summaryrefslogtreecommitdiff
path: root/open_issues/trust_the_behavior_of_translators.mdwn
diff options
context:
space:
mode:
Diffstat (limited to 'open_issues/trust_the_behavior_of_translators.mdwn')
-rw-r--r--open_issues/trust_the_behavior_of_translators.mdwn181
1 files changed, 0 insertions, 181 deletions
diff --git a/open_issues/trust_the_behavior_of_translators.mdwn b/open_issues/trust_the_behavior_of_translators.mdwn
deleted file mode 100644
index 454c638b..00000000
--- a/open_issues/trust_the_behavior_of_translators.mdwn
+++ /dev/null
@@ -1,181 +0,0 @@
-[[!meta copyright="Copyright © 2012 Free Software Foundation, Inc."]]
-
-[[!meta license="""[[!toggle id="license" text="GFDL 1.2+"]][[!toggleable
-id="license" text="Permission is granted to copy, distribute and/or modify this
-document under the terms of the GNU Free Documentation License, Version 1.2 or
-any later version published by the Free Software Foundation; with no Invariant
-Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license
-is included in the section entitled [[GNU Free Documentation
-License|/fdl]]."]]"""]]
-
-[[!tag open_issue_hurd]]
-
-Apart from the issue of [[translators_set_up_by_untrusted_users]], here is
-another problem described.
-
-
-# IRC, freenode, #hurd, 2012-02-17
-
-(Preceded by the [[memory_object_model_vs_block-level_cache]] discussion.)
-
- <slpz> what should do Mach with a translator that doesn't clean pages in a
- reasonable amount of time?
- <slpz> (I'm talking about pages flushed to a pager by the pageout daemon)
- <braunr> slpz: i don't know what it should do, but currently, it uses the
- default pager
-
-[[default_pager]].
-
- <slpz> braunr: I know, but I was thinking about an alternative, for the
- case in which a translator in not behaving properly
- <slpz> perhaps freeing the page, removing the map, and letting it die in a
- segmentation fault could be an option
- <braunr> slpz: what if the translator can't do it properly because of
- system resource exhaustion ?
- <braunr> (i.e. it doesn't have enough cpu time)
- <slpz> braunr: that's the biggest question
- <slpz> let's suppose that Mach selects a page, sends it to the pager for
- cleaning it up, reinjects the page into the active queue, and later it
- founds the page again and it's still dirty
- <slpz> but it needs to free some pages because memory it's really, really
- scarce
- <slpz> Linux just sits there waiting for I/O completion for that page
- (trusts its own drivers)
- <slpz> but we could be dealing with rogue translator...
- <braunr> yes
- <braunr> we may need some sort of "authentication" mechanism for pagers
- <braunr> so that "system pagers" are trusted and others not
- <braunr> using something like the device master port but for pagers
- <braunr> a special port passed to trusted pagers only
- <slpz> hum... that could be used to workaround the untrusted translator
- crossing problem while walking a directory tree
-
-[[translators_set_up_by_untrusted_users]].
-
- <slpz> but I think differentiating between trusted and untrusted
- translators was rejected for philosophical reasons
- <slpz> (but I'm not sure)
- <mcsim> slpz: probably there should be something like oom killer?
- <mcsim> braunr: even if translator is trusted it could have a bug which
- make it ask more and more memory, so system have something to do with
- it. Also, this way TCB is increased, so providing port for trusted
- translators may hurt security.
- <mcsim> I've read that Genode has "guarded allocators" which help resource
- accounting by limiting of memory that could be used. Probably something
- like this could be used in Hurd to limit translators.
- <antrik> I don't remember how Viengoos deals with this :-(
-
-[[microkernel/Viengoos]].
-
- <braunr> mcsim: the main feature lacking in mach is resource accounting :p
-
-[[resource_management_problems]].
-
- <slpz> mcsim: yes, I think there should be a Hurdish oom killer, paying
- special attention to external pagers
-
-[[microkernel/mach/external_pager_mechanism]].
-
- <braunr> the oom killer selects untrusted processes by definition (since
- pagers are in kernel)
- <mcsim> slpz: and what is better: oom killer or resource accounting?
- <mcsim> Under resource accounting I mean mechanism when process can't get
- more resources than it is allowed.
- <braunr> resource accounting of course
- <braunr> but it's not just about that
- <braunr> really, how does the kernel deal when a pager refuses to honor a
- paging request ?
