| Message ID | 20231112073424.4216-1-laoar.shao@gmail.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | mm, security, bpf: Fine-grained control over memory policy adjustments with lsm bpf | expand |
On 11/11/2023 11:34 PM, Yafang Shao wrote: > Background > ========== > > In our containerized environment, we've identified unexpected OOM events > where the OOM-killer terminates tasks despite having ample free memory. > This anomaly is traced back to tasks within a container using mbind(2) to > bind memory to a specific NUMA node. When the allocated memory on this node > is exhausted, the OOM-killer, prioritizing tasks based on oom_score, > indiscriminately kills tasks. This becomes more critical with guaranteed > tasks (oom_score_adj: -998) aggravating the issue. Is there some reason why you can't fix the callers of mbind(2)? This looks like an user space configuration error rather than a system security issue. > > The selected victim might not have allocated memory on the same NUMA node, > rendering the killing ineffective. This patch aims to address this by > disabling MPOL_BIND in container environments. > > In the container environment, our aim is to consolidate memory resource > control under the management of kubelet. If users express a preference for > binding their memory to a specific NUMA node, we encourage the adoption of > a standardized approach. Specifically, we recommend configuring this memory > policy through kubelet using cpuset.mems in the cpuset controller, rather > than individual users setting it autonomously. This centralized approach > ensures that NUMA nodes are globally managed through kubelet, promoting > consistency and facilitating streamlined administration of memory resources > across the entire containerized environment. Changing system behavior for a single use case doesn't seem prudent. You're introducing a bunch of kernel code to avoid fixing a broken user space configuration. > > Proposed Solutions > ================= > > - Introduce Capability to Disable MPOL_BIND > Currently, any task can perform MPOL_BIND without specific capabilities. > Enforcing CAP_SYS_RESOURCE or CAP_SYS_NICE could be an option, but this > may have unintended consequences. Capabilities, being broad, might grant > unnecessary privileges. We should explore alternatives to prevent > unexpected side effects. > > - Use LSM BPF to Disable MPOL_BIND > Introduce LSM hooks for syscalls such as mbind(2), set_mempolicy(2), and > set_mempolicy_home_node(2) to disable MPOL_BIND. This approach is more > flexibility and allows for fine-grained control without unintended > consequences. A sample LSM BPF program is included, demonstrating > practical implementation in a production environment. > > Future Considerations > ===================== > > In addition, there's room for enhancement in the OOM-killer for cases > involving CONSTRAINT_MEMORY_POLICY. It would be more beneficial to > prioritize selecting a victim that has allocated memory on the same NUMA > node. My exploration on the lore led me to a proposal[0] related to this > matter, although consensus seems elusive at this point. Nevertheless, > delving into this specific topic is beyond the scope of the current > patchset. > > [0]. https://lore.kernel.org/lkml/20220512044634.63586-1-ligang.bdlg@bytedance.com/ > > Yafang Shao (4): > mm, security: Add lsm hook for mbind(2) > mm, security: Add lsm hook for set_mempolicy(2) > mm, security: Add lsm hook for set_mempolicy_home_node(2) > selftests/bpf: Add selftests for mbind(2) with lsm prog > > include/linux/lsm_hook_defs.h | 8 +++ > include/linux/security.h | 26 +++++++ > mm/mempolicy.c | 13 ++++ > security/security.c | 19 ++++++ > tools/testing/selftests/bpf/prog_tests/mempolicy.c | 79 ++++++++++++++++++++++ > tools/testing/selftests/bpf/progs/test_mempolicy.c | 29 ++++++++ > 6 files changed, 174 insertions(+) > create mode 100644 tools/testing/selftests/bpf/prog_tests/mempolicy.c > create mode 100644 tools/testing/selftests/bpf/progs/test_mempolicy.c >
On Sun, Nov 12, 2023 at 2:35 AM Yafang Shao <laoar.shao@gmail.com> wrote: > > Background > ========== > > In our containerized environment, we've identified unexpected OOM events > where the OOM-killer terminates tasks despite having ample free memory. > This anomaly is traced back to tasks within a container using mbind(2) to > bind memory to a specific NUMA node. When the allocated memory on this node > is exhausted, the OOM-killer, prioritizing tasks based on oom_score, > indiscriminately kills tasks. This becomes more critical with guaranteed > tasks (oom_score_adj: -998) aggravating the issue. > > The selected victim might not have allocated memory on the same NUMA node, > rendering the killing ineffective. This patch aims to address this by > disabling MPOL_BIND in container environments. > > In the container environment, our aim is to consolidate memory resource > control under the management of kubelet. If users express a preference for > binding their memory to a specific NUMA node, we encourage the