>>>> I approve of doing something about the fd limit.  I have some qualms
>>>> about the documentation.
>>>>
>>>> The documentation doesn't say what happens if this limit is exceeded.
>>>> Also the default of 32758 suggests that we actually support that many
>>>> domains.  I don't think we do...
>>>>
>>>> I didn't find anything in SUPPORT.md about how many guests we support
>>>> but I wouldn't want this setting here to imply full support for 32768
>>>> domains.
>>>>
>>>> If you don't want to tackle this can of works, maybe add this:
>>>>
>>>>    # This just controls some resource limits for xenstored; if the
>>>>    # limit is exceeded, xenstored will stop being able to function
>>>>    # properly for additional guests.  The default value is so large
>>>>    # that it won't be exceeded in a supported configuration, but
>>>>    # should not be taken to mean that the whole Xen system is
>>>>    # guaranteed to work properly with that many guests.
>>>>
>>>> Julien, did you ask for this to be made configurable ?  Having written
>>>> the text above, I wonder if it wouldn't just be better to
>>>> unconditionally set it to "unlimited" rather than offering footgun
>>>> dressed up like a tuneable...
>>>
>>> So in v1 (see [1]), Juergen wanted to raise the limit. I assumed
>>> this meant that the default limit (configured by the system may not
>>> be enough).
>>>
>>> I felt this was wrong to impose an higher limit on everyone when an
>>> admin may know the maximum number of domains.
>>>
>>> By "unlimited", do you mean the calling "ulimit" (or whatever is
>>> used for configuring FDs) with unlimited?
>>>
>>> If so, I would be OK with that. My main was was to move the raising
>>> the limit outside Xenstored because:
>>>   1) This is easier for an admin to tweak it (in particular the OOM)
>>>   2) It feels wrong to me that the daemon chose the limits
>>>   3) An admin can enforce it
>>
>> Coming back to this series, I'm puzzled now.
>>
>> Julien, you didn't want me to raise the limit to a specific number
>> covering the maximum possible number of domains, because you thought
>> this might result in xenstored hogging huge numbers of file descriptors
>> in case of a bug. Why is unlimited better then? This will make the
>> possible number even larger.
>
> I don't think I suggested the unlimited number is better... My main
> objection in your original approach is you set an arbitrary limit you
> in Xenstored (which may not apply at all) and don't offer a way to the
> admin to tweak it.
>
> If the limit is set outside of Xenstored, then it becomes much easier
> for someone to just tweak the init script. I don't have a strong
> opinion on whether the default limit should be "unlimited" or a fixed
> number.

xenstored is TCB.  It needs a large number of FDs, and can be trusted
with unlimited.

Also, like xenconsoled, we can calculate an upper bound, which is
derived from the ABI limit of 32k domids.

All you're haggling over is the error semantics in the case of:
1) the upper bound calculation is wrong, or
2) there is an fd leak

Personally, I think a fixed calculation is right, so fd leaks can be
spotted more obviously.

An admin knob is not helpful - higher than the upper bound is just
wasteful, while lower will cause malfunctions.

~Andrew




 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.