Received: by 10.192.165.148 with SMTP id m20csp1152310imm; Thu, 10 May 2018 06:30:37 -0700 (PDT) X-Google-Smtp-Source: AB8JxZq6SfrbUyJ2050ldkCoB96Lie/wcC4jDKnimmopFurFaC6AQyzPk119Vq/5kji1eP8N+UHB X-Received: by 2002:a63:ab45:: with SMTP id k5-v6mr1124272pgp.199.1525959037295; Thu, 10 May 2018 06:30:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525959037; cv=none; d=google.com; s=arc-20160816; b=HL0DilILG/K3Be/RtO1fDWAMduLPhiPFsGvobTdNkE1i6g1uGDQs5lzu6rtjwPeFh0 c1WsRCkb0q62l8uVNg+phr1LmF4DYLTvert+Qrb1jXO+EWC1WyCGWFWR4RXEKY4q2aAW I/v4WtAjYU/4SLr+Pa7lZLD3wZv6ZWm0LA1/wmb2AzVWZbP51MU9VdIOipOkTSjRTQ2X Wv4OOpMpmD7SwdMLa8bAF9HlZsewdxxOr2QARy/VgPYTd//FuK5tPX+lXrC/QhyYb2RX SgpKYz78FX2kYdwmnzL/mOVmLmVQ0QD/rUME71vzonH83l0rSvdxHLMPA4PxYca76qZH OekQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=ii3wcjuBZpEOM5L69rpMCUU5wrao2srV0c2ffCMs30A=; b=CDKd1O9o+dA+Kk6kPg+AWZKCqDZyadLxqSdOjd6um6Aa3ExOZOY17LVC4np/q+9zm1 ZhKSfi+3OBu0QM97S1eVE724yoc6dtXNVgzEC9fQ66vJX8xSz0HV0HLcONXzFQcWOLXM m4vxIKCVit4NRbywbdOfAo5YJBOvhAFZUrMRVotpSf7FRjLWCg6dKGiXJDRwoziAz3eY qWKfYbfpVeml3Xv8my9dIYBdnj2KqqOvul5bqp0lQzSdMGYt5ZX+bpTwAMimKh3xiek9 IUA9mt/OgrXJBU/EZjmMV6C2wI3F2njtVAZmKQphc7jN9vb3g9t77mlupZgdhCodTf39 Xe0g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z33-v6si774714plb.380.2018.05.10.06.30.21; Thu, 10 May 2018 06:30:37 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S935509AbeEJNaH (ORCPT + 99 others); Thu, 10 May 2018 09:30:07 -0400 Received: from mx2.suse.de ([195.135.220.15]:45083 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S935285AbeEJNaF (ORCPT ); Thu, 10 May 2018 09:30:05 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (charybdis-ext.suse.de [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 8404EADA5; Thu, 10 May 2018 13:30:04 +0000 (UTC) Date: Thu, 10 May 2018 15:30:03 +0200 From: Michal Hocko To: Roman Gushchin Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-team@fb.com, Johannes Weiner , Vladimir Davydov , Tejun Heo Subject: Re: [PATCH v3 1/2] mm: introduce memory.min Message-ID: <20180510133003.GH5325@dhcp22.suse.cz> References: <20180503114358.7952-1-guro@fb.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180503114358.7952-1-guro@fb.com> User-Agent: Mutt/1.9.5 (2018-04-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu 03-05-18 12:43:57, Roman Gushchin wrote: > Memory controller implements the memory.low best-effort memory > protection mechanism, which works perfectly in many cases and > allows protecting working sets of important workloads from > sudden reclaim. > > But its semantics has a significant limitation: it works > only as long as there is a supply of reclaimable memory. > This makes it pretty useless against any sort of slow memory > leaks or memory usage increases. This is especially true > for swapless systems. If swap is enabled, memory soft protection > effectively postpones problems, allowing a leaking application > to fill all swap area, which makes no sense. > The only effective way to guarantee the memory protection > in this case is to invoke the OOM killer. > > It's possible to handle this case in userspace by reacting > on MEMCG_LOW events; but there is still a place for a fail-safe > in-kernel mechanism to provide stronger guarantees. > > This patch introduces the memory.min interface for cgroup v2 > memory controller. It works very similarly to memory.low > (sharing the same hierarchical behavior), except that it's > not disabled if there is no more reclaimable memory in the system. Originally I was pushing for the hard guarantee before we landed with the best effort one. The assumption back then was that properly configured systems shouldn't see problems IIRC. It is not entirely clear to me what is the role of the low limit wrt. leaking application from the above description TBH. I presume you have a process without any low&hard limit which leaks and basically breaks the low limit expectation because of the lack of reclaimable memory and our memcg_low_reclaim fallback. If that is the case then the hard limit should indeed protect the respective memcg from reclaim. But what is the actuall guarantee? We can reclaim that memory by the OOM killer, because there is no protection from killing a memcg under the min limit. So what is the actual semantic? Also how is an admin supposed to configure those limits? low limit doesn't reall protect in some cases so why should it be used at all? I see how min matches max and low matches high, so there is a nice symmetry but aren't we adding additional complexity to the API? Isn't the real problem that the other guy (leaking application) doesn't have any cap? Please note I haven't looked at the implementation yet but I would like to make sure I understand the whole concept first. -- Michal Hocko SUSE Labs