adoption of > a standardized approach. Specifically, we recommend configuring this memory > policy through kubelet using cpuset.mems in the cpuset controller, rather > than individual users setting it autonomously. This centralized approach > ensures that NUMA nodes are globally managed through kubelet, promoting > consistency and facilitating streamlined administration of memory resources > across the entire containerized environment. > > Proposed Solutions > ================= > > - Introduce Capability to Disable MPOL_BIND > Currently, any task can perform MPOL_BIND without specific capabilities. > Enforcing CAP_SYS_RESOURCE or CAP_SYS_NICE could be an option, but this > may have unintended consequences. Capabilities, being broad, might grant > unnecessary privileges. We should explore alternatives to prevent > unexpected side effects. > > - Use LSM BPF to Disable MPOL_BIND > Introduce LSM hooks for syscalls such as mbind(2), set_mempolicy(2), and > set_mempolicy_home_node(2) to disable MPOL_BIND. This approach is more > flexibility and allows for fine-grained control without unintended > consequences. A sample LSM BPF program is included, demonstrating > practical implementation in a production environment. Without looking at the patchset in any detail yet, I wanted to point out that we do have some documented guidelines for adding new LSM hooks: https://github.com/LinuxSecurityModule/kernel/blob/main/README.md#new-lsm-hook-guidelines I just learned that there are provisions for adding this to the MAINTAINERS file, I'll be doing that shortly. My apologies for not having it in there sooner. > Future Considerations > ===================== > > In addition, there's room for enhancement in the OOM-killer for cases > involving CONSTRAINT_MEMORY_POLICY. It would be more beneficial to > prioritize selecting a victim that has allocated memory on the same NUMA > node. My exploration on the lore led me to a proposal[0] related to this > matter, although consensus seems elusive at this point. Nevertheless, > delving into this specific topic is beyond the scope of the current > patchset. > > [0]. https://lore.kernel.org/lkml/20220512044634.63586-1-ligang.bdlg@bytedance.com/
On Mon, Nov 13, 2023 at 12:45 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > > On 11/11/2023 11:34 PM, Yafang Shao wrote: > > Background > > ========== > > > > In our containerized environment, we've identified unexpected OOM events > > where the OOM-killer terminates tasks despite having ample free memory. > > This anomaly is traced back to tasks within a container using mbind(2) to > > bind memory to a specific NUMA node. When the allocated memory on this node > > is exhausted, the OOM-killer, prioritizing tasks based on oom_score, > > indiscriminately kills tasks. This becomes more critical with guaranteed > > tasks (oom_score_adj: -998) aggravating the issue. > > Is there some reason why you can't fix the callers of mbind(2)? > This looks like an user space configuration error rather than a > system security issue. It appears my initial description may have caused confusion. In this scenario, the caller is an unprivileged user lacking any capabilities. While a privileged user, such as root, experiencing this issue might indicate a user space configuration error, the concerning aspect is the potential for an unprivileged user to disrupt the system easily. If this is perceived as a misconfiguration, the question arises: What is the correct configuration to prevent an unprivileged user from utilizing mbind(2)?" > > > > > The selected victim might not have allocated memory on the same NUMA node, > > rendering the killing ineffective. This patch aims to address this by > > disabling MPOL_BIND in container environments. > > > > In the container environment, our aim is to consolidate memory resource > > control under the management of kubelet. If users express a preference for > > binding their memory to a specific NUMA node, we encourage the adoption of > > a standardized approach. Specifically, we recommend configuring this memory > > policy through kubelet using cpuset.mems in the cpuset controller, rather > > than individual users setting it autonomously. This centralized approach > > ensures that NUMA nodes are globally managed through kubelet, promoting > > consistency and facilitating streamlined administration of memory resources > > across the entire containerized environment. > > Changing system behavior for a single use case doesn't seem prudent. > You're introducing a bunch of kernel code to avoid fixing a broken > user space configuration. Currently, there is no mechanism in place to proactively prevent an unprivileged user from utilizing mbind(2). The approach adopted is to monitor mbind(2) through a BPF program and trigger an alert if its usage is detected. However, beyond this monitoring, the only recourse is to verbally communicate with the user, advising against the use of mbind(2). As a result, users will question why mbind(2) isn't outright prohibited in the first place.
