[[!meta copyright="Copyright © 2008, 2009, 2010, 2013, 2024 Free Software Foundation, Inc."]] [[!meta license="""[[!toggle id="license" text="GFDL 1.2+"]][[!toggleable id="license" text="Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled [[GNU Free Documentation License|/fdl]]."]]"""]] [[!tag open_issue_gnumach open_issue_hurd open_issue_viengoos]] [[microkernel/Mach]] interfaces do not allow for proper resource accounting, when a server allocates resources on behalf of a client. Mach can't do a good job at resource management, as it doesn't have enough information how resources are used: which data is important and which is discardable, for example. This is the fundamental failing of the Mach/Hurd architecture. The Hurd operates via many server to client relationships, in which servers request resources on behalf of their clients. For example at any given time, `extfs` could have many different clients (emacs, vim, git etc.) requesting data, creating files, deleting files, re-naming files, etc. Suppose one rogue client out of 50 is continually requesting increasingly more memory, which is exhasting the machine's resources. As far as Mach knows, `ext2fs` is wasting RAM. It doesn't know that one `ext2fs`' client program is at fault. There is no way for Mach to fix this, since it should not kill `ext2fs`, and it cannot know which `ext2fs` client to kill. This server/client architecture is a problem that exists elsewhere. A good example is `X`. Firefox might allocate a lot of pixmaps, which causes `X` to use more memory. Linux actually used to kill X, because of this several years ago. This problem is much worse on a multiserver system, because we have many server/client relationships. A simple fix that would limit these issues is to introduce fixed limits on various kinds of resource usage. A proper fix requires a way to attribute all resource usage to the clients -- either by avoiding server-side allocation or by keeping track of who is requesting resources. Both of these changes requires lots of changes to low-level code. These issues are what Neal Walfield explored with his kernel: [[microkernel/viengoos]]. # Kernel Inside the [[kernel]], there is commonly a need to allocate resources according to externally induced demand, dynamically. For example, for memory-management data structures (page tables), process table entries, thread control blocks, [[capability]] tables, incoming network packages, blocks that are read in from disk, the keyboard type-ahead buffer for a in-kernel keyboard driver. Some of these are due to actions driven by user-space requests, others are due to actions internal to the the kernel itself. Some of these buffers can be sized statically (keyboard type-ahead buffer), and are thus unproblematic. Others are not, and should thus be attributed to their user space entities. In the latter (ideal) case, all resources -- that is, including those needed inside the kernel -- that a user space task needs for execution are provided by itself (and, in turn, provided by its parent / principal), and the kernel itself does not need to allocate any resources dynamically out of an its own memory pool. This avoids issues like [[microkernel/Mach]]'s [[zalloc_panics]] upon user space processes allocating too many [[microkernel/mach/port]]s, for example. [[!toggleable id=fof_plos09 text="""[[!template id=note text="*[[fof\_plos09|microkernel/barrelfish]]*: {{$microkernel/barrelfish#fof_plos09}}"]]"""]] [[!toggleable id=sel4 text="""[[!template id=note text="[[*sel4*|microkernel/l4]]: {{$microkernel/l4#sel4}}"]]"""]] In [[!toggle id=fof_plos09 text="[fof\_plos09]"]], the authors describe in section 3 how they model their [[capability]] system according to [[!toggle id=sel4 text="[sel4]"]] using a *retype* operation that *takes an existing capability and produces one or more derived capabilities [...] used to create new kernel-level memory objects (such as page tables or execution contexts) from capabilities to raw regions of RAM*. This is, of course, non-trivial to implement, and also requires changing the [[RPC]] interfaces, for example, but it is a valid approach, a research topic. ([[!taglink open_issue_documentation]]: compare this to Linux [`vmsplice`'s SPLICE_F_GIFT flag](http://www.kernel.org/doc/man-pages/online/pages/man2/vmsplice.2.html#DESCRIPTION).) ## IRC, freenode, #hurd, 2011-07-31 < braunr> one of the biggest problems on the hurd is that, when a client makes a call, kernel (and other) resources are allocated on behalf of the server performaing the requested action < braunr> performing* < braunr> this makes implementing scheduling and limits difficult < CTKArcher> And could changing the kernel change anything to that ? < braunr> yes but you'd probably need to change its interface as well < braunr> iirc, the critique describes resource containers < braunr> but no work has been done on the current hurd (hence the hurdng attempts) ## IRC, freenode, #hurd, 2013-08-13 In context of . teythoon: actually, thread migration isn't required for resource accounting [[Mach_migrating_threads]]. braunr: but it solves it for free, doesn't it? teythoon: no it's really more complicated than that # Further Examples * [[hurd/critique]] * [[IO_accounting]] * [[translators_set_up_by_untrusted_users]], and [[pagers]] * [[configure_max_command_line_length]] ## [[hurd/translator/exec]] server ### IRC, freenode, #hurd, 2013-08-05 unzipping stuff in the exec server enables a dos on filesystem translators https://teythoon.cryptobitch.de/gsoc/heap/hello-1g.bz2 is /hurd/hello padded with a gig of zeros, compressed with bzip2 if set as an passive translator, it stalls other requests to the filesystem, at least it does if ext2fs is used teythoon: ? teythoon: what's the dos here ? I can prevent you from doing anything with the root filesystem I'm kind of surprised myself, maybe a lock is held during the exec of the translator? the filesystem the hello-1g.bz2 translator is bound to is affected teythoon: i don't understand have you tried starting something from another file system ? the lock may simply be in the exec server itself no, starting other things works fine but on the other hand, a find / is stalled :/ *sigh* don't worry there is a solution :p :) and it only requires deleting code