Received: by 2002:a05:6a10:9afc:0:0:0:0 with SMTP id t28csp4097959pxm; Tue, 1 Mar 2022 11:09:59 -0800 (PST) X-Google-Smtp-Source: ABdhPJyx1ElfbpO1sxyxAX2dymrq92CQNpDa2ba+qQoze88MleXQ3cyRo8zaa/L++dQEi3KermBT X-Received: by 2002:a17:906:fd7:b0:6d6:e276:e6a5 with SMTP id c23-20020a1709060fd700b006d6e276e6a5mr4329156ejk.545.1646161799530; Tue, 01 Mar 2022 11:09:59 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1646161799; cv=none; d=google.com; s=arc-20160816; b=oHJ9jjnOEQbcSSqcIVb8nPZqNAg6yKW1gdW1iw56nKHbzN8RG0qU3k8lEJv6Qx3UYD 4F/wNAgWRydTUbbpHb/+eOsSg175hqrp/+n5gA8fpZOzzPRQB0nGBVYZ3OOGNKaaWW5Z a09vHxUOXcGOZmCeAfBGX5Z7Mk98L0FneUFU2jYGshDmyhtc53Ygeme/1mLdHg7X2LI+ DBOAJzR1ekkyI5/APik+5ZecggyFdMBlJZ+KfKyv2wzT/tT/2dSUT0ztkhfVBV/SD+Gj xUl663he5kY6QYip90Ow2QgqP7AXWd4w+lrEDz5gaOvHWho9mVgZ+N/0XBs+2edqvjfL wWbg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:references:mime-version :message-id:in-reply-to:date:dkim-signature; bh=c0dbKsIdJk+qHikmULBiKTfiJVqKnwC4QHGDZyjez5c=; b=TaqpByEQqjhIPGQCDMcxNaeJNWYVWi3ARRGZpwqP011maGDFYvWoyUMhA1WLdP52yX q+3O7G8lIp1RLDBivPbJuJwIbcXSwK0lD+EU7BZ+l/KgzcURbASx4tBLpwpesi230K/r g3SVhGc1sdwIBmzof+1s+neU9h6Bz14Gy/EjscM2utQiVfy5hkt/gQdaT7Viyot5Elhf LnSduCouxW1cyTAna5Gc4pVRfqIMOSGBgEgygf0I8+7HncbbwSVb8ou8o/PpqY41q8Dj 8oXGxLfvPfz+incjhhOKdkD/XxNe73VOUeSXp/qIxT9wld88Dt/RI4vvpWRg8PE8EPse c2JA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=c0CY58qw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id ky20-20020a170907779400b006cf9cdc2a35si8061815ejc.479.2022.03.01.11.09.34; Tue, 01 Mar 2022 11:09:59 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=c0CY58qw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236762AbiCASKG (ORCPT + 99 others); Tue, 1 Mar 2022 13:10:06 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60266 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232297AbiCASKD (ORCPT ); Tue, 1 Mar 2022 13:10:03 -0500 Received: from mail-pf1-x449.google.com (mail-pf1-x449.google.com [IPv6:2607:f8b0:4864:20::449]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 13D4A45501 for ; Tue, 1 Mar 2022 10:09:21 -0800 (PST) Received: by mail-pf1-x449.google.com with SMTP id n135-20020a628f8d000000b004e16d5bdcdbso10216638pfd.20 for ; Tue, 01 Mar 2022 10:09:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=c0dbKsIdJk+qHikmULBiKTfiJVqKnwC4QHGDZyjez5c=; b=c0CY58qwtC+TXIekm9RwFv9mu85r2tPUGknQ7lP4mK62Dv4iMMRx2WwvSmym01I/rt x4a6ZJclsNaz5N4C9aAN1fTg3nik/jMjRCN73yPx/fcUzal7hJfreK83kZc1NY0MZB8d EVJ5QjIoD9KxKwfsA+8JKkej0did5a3WXbLWwN8dsYyndAwDQx6OXWDTJHo5LnA6Vgxu IQjaqRQeuuKMxfjT0X9hu5QyWkWFwifmszCxuDSnaYBgYLDf8fhU2Ip32/r41UnVH3Su cAjn4su1Pwdt+j2mgeQqJOJ/z9T8D8s/rO0Ku6ZgWJjzH3C60V6N8sBqCdpXtVzALVJh JN5Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=c0dbKsIdJk+qHikmULBiKTfiJVqKnwC4QHGDZyjez5c=; b=lmPa8hpl/i5dtx9TUo+XfyotH37LUUDJlkpCvDXOWyfSJQEMpghA7eo/i1KKTFiAps fajrnd8/kyGCrG/iZ9IYFNhs65TfUYDBkTa3bkNuY++C+cULAlkpEpZL8LcY9hhaor6i