On Mon, Nov 13, 2023 at 4:32 AM Paul Moore <paul@paul-moore.com> wrote: > > On Sun, Nov 12, 2023 at 2:35 AM Yafang Shao <laoar.shao@gmail.com> wrote: > > > > Background > > ========== > > > > In our containerized environment, we've identified unexpected OOM events > > where the OOM-killer terminates tasks despite having ample free memory. > > This anomaly is traced back to tasks within a container using mbind(2) to > > bind memory to a specific NUMA node. When the allocated memory on this node > > is exhausted, the OOM-killer, prioritizing tasks based on oom_score, > > indiscriminately kills tasks. This becomes more critical with guaranteed > > tasks (oom_score_adj: -998) aggravating the issue. > > > > The selected victim might not have allocated memory on the same NUMA node, > > rendering the killing ineffective. This patch aims to address this by > > disabling MPOL_BIND in container environments. > > > > In the container environment, our aim is to consolidate memory resource > > control under the management of kubelet. If users express a preference for > > binding their memory to a specific NUMA node, we encourage the adoption of > > a standardized approach. Specifically, we recommend configuring this memory > > policy through kubelet using cpuset.mems in the cpuset controller, rather > > than individual users setting it autonomously. This centralized approach > > ensures that NUMA nodes are globally managed through kubelet, promoting > > consistency and facilitating streamlined administration of memory resources > > across the entire containerized environment. > > > > Proposed Solutions > > ================= > > > > - Introduce Capability to Disable MPOL_BIND > > Currently, any task can perform MPOL_BIND without specific capabilities. > > Enforcing CAP_SYS_RESOURCE or CAP_SYS_NICE could be an option, but this > > may have unintended consequences. Capabilities, being broad, might grant > > unnecessary privileges. We should explore alternatives to prevent > > unexpected side effects. > > > > - Use LSM BPF to Disable MPOL_BIND > > Introduce LSM hooks for syscalls such as mbind(2), set_mempolicy(2), and > > set_mempolicy_home_node(2) to disable MPOL_BIND. This approach is more > > flexibility and allows for fine-grained control without unintended > > consequences. A sample LSM BPF program is included, demonstrating > > practical implementation in a production environment. > > Without looking at the patchset in any detail yet, I wanted to point > out that we do have some documented guidelines for adding new LSM > hooks: > > https://github.com/LinuxSecurityModule/kernel/blob/main/README.md#new-lsm-hook-guidelines > > I just learned that there are provisions for adding this to the > MAINTAINERS file, I'll be doing that shortly. My apologies for not > having it in there sooner. Thanks for your information. I will learn it carefully.
On Mon, Nov 13, 2023 at 4:17 AM Yafang Shao <laoar.shao@gmail.com> wrote: > > On Mon, Nov 13, 2023 at 12:45 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > > > > On 11/11/2023 11:34 PM, Yafang Shao wrote: > > > Background > > > ========== > > > > > > In our containerized environment, we've identified unexpected OOM events > > > where the OOM-killer terminates tasks despite having ample free memory. > > > This anomaly is traced back to tasks within a container using mbind(2) to > > > bind memory to a specific NUMA node. When the allocated memory on this node > > > is exhausted, the OOM-killer, prioritizing tasks based on oom_score, > > > indiscriminately kills tasks. This becomes more critical with guaranteed > > > tasks (oom_score_adj: -998) aggravating the issue. > > > > Is there some reason why you can't fix the callers of mbind(2)? > > This looks like an user space configuration error rather than a > > system security issue. > > It appears my initial description may have caused confusion. In this > scenario, the caller is an unprivileged user lacking any capabilities. > While a privileged user, such as root, experiencing this issue might > indicate a user space configuration error, the concerning aspect is > the potential for an unprivileged user to disrupt the system easily. > If this is perceived as a misconfiguration, the question arises: What > is the correct configuration to prevent an unprivileged user from > utilizing mbind(2)?" > > > > > > > > > The selected victim might not have allocated memory on the same NUMA node, > > > rendering the killing ineffective. This patch aims to address this by > > > disabling MPOL_BIND in container environments. > > > > > > In the container environment, our aim is to consolidate memory resource > > > control under the management of kubelet. If users express a preference for > > > binding their memory to a specific NUMA node, we encourage the adoption of > > > a standardized approach. Specifically, we recommend configuring this memory > > > policy through kubelet using cpuset.mems in the cpuset controller, rather > > > than individual users setting it autonomously. This centralized approach > > > ensures that NUMA nodes are globally managed through kubelet, promoting > > > consistency and facilitating streamlined administration of memory resources > > > across the entire containerized environment. > > > > Changing system behavior for a single use case doesn't seem prudent. > > You're introducing a bunch of kernel code to avoid fixing a broken > > user space configuration. > > Currently, there is no mechanism in place to proactively prevent an > unprivileged user from utilizing mbind(2). The approach adopted is to > monitor mbind(2) through a BPF program and trigger an alert if its > usage is detected. However, beyond this monitoring, the only recourse > is to verbally communicate with the user, advising against the use of > mbind(2). As a result, users will question why mbind(2) isn't outright > prohibited in the first place. Is there a reason why you can't use syscall filtering via seccomp(2)? AFAIK, all the mainstream container tooling already has support for specifying seccomp filters for containers.
