| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 8 Jul 2020 16:11:01 +0000
From: Salil Mehta <salil.mehta@...wei.com>
To: James Morse <james.morse@....com>
CC: "linux-arm-kernel@...ts.infradead.org"
<linux-arm-kernel@...ts.infradead.org>,
"maz@...nel.org" <maz@...nel.org>,
"will@...nel.org" <will@...nel.org>,
"catalin.marinas@....com" <catalin.marinas@....com>,
"christoffer.dall@....com" <christoffer.dall@....com>,
"andre.przywara@....com" <andre.przywara@....com>,
"mark.rutland@....com" <mark.rutland@....com>,
"lorenzo.pieralisi@....com" <lorenzo.pieralisi@....com>,
"sudeep.holla@....com" <sudeep.holla@....com>,
"qemu-arm@...gnu.org" <qemu-arm@...gnu.org>,
"peter.maydell@...aro.org" <peter.maydell@...aro.org>,
"richard.henderson@...aro.org" <richard.henderson@...aro.org>,
"imammedo@...hat.com" <imammedo@...hat.com>,
"mst@...hat.com" <mst@...hat.com>,
"drjones@...hat.com" <drjones@...hat.com>,
"pbonzini@...hat.com" <pbonzini@...hat.com>,
"eric.auger@...hat.com" <eric.auger@...hat.com>,
"gshan@...hat.com" <gshan@...hat.com>,
"david@...hat.com" <david@...hat.com>,
"kvm@...r.kernel.org" <kvm@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Linuxarm <linuxarm@...wei.com>,
"mehta.salil.lnk@...il.com" <mehta.salil.lnk@...il.com>
Subject: RE: [PATCH RFC 0/4] Changes to Support *Virtual* CPU Hotplug for
ARM64
Hi James,
Thanks for taking time to respond. Please find my replies inline
Thanks
> From: James Morse [mailto:james.morse@....com]
> Sent: Wednesday, July 8, 2020 1:30 PM
> To: Salil Mehta <salil.mehta@...wei.com>
>
> Hi Salil,
>
> On 07/07/2020 10:52, Salil Mehta wrote:
> >> From: Salil Mehta
>
>
> Disambiguation: by cpu-hotplug here, you don't mean
> CONFIG_HOTPLUG_CPU backed by PSCI, which is commonly what we mean in the arm
> world. You
> mean: package hot-add. A bunch of CPUs (and maybe more) that weren't present
> at boot have
> turned up.
Exactly, and hence the terminology of the possible, present and disabled comes
from there.
Present : which are present at boot time of the guest and were presented as
'ENABLED'(set in the flag) in the ACPI MADT Table cpu interface entry
by QEMU
Disabled : which were not-present at boot time of the guest and were presented
as 'DISABLED'(not set in the flag) in the ACPI MADT Table cpu interface
entry by QEMU
Possible : (Present + Disabled)
This series is meant to support infrastructure to hot-(un)plug of virtual cpus
at QEMU level. It does not assumes any Hardware cpu hotplug support present at
the host machine rather it is an attempt to make virtual cpu hotplug support
fairly independent of the hardware.
> >> Changes to support virtual cpu hotplug in QEMU[1] have been introduced to the
> >> community as RFC. These are under review.
> >>
> >> To support virtual cpu hotplug guest kernel must:
>
> Surely number 1 is: know its a virtual machine, and that whatever needs
> doing/describing
> on a real machine, doesn't need doing or describing here...
>
> We add support for virtual machines after support for the physical machine. Is
> anyone building hardware that supports this?
Do we really care about it if we could make virtual layer independent of the
Hardware by pre-sizing the resources(vcpus, GIC etc.) at QEMU level? :)
AFAIK, right now there is *no* known real benefit of the physical cpu hotplug
except for some of the cases which are really hard to solve *physically* and
perhaps require more comprehensive system architecture defined, like
1. Scalable servers, where cards could be purchased to add resources and compute
on demand. This might be useful for small to medium enterprises who would
like to start with something small but would want to scale up in time as their
business grows. You would want to keep some resources closely coupled because
of 'N' reasons
2. Die/SoC Hotplug, similar to above but more granular. This could be used for
saving power as well.
Again any of above looks to be a far-fetched idea right now.
But there are definite benefits and use-cases(as described in QEMU patches) to
support *virtual* cpu hotplug. Plus, we need to keep the way we support hotplug
consistent with x86. Yes, there are some inherent differences between APIC of x86
and GIC of ARM but those workaround are in the QEMU and the guest kernel is
agnostic about them and so is the host kernel. Why not let virtualizer deal
with this?