tco/+m7p2QXwPPnozQZjFI5BZJPlQfpvIaCaelvvFHD/gxh/L1dRa/LKnzIRXW0m9GTu 7Ql3DA+AsWFkhhbzMhTlEamjaAiltruFl7NpZNIJeGINkB4HENS0KQ286EsJtvzkjGQW yjAJJQoIz9frjzopECVq/KKpDZ5xnbAz79z4bCaAPXXeaEKpOW4Bp/DSJMdpiOLdrCre xSqw== X-Gm-Message-State: AOAM531BoC93tcjleD5r64j387KB0C+l4/ZOI6ifApdwGjRIShqOFmI7 EsACmh0IJtv+lURB6rbehjfyy8zoVcAirg== X-Received: from shakeelb.svl.corp.google.com ([2620:15c:2cd:202:6e75:6cb3:9d81:deae]) (user=shakeelb job=sendgmr) by 2002:a17:902:860a:b0:14b:341e:5ffb with SMTP id f10-20020a170902860a00b0014b341e5ffbmr26428871plo.6.1646158160480; Tue, 01 Mar 2022 10:09:20 -0800 (PST) Date: Tue, 1 Mar 2022 10:09:17 -0800 In-Reply-To: Message-Id: <20220301180917.tkibx7zpcz2faoxy@google.com> Mime-Version: 1.0 References: Subject: Re: [PATCH RFC] net: memcg accounting for veth devices From: Shakeel Butt To: Luis Chamberlain Cc: Vasily Averin , "Eric W. Biederman" , Vlastimil Babka , NeilBrown , Michal Hocko , Roman Gushchin , Linux MM , netdev@vger.kernel.org, "David S. Miller" , Jakub Kicinski , Tejun Heo , Greg Kroah-Hartman , Eric Dumazet , Kees Cook , Hideaki YOSHIFUJI , David Ahern , linux-kernel@vger.kernel.org, kernel@openvz.org Content-Type: text/plain; charset="UTF-8"; format=flowed; delsp=yes X-Spam-Status: No, score=-10.1 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Feb 28, 2022 at 06:36:58AM -0800, Luis Chamberlain wrote: > On Mon, Feb 28, 2022 at 10:17:16AM +0300, Vasily Averin wrote: > > Following one-liner running inside memcg-limited container consumes > > huge number of host memory and can trigger global OOM. > > > > for i in `seq 1 xxx` ; do ip l a v$i type veth peer name vp$i ; done > > > > Patch accounts most part of these allocations and can protect host. > > ---[cut]--- > > It is not polished, and perhaps should be splitted. > > obviously it affects other kind of netdevices too. > > Unfortunately I'm not sure that I will have enough time to handle it > properly > > and decided to publish current patch version as is. > > OpenVz workaround it by using per-container limit for number of > > available netdevices, but upstream does not have any kind of > > per-container configuration. > > ------ > Should this just be a new ucount limit on kernel/ucount.c and have veth > use something like inc_ucount(current_user_ns(), current_euid(), > UCOUNT_VETH)? > This might be abusing ucounts though, not sure, Eric? For admins of systems running multiple workloads, there is no easy way to set such limits for each workload. Some may genuinely need more veth than others. From admin's perspective it is preferred to have minimal knobs to set and if these objects are charged to memcg then the memcg limits would limit them. There was similar situation for inotify instances where fs sysctl inotify/max_user_instances already limits the inotify instances but we memcg charged them to not worry about setting such limits. See ac7b79fd190b ("inotify, memcg: account inotify instances to kmemcg").