On 11/13/2023 12:50 AM, Ondrej Mosnacek wrote: > On Mon, Nov 13, 2023 at 4:17 AM Yafang Shao <laoar.shao@gmail.com> wrote: >> On Mon, Nov 13, 2023 at 12:45 AM Casey Schaufler <casey@schaufler-ca.com> wrote: >>> On 11/11/2023 11:34 PM, Yafang Shao wrote: >>>> Background >>>> ========== >>>> >>>> In our containerized environment, we've identified unexpected OOM events >>>> where the OOM-killer terminates tasks despite having ample free memory. >>>> This anomaly is traced back to tasks within a container using mbind(2) to >>>> bind memory to a specific NUMA node. When the allocated memory on this node >>>> is exhausted, the OOM-killer, prioritizing tasks based on oom_score, >>>> indiscriminately kills tasks. This becomes more critical with guaranteed >>>> tasks (oom_score_adj: -998) aggravating the issue. >>> Is there some reason why you can't fix the callers of mbind(2)? >>> This looks like an user space configuration error rather than a >>> system security issue. >> It appears my initial description may have caused confusion. In this >> scenario, the caller is an unprivileged user lacking any capabilities. >> While a privileged user, such as root, experiencing this issue might >> indicate a user space configuration error, the concerning aspect is >> the potential for an unprivileged user to disrupt the system easily. >> If this is perceived as a misconfiguration, the question arises: What >> is the correct configuration to prevent an unprivileged user from >> utilizing mbind(2)?" >> >>>> The selected victim might not have allocated memory on the same NUMA node, >>>> rendering the killing ineffective. This patch aims to address this by >>>> disabling MPOL_BIND in container environments. >>>> >>>> In the container environment, our aim is to consolidate memory resource >>>> control under the management of kubelet. If users express a preference for >>>> binding their memory to a specific NUMA node, we encourage the adoption of >>>> a standardized approach. Specifically, we recommend configuring this memory >>>> policy through kubelet using cpuset.mems in the cpuset controller, rather >>>> than individual users setting it autonomously. This centralized approach >>>> ensures that NUMA nodes are globally managed through kubelet, promoting >>>> consistency and facilitating streamlined administration of memory resources >>>> across the entire containerized environment. >>> Changing system behavior for a single use case doesn't seem prudent. >>> You're introducing a bunch of kernel code to avoid fixing a broken >>> user space configuration. >> Currently, there is no mechanism in place to proactively prevent an >> unprivileged user from utilizing mbind(2). The approach adopted is to >> monitor mbind(2) through a BPF program and trigger an alert if its >> usage is detected. However, beyond this monitoring, the only recourse >> is to verbally communicate with the user, advising against the use of >> mbind(2). As a result, users will question why mbind(2) isn't outright >> prohibited in the first place. > Is there a reason why you can't use syscall filtering via seccomp(2)? > AFAIK, all the mainstream container tooling already has support for > specifying seccomp filters for containers. That looks like a practical solution from here.
