Date: Tue, 10 May 2022 19:51:21 -0700
From: Roman Gushchin
To: Vasily Averin
Cc: Shakeel Butt, kernel@openvz.org, Florian Westphal, linux-kernel@vger.kernel.org, Vlastimil Babka, Michal Hocko, cgroups@vger.kernel.org, netdev@vger.kernel.org, "David S. Miller", Jakub Kicinski, Paolo Abeni, Luis Chamberlain, Kees Cook, Iurii Zaikin, linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH memcg v2] memcg: accounting for objects allocated for new netdevice

On Mon, May 02, 2022 at 03:15:51PM +0300, Vasily Averin wrote:
> Creating a new netdevice allocates at least ~50Kb of memory for various
> kernel objects, but only ~5Kb of them are accounted to memcg. As a result,
> creating an unlimited number of netdevice inside a memcg-limited container
> does not fall within memcg restrictions, consumes a significant part
> of the host's memory, can cause global OOM and lead to random kills of
> host processes.
>
> The main consumers of non-accounted memory are:
>  ~10Kb  80+ kernfs nodes
>  ~6Kb   ipv6_add_dev() allocations
>   6Kb   __register_sysctl_table() allocations
>   4Kb   neigh_sysctl_register() allocations
>   4Kb   __devinet_sysctl_register() allocations
>   4Kb   __addrconf_sysctl_register() allocations
>
> Accounting of these objects allows to increase the share of memcg-related
> memory up to 60-70% (~38Kb accounted vs ~54Kb total for dummy netdevice
> on typical VM with default Fedora 35 kernel) and this should be enough
> to somehow protect the host from misuse inside container.
>
> Other related objects are quite small and may not be taken into account
> to minimize the expected performance degradation.
>
> It should be separately mentioned ~300 bytes of percpu allocation
> of struct ipstats_mib in snmp6_alloc_dev(), on huge multi-cpu nodes
> it can become the main consumer of memory.
>
> This patch does not enable kernfs accounting as it affects
> other parts of the kernel and should be discussed separately.
> However, even without kernfs, this patch significantly improves the
> current situation and allows to take into account more than half
> of all netdevice allocations.
>
> Signed-off-by: Vasily Averin
> ---
> v2: 1) kernfs accounting moved into separate patch, suggested by
>     Shakeel and mkoutny@.
>     2) in ipv6_add_dev() changed original "sizeof(struct inet6_dev)"
>     to "sizeof(*ndev)", according to checkpath.pl recommendation:
>       CHECK: Prefer kzalloc(sizeof(*ndev)...) over kzalloc(sizeof
>         (struct inet6_dev)...)

It seems it's a bit too late, but just for the record:

Acked-by: Roman Gushchin

Thanks!