BTW, if you are aware of any physical cpu hotplug implementations then please
do let us know.
> We can assume some will exist during the lifetime of a stable-kernel. The
> stable-kernel
> will claim to support this, but in reality it will crash and burn in exciting
> ways.
> (e.g. parts of the interrupt controller in the hot-added package would need
> configuring.
> We'd either lock up during boot when we try, but its not there ... or not do
> it when the
> package is added because we assumed this was a VM)
Sure, but right now we are not even aware of the physical cpu hotplug requirements
(and look to be far-fetched) but *virtual* cpu hotplug requirement are very clear.
As far as I can tell, the changes being presented are non-intrusive to the host
and guest kernel but if there are any aspects of the patches which make you feel
otherwise then please do clarify objectively that it will make our life easier.
As such, broadly 2 types of changes are being presented in the patch:
1. Arch specific
a. Reshuffling of the code where and how the present/disabled cpus are being
counted and their corresponding mask set.
b. Their cpu operations
2. Generic ACPI CPU hotplug hooks which lands in arch specific code. These must
be implemented in any case.
Changes in 1a. and 1b.(part of patches 01/04, 02/04, 03/04) are mere reshuffling
to be frank. And rest changes in 2. are the hooks being called by hotplug
specific framework.
> I don't think linux can support this for virtual machines until it works for
> real machines
> too. We don't have a reliable way of determining we are running in a VM.
x86 supports both physical and vcpu hotplug. And I could not see any code for
x86 cpu hotplug support inside kernel which assumes this. Neither does this code
under review.
IMHO, the changes should be such that we should not require that distinction.
This patch-set has changes which are quite generic.
> This at least needs the ACPI spec updating to describe what work the OS has to
> do when a
> package comes online, and what it can't touch until then.
> I don't think this work would happen without someone building such a system.
Fair enough, I understand this point. But do you think this reason is good
enough to block a *real* use case (which is in demand because it helps the
business part) for the one which might actually never happen? :)
Not having *virtual* cpu hotplug feature support does impacts use cases of
the business and the deployment. And when you could see x86 has a wonderful way
to realize those use-cases but ARM cannot support it just because its system
architecture does not supports it. It means we are deadlocked?
Although I do understand your point and that we need more thought on this
part as well but it is important that we match the x86 server features and
above deadlock is blocking the real useful cases which are being demanded by
customers. They don’t want to get away from the look-and-feel of the x86 in
terms of the way they are used and configured but actually want to use ARM
servers.
> >> 1. Identify disabled/present vcpus and set/unset the present mask of the vcpu
> >> during initialization and hotplug event. It must also set the possible mask
> >> (which includes disabled vcpus) during init of guest kernel.
> >> 2. Provide architecture specific ACPI hooks, for example to map/unmap the
> >> logical cpuid to hwids/MPIDR. Linux kernel already has generic ACPI cpu
> >> hotplug framework support.
>
> >> Changes introduced in this patch-set also ensures that initialization of the
> >> cpus when virtual cpu hotplug is not supported remains un-affected.
>
> But on a platform with physical cpu hotplug, really-bad-things will happen.
Ok. But then if we have physical hotplug support then we will *exactly* know
how it is different than the x86 in terms of using the generic ACPI cpu hotplug
framework and also in terms of any changes which might require at the architecture
specific code than the ones which have been suggested here. Can't we deal that
grey not so clear part later?
> There is no description here of what problem you are trying to solve. I don't
> believe 'cpu hotlpug' is an end in itself.
>
> ~
>
> Aha, its in the qemu cover letter:
> | This allows scaling the guest VM compute capacity on-demand which would be
> | useful for the following example scenarios,
> | 1. Vertical Pod Autoscaling[3][4] in the cloud: Part of the orchestration
> | framework which could adjust resource requests (CPU and Mem requests) for
> | the containers in a pod, based on usage.
> |2. Pay-as-you-grow Business Model: Infrastructure provider could allocate and
> | restrict the total number of compute resources available to the guest VM
> | according to the SLA(Service Level Agreement). VM owner could request for
> | more compute to be hot-plugged for some cost.
>
> Controlling CPU time makes perfect sense. But doesn't cgroup already do exactly
> this?
I am not sure I clearly understood what you mean by 'cpu time' here?
But few points:
1. We cannot achieve 2. by any way if you don’t have actual support of cpu hotplug.
User wants x86 kind of infrastructure where his existing framework or scripts
for Libvirt etc could work even with ARM platforms.