On Mon, Nov 13, 2023 at 4:50 PM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > On Mon, Nov 13, 2023 at 4:17 AM Yafang Shao <laoar.shao@gmail.com> wrote: > > > > On Mon, Nov 13, 2023 at 12:45 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > > > > > > On 11/11/2023 11:34 PM, Yafang Shao wrote: > > > > Background > > > > ========== > > > > > > > > In our containerized environment, we've identified unexpected OOM events > > > > where the OOM-killer terminates tasks despite having ample free memory. > > > > This anomaly is traced back to tasks within a container using mbind(2) to > > > > bind memory to a specific NUMA node. When the allocated memory on this node > > > > is exhausted, the OOM-killer, prioritizing tasks based on oom_score, > > > > indiscriminately kills tasks. This becomes more critical with guaranteed > > > > tasks (oom_score_adj: -998) aggravating the issue. > > > > > > Is there some reason why you can't fix the callers of mbind(2)? > > > This looks like an user space configuration error rather than a > > > system security issue. > > > > It appears my initial description may have caused confusion. In this > > scenario, the caller is an unprivileged user lacking any capabilities. > > While a privileged user, such as root, experiencing this issue might > > indicate a user space configuration error, the concerning aspect is > > the potential for an unprivileged user to disrupt the system easily. > > If this is perceived as a misconfiguration, the question arises: What > > is the correct configuration to prevent an unprivileged user from > > utilizing mbind(2)?" > > > > > > > > > > > > > The selected victim might not have allocated memory on the same NUMA node, > > > > rendering the killing ineffective. This patch aims to address this by > > > > disabling MPOL_BIND in container environments. > > > > > > > > In the container environment, our aim is to consolidate memory resource > > > > control under the management of kubelet. If users express a preference for > > > > binding their memory to a specific NUMA node, we encourage the adoption of > > > > a standardized approach. Specifically, we recommend configuring this memory > > > > policy through kubelet using cpuset.mems in the cpuset controller, rather > > > > than individual users setting it autonomously. This centralized approach > > > > ensures that NUMA nodes are globally managed through kubelet, promoting > > > > consistency and facilitating streamlined administration of memory resources > > > > across the entire containerized environment. > > > > > > Changing system behavior for a single use case doesn't seem prudent. > > > You're introducing a bunch of kernel code to avoid fixing a broken > > > user space configuration. > > > > Currently, there is no mechanism in place to proactively prevent an > > unprivileged user from utilizing mbind(2). The approach adopted is to > > monitor mbind(2) through a BPF program and trigger an alert if its > > usage is detected. However, beyond this monitoring, the only recourse > > is to verbally communicate with the user, advising against the use of > > mbind(2). As a result, users will question why mbind(2) isn't outright > > prohibited in the first place. > > Is there a reason why you can't use syscall filtering via seccomp(2)? > AFAIK, all the mainstream container tooling already has support for > specifying seccomp filters for containers. seccomp is relatively heavyweight, making it less suitable for enabling in our production environment. In contrast, LSM offer a more lightweight and flexible alternative. Moreover, the act of binding to a specific NUMA node appears akin to a privileged operation, warranting the consideration of a dedicated LSM hook.
On Mon 13-11-23 11:15:06, Yafang Shao wrote: > On Mon, Nov 13, 2023 at 12:45 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > > > > On 11/11/2023 11:34 PM, Yafang Shao wrote: > > > Background > > > ========== > > > > > > In our containerized environment, we've identified unexpected OOM events > > > where the OOM-killer terminates tasks despite having ample free memory. > > > This anomaly is traced back to tasks within a container using mbind(2) to > > > bind memory to a specific NUMA node. When the allocated memory on this node > > > is exhausted, the OOM-killer, prioritizing tasks based on oom_score, > > > indiscriminately kills tasks. This becomes more critical with guaranteed > > > tasks (oom_score_adj: -998) aggravating the issue. > > > > Is there some reason why you can't fix the callers of mbind(2)? > > This looks like an user space configuration error rather than a > > system security issue. > > It appears my initial description may have caused confusion. In this > scenario, the caller is an unprivileged user lacking any capabilities. > While a privileged user, such as root, experiencing this issue might > indicate a user space configuration error, the concerning aspect is > the potential for an unprivileged user to disrupt the system easily. > If this is perceived as a misconfiguration, the question arises: What > is the correct configuration to prevent an unprivileged user from > utilizing mbind(2)?" How is this any different than a non NUMA (mbind) situation? You can still have an unprivileged user to allocate just until the OOM triggers and disrupt other workload consuming more memory. Sure the mempolicy based OOM is less precise and it might select a victim with only a small consumption on a target NUMA node but fundamentally the situation is very similar. I do not think disallowing mbind specifically is solving a real problem.