- <braunr> whether it is buggy or malicious
- <braunr> is it really possible to keep all pagers out of the TCB ?
- <antrik> mcsim: we definitely want proper resource accounting in the long
- run. the question is how to deal with the situation that resources are
- reallocated to other tasks, so some pages have to be freed
- <antrik> I really don't remember how Neal proposed to deal with this
- <slpz> mcsim: Better: resource accounting (in which resources are accounted
- to the user tasks which are requesting them, as in the Viengoos
- model). Good enough an realistic: oom killer
- <antrik> I'm not sure an OOM killer for non-system pagers is terribly
- helpful. in typical use, the vast majority of paging is done by trusted
- pagers...
- <antrik> and without proper client resource accounting, there are enough
- other ways a rogue/broken process can eat system resources -- I'm not
- convinced that untrusted pagers have a major impact on the overall
- situation
- <mcsim> If pager can't free resources because of lack, for example, of cpu
- time it's priority could be increased to give it second chance to free
- the page. But if it doesn't manage to free resources it could be killed.
- <antrik> I think the current approach with default pager taking over is
- good enough for dealing with untrusted pagers. the real problem are even
- trusted pager frequently failing to deal with the requests
- <braunr> i agree with antrik
- <braunr> and i'm opposed to an oom killer
- <braunr> it's really not a proper fix for our problems
- <braunr> mcsim: what if needs 3 attempts before succeeding ?
- <braunr> +it
- <braunr> and increasing priority without a good reason (e.g. no priority
- inversion) leads to unfairness
- <braunr> we don't want to deal with tricky problems like malicious pagers
- using that to starve other tasks
- <mcsim> braunr: this is just temporary decision (for example for half of
- second of user time), to increase probability that task was killed not
- because of it lacked resources.
- <braunr> mcsim: tunables should only affect the efficiency of an operation,
- not its success
-
-
-## IRC, freenode, #hurd, 2012-02-19
-
- <antrik> neal: the specific question is how to ensure processes free memory
- fast enough when their allocation becomes lower due to resource pressure
- <neal> antrik: you can't really.
- <neal> antrik: the memory manager can act on the application's behalf if
- the application marks pages as discardable or pagable.
- <neal> antrik: if the memory manager makes an upcall to the application to
- free some memory and it doesn't, you have to penalize it.
- <neal> antrik: You shouldn't the process like exokernel
- <neal> antrik: It's the developers fault, not the user's
- <neal> antrik: What you need are controls that ensure that the user stays
- in control
- <neal> ...shouldn't *kill* the process...
- <antrik> neal: well, how can I penalize a process that eats to much
- physical memory?
- <neal> in the future, you don't give it as much slack memory
- <antrik> marking as pagable means a system pager will push them to the swap
- partition?
- <antrik> ah, OK
- <neal> yes
- <neal> and you page it more aggressively, i.e., you don't give it a chance
- to free memory
- <neal> The situation is:
- <neal> you have memory pressure
- <neal> you choose a victim process and ask it to free memory
- <neal> now, you need to wait
- <neal> if you wait and it doesn't free memory, you give it bad karma
- <neal> if you wait and it frees memory, you're good
- <neal> but during that window, a bad process can delay recovery
- <neal> so, in the future, we give bad processes less time
- <neal> but, we still send a message asking it to free memory
- <neal> we just hope it was a bug
- <antrik> so the major difference to the approach we have in Mach is that
- instead of just redeclaring some pages as anonymous memory that will be
- paged to swap by the default pager eventually if the pager in question
- fails to handle them properly, we wait some time for the process to free
- (any) memory, and only then start paging out some of it's pages to swap
- <neal> there's also discardable memory
- <antrik> hm... there is some notion of "precious" pages in Mach... I wonder
- whether that is also used to decide about discarding pages instead of
- pushing them to swap?
- <neal> antrik: A precious page is ro data that shouldn't be dropped
- <antrik> ah
- <antrik> but I guess that means non-precious RO data (such as a cache) can
- be dropped without asking the pager, right?
- <neal> yes
- <antrik> I wonder whether such a karma system can be introduced in Mach as
- well to deal with problematic pagers
-
-
-## IRC, freenode, #hurd, 2012-02-21
-
- <neal> antrik: One of the main differences between Mach and Viengoos is
- that in Mach servers are responsible for managing memory whereas in
- Viengoos applications are primarily responsible for managing memory.