2. We want to push admin of vcpu and its resource allocation down to the layer
where it should belong i.e. QEMU and not the guest itself. There could be cases
when user would not want even admin to enter his VM and use guest command line
to configure the machine. And using a privileged mode of the guest to restrict
the user himself to perform the same operation from his command line is
inherently insecure and not an ideal solution.
> If a VM is restricted to 1xCPU of cpu-time, it can online as many vcpu as it
> likes, its
> not going to get more than 1xCPU of cpu-time.
Forgive me, if I am missing something terribly simple here but could you please
clarify more. I am not able to catch what you mean here by cpu-time?
> I understand that this is how kubernetes reconfigures a VM on x86, but I'm fairly
> sure x86
> had physical cpu hotplug before, so the firmware/OS responsibilities were well
> understood.
On the last part, yes physical cpu hotplug is supported in x86 but if you see the
QEMU code, clearly the only difference is the Local APIC which is per vcpu and can
be deferred realized till the time the vcpu is hotplugged. This is the key difference
with ARM GIC which requires its redistributors and CPU interfaces all to be present
and realized at the time of GIC init time. We solve this problem by pre-sizing the
vgic with the possible vcpus at QEMU.
>
>
> I think this series creates a support nightmare for the future.
Could you be more specific please in pointing in the patches which part or assumption
Is objectionable?
> This has come up before:
> https://lore.kernel.org/kvmarm/82879258-46a7-a6e9-ee54-fc3692c1cdc3@arm.com
> /
Yes, we are aware of that. Please check the Reference [2] of this patch-set I have
mentioned that discussion. This patch-set has changed the implementation and is
now working with different set of QEMU changes based upon Marc's suggestions.
So both QEMU and kernel part has been re-written in the past 6 months.
Link: https://lists.cs.columbia.edu/pipermail/kvmarm/2018-July/032316.html
Thanks,
Salil
> Thanks,
>
> James
>
>
> >> Repository:
> >> (*) Kernel changes are at,
> >> https://github.com/salil-mehta/linux.git virt-cpuhp-arm64/rfc-v1
> >> (*) QEMU changes for vcpu hotplug could be cloned from below site,
> >> https://github.com/salil-mehta/qemu.git virt-cpuhp-armv8/rfc-v1
> >>
> >>
> >> THINGS TO DO:
> >> 1. Handling of per-cpu variables especially the first-chunk allocations
> >> (which are NUMA aware) when the vcpu is hotplugged needs further attention
> >> and review.
> >> 2. NUMA related stuff has not been fully tested both in QEMU and kernel.
> >> 3. Comprehensive Testing including when cpu hotplug is not supported.
> >> 4. Docs
> >>
> >> DISCLAIMER:
> >> This is not a complete work but an effort to present the arm vcpu hotplug
> >> implementation to the community. This RFC is being used as a way to verify
> >> the idea mentioned above and to support changes presented for QEMU[1] to
> >> support vcpu hotplug. As of now this is *not* a production level code and
> might
> >> have bugs. Only a basic testing has been done on HiSilicon Kunpeng920 ARM64
> >> based SoC for Servers to verify the proof-of-concept that has been found
> working!
> >>
> >> Best regards
> >> Salil.
> >>
> >> REFERENCES:
> >> [1] https://www.mail-archive.com/qemu-devel@nongnu.org/msg712010.html
> >> [2] https://lkml.org/lkml/2019/6/28/1157
> >> [3] https://lists.cs.columbia.edu/pipermail/kvmarm/2018-July/032316.html
> >>
> >> Organization of Patches:
> >> [Patch 1-3]
> >> (*) Changes required during guest boot time to support vcpu hotplug
> >> (*) Max cpu overflow checks
> >> (*) Changes required to pre-setup cpu-operations even for disabled cpus
> >> [Patch 4]
> >> (*) Arch changes required by guest kernel ACPI CPU Hotplug framework.
> >>
> >>
> >> Salil Mehta (4):
> >> arm64: kernel: Handle disabled[(+)present] cpus in MADT/GICC during
> >> init
> >> arm64: kernel: Bound the total(present+disabled) cpus with nr_cpu_ids
> >> arm64: kernel: Init cpu operations for all possible vcpus
> >> arm64: kernel: Arch specific ACPI hooks(like logical cpuid<->hwid
> >> etc.)
> >>
> >> arch/arm64/kernel/smp.c | 153 ++++++++++++++++++++++++++++++++--------
> >> 1 file changed, 123 insertions(+), 30 deletions(-)
> >>
> >> --
> >> 2.17.1
> >>
> >
Powered by blists - more mailing lists