On Tue, Nov 14, 2023 at 6:15 PM Michal Hocko <mhocko@suse.com> wrote: > > On Mon 13-11-23 11:15:06, Yafang Shao wrote: > > On Mon, Nov 13, 2023 at 12:45 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > > > > > > On 11/11/2023 11:34 PM, Yafang Shao wrote: > > > > Background > > > > ========== > > > > > > > > In our containerized environment, we've identified unexpected OOM events > > > > where the OOM-killer terminates tasks despite having ample free memory. > > > > This anomaly is traced back to tasks within a container using mbind(2) to > > > > bind memory to a specific NUMA node. When the allocated memory on this node > > > > is exhausted, the OOM-killer, prioritizing tasks based on oom_score, > > > > indiscriminately kills tasks. This becomes more critical with guaranteed > > > > tasks (oom_score_adj: -998) aggravating the issue. > > > > > > Is there some reason why you can't fix the callers of mbind(2)? > > > This looks like an user space configuration error rather than a > > > system security issue. > > > > It appears my initial description may have caused confusion. In this > > scenario, the caller is an unprivileged user lacking any capabilities. > > While a privileged user, such as root, experiencing this issue might > > indicate a user space configuration error, the concerning aspect is > > the potential for an unprivileged user to disrupt the system easily. > > If this is perceived as a misconfiguration, the question arises: What > > is the correct configuration to prevent an unprivileged user from > > utilizing mbind(2)?" > > How is this any different than a non NUMA (mbind) situation? In a UMA system, each gigabyte of memory carries the same cost. Conversely, in a NUMA architecture, opting to confine processes within a specific NUMA node incurs additional costs. In the worst-case scenario, if all containers opt to bind their memory exclusively to specific nodes, it will result in significant memory wastage. > You can > still have an unprivileged user to allocate just until the OOM triggers > and disrupt other workload consuming more memory. Sure the mempolicy > based OOM is less precise and it might select a victim with only a small > consumption on a target NUMA node but fundamentally the situation is > very similar. I do not think disallowing mbind specifically is solving a > real problem. How would you recommend addressing this more effectively?
On 11/14/2023 3:59 AM, Yafang Shao wrote: > On Tue, Nov 14, 2023 at 6:15 PM Michal Hocko <mhocko@suse.com> wrote: >> On Mon 13-11-23 11:15:06, Yafang Shao wrote: >>> On Mon, Nov 13, 2023 at 12:45 AM Casey Schaufler <casey@schaufler-ca.com> wrote: >>>> On 11/11/2023 11:34 PM, Yafang Shao wrote: >>>>> Background >>>>> ========== >>>>> >>>>> In our containerized environment, we've identified unexpected OOM events >>>>> where the OOM-killer terminates tasks despite having ample free memory. >>>>> This anomaly is traced back to tasks within a container using mbind(2) to >>>>> bind memory to a specific NUMA node. When the allocated memory on this node >>>>> is exhausted, the OOM-killer, prioritizing tasks based on oom_score, >>>>> indiscriminately kills tasks. This becomes more critical with guaranteed >>>>> tasks (oom_score_adj: -998) aggravating the issue. >>>> Is there some reason why you can't fix the callers of mbind(2)? >>>> This looks like an user space configuration error rather than a >>>> system security issue. >>> It appears my initial description may have caused confusion. In this >>> scenario, the caller is an unprivileged user lacking any capabilities. >>> While a privileged user, such as root, experiencing this issue might >>> indicate a user space configuration error, the concerning aspect is >>> the potential for an unprivileged user to disrupt the system easily. >>> If this is perceived as a misconfiguration, the question arises: What >>> is the correct configuration to prevent an unprivileged user from >>> utilizing mbind(2)?" >> How is this any different than a non NUMA (mbind) situation? > In a UMA system, each gigabyte of memory carries the same cost. > Conversely, in a NUMA architecture, opting to confine processes within > a specific NUMA node incurs additional costs. In the worst-case > scenario, if all containers opt to bind their memory exclusively to > specific nodes, it will result in significant memory wastage. That still sounds like you've misconfigured your containers such that they expect to get more memory than is available, and that they have more control over it than they really do. >> You can >> still have an unprivileged user to allocate just until the OOM triggers >> and disrupt other workload consuming more memory. Sure the mempolicy >> based OOM is less precise and it might select a victim with only a small >> consumption on a target NUMA node but fundamentally the situation is >> very similar. I do not think disallowing mbind specifically is solving a >> real problem. > How would you recommend addressing this more effectively? >
On Wed, Nov 15, 2023 at 12:58 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > > On 11/14/2023 3:59 AM, Yafang Shao wrote: > > On Tue, Nov 14, 2023 at 6:15 PM Michal Hocko <mhocko@suse.com> wrote: > >> On Mon 13-11-23 11:15:06, Yafang Shao wrote: > >>> On Mon, Nov 13, 2023 at 12:45 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > >>>> On 11/11/2023 11:34 PM, Yafang Shao wrote: > >>>>> Background > >>>>> ========== > >>>>> > >>>>> In our containerized environment, we've identified unexpected OOM events > >>>>> where the OOM-killer terminates tasks despite having ample free memory. > >>>>> This anomaly is traced back to tasks within a container using mbind(2) to > >>>>> bind memory to a specific NUMA node. When the allocated memory on this node > >>>>> is exhausted, the OOM-killer, prioritizing tasks based on oom_score, > >>>>> indiscriminately kills tasks. This becomes more critical with guaranteed > >>>>> tasks (oom_score_adj: -998) aggravating the issue. > >>>> Is there some reason why you can't fix the callers of mbind(2)? > >>>> This looks like an user space configuration error rather than a > >>>> system security issue. > >>> It appears my initial description may have caused confusion. In this > >>> scenario, the caller is an unprivileged user lacking any capabilities. > >>> While a privileged user, such as root, experiencing this issue might > >>> indicate a user space configuration error, the concerning aspect is > >>> the potential for an unprivileged user to disrupt the system easily. > >>> If this is perceived as a misconfiguration, the question arises: What > >>> is the correct configuration to prevent an unprivileged user from > >>> utilizing mbind(2)?" > >> How is this any different than a non NUMA (mbind) situation? > > In a UMA system, each gigabyte of memory carries the same cost. > > Conversely, in a NUMA architecture, opting to confine processes within > > a specific NUMA node incurs additional costs. In the worst-case > > scenario, if all containers opt to bind their memory exclusively to > > specific nodes, it will result in significant memory wastage. > > That still sounds like you've misconfigured your containers such > that they expect to get more memory than is available, and that > they have more control over it than they really do. And again: What configuration method is suitable to limit user control over memory policy adjustments, besides the heavyweight seccomp approach? -- Regards Yafang
On Wed 15-11-23 09:52:38, Yafang Shao wrote: > On Wed, Nov 15, 2023 at 12:58 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > > > > On 11/14/2023 3:59 AM, Yafang Shao wrote: > > > On Tue, Nov 14, 2023 at 6:15 PM Michal Hocko <mhocko@suse.com> wrote: > > >> On Mon 13-11-23 11:15:06, Yafang Shao wrote: > > >>> On Mon, Nov 13, 2023 at 12:45 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > > >>>> On 11/11/2023 11:34 PM, Yafang Shao wrote: > > >>>>> Background > > >>>>> ========== > > >>>>> > > >>>>> In our containerized environment, we've identified unexpected OOM events > > >>>>> where the OOM-killer terminates tasks despite having ample free memory. > > >>>>> This anomaly is traced back to tasks within a container using mbind(2) to > > >>>>> bind memory to a specific NUMA node. When the allocated memory on this node > > >>>>> is exhausted, the OOM-killer, prioritizing tasks based on oom_score, > > >>>>> indiscriminately kills tasks. This becomes more critical with guaranteed > > >>>>> tasks (oom_score_adj: -998) aggravating the issue. > > >>>> Is there some reason why you can't fix the callers of mbind(2)? > > >>>> This looks like an user space configuration error rather than a > > >>>> system security issue. > > >>> It appears my initial description may have caused confusion. In this > > >>> scenario, the caller is an unprivileged user lacking any capabilities. > > >>> While a privileged user, such as root, experiencing this issue might > > >>> indicate a user space configuration error, the concerning aspect is > > >>> the potential for an unprivileged user to disrupt the system easily. > > >>> If this is perceived as a misconfiguration, the question arises: What > > >>> is the correct configuration to prevent an unprivileged user from > > >>> utilizing mbind(2)?" > > >> How is this any different than a non NUMA (mbind) situation? > > > In a UMA system, each gigabyte of memory carries the same cost. > > > Conversely, in a NUMA architecture, opting to confine processes within > > > a specific NUMA node incurs additional costs. In the worst-case > > > scenario, if all containers opt to bind their memory exclusively to > > > specific nodes, it will result in significant memory wastage. > > > > That still sounds like you've misconfigured your containers such > > that they expect to get more memory than is available, and that > > they have more control over it than they really do. > > And again: What configuration method is suitable to limit user control > over memory policy adjustments, besides the heavyweight seccomp > approach? This really depends on the workloads. What is the reason mbind is used in the first place? Is it acceptable to partition the system so that there is a numa node reserved for NUMA aware workloads? If not, have you considered (already proposed numa=off)?
On Wed, Nov 15, 2023 at 4:45 PM Michal Hocko <mhocko@suse.com> wrote: > > On Wed 15-11-23 09:52:38, Yafang Shao wrote: > > On Wed, Nov 15, 2023 at 12:58 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > > > > > > On 11/14/2023 3:59 AM, Yafang Shao wrote: > > > > On Tue, Nov 14, 2023 at 6:15 PM Michal Hocko <mhocko@suse.com> wrote: > > > >> On Mon 13-11-23 11:15:06, Yafang Shao wrote: > > > >>> On Mon, Nov 13, 2023 at 12:45 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > > > >>>> On 11/11/2023 11:34 PM, Yafang Shao wrote: > > > >>>>> Background > > > >>>>> ========== > > > >>>>> > > > >>>>> In our containerized environment, we've identified unexpected OOM events > > > >>>>> where the OOM-killer terminates tasks despite having ample free memory. > > > >>>>> This anomaly is traced back to tasks within a container using mbind(2) to > > > >>>>> bind memory to a specific NUMA node. When the allocated memory on this node > > > >>>>> is exhausted, the OOM-killer, prioritizing tasks based on oom_score, > > > >>>>> indiscriminately kills tasks. This becomes more critical with guaranteed > > > >>>>> tasks (oom_score_adj: -998) aggravating the issue. > > > >>>> Is there some reason why you can't fix the callers of mbind(2)? > > > >>>> This looks like an user space configuration error rather than a > > > >>>> system security issue. > > > >>> It appears my initial description may have caused confusion. In this > > > >>> scenario, the caller is an unprivileged user lacking any capabilities. > > > >>> While a privileged user, such as root, experiencing this issue might > > > >>> indicate a user space configuration error, the concerning aspect is > > > >>> the potential for an unprivileged user to disrupt the system easily. > > > >>> If this is perceived as a misconfiguration, the question arises: What > > > >>> is the correct configuration to prevent an unprivileged user from > > > >>> utilizing mbind(2)?" > > > >> How is this any different than a non NUMA (mbind) situation? > > > > In a UMA system, each gigabyte of memory carries the same cost. > > > > Conversely, in a NUMA architecture, opting to confine processes within > > > > a specific NUMA node incurs additional costs. In the worst-case > > > > scenario, if all containers opt to bind their memory exclusively to > > > > specific nodes, it will result in significant memory wastage. > > > > > > That still sounds like you've misconfigured your containers such > > > that they expect to get more memory than is available, and that > > > they have more control over it than they really do. > > > > And again: What configuration method is suitable to limit user control > > over memory policy adjustments, besides the heavyweight seccomp > > approach? > > This really depends on the workloads. What is the reason mbind is used > in the first place? It can improve their performance. > Is it acceptable to partition the system so that > there is a numa node reserved for NUMA aware workloads? As highlighted in the commit log, our preference is to configure this memory policy through kubelet using cpuset.mems in the cpuset controller, rather than allowing individual users to set it independently. > If not, have you > considered (already proposed numa=off)? The challenge at hand isn't solely about whether users should bind to a memory node or the deployment of workloads. What we're genuinely dealing with is the fact that users can bind to a specific node without our explicit agreement or authorization.
On Wed, Nov 15, 2023 at 5:33 PM Yafang Shao <laoar.shao@gmail.com> wrote: > > On Wed, Nov 15, 2023 at 4:45 PM Michal Hocko <mhocko@suse.com> wrote: > > > > On Wed 15-11-23 09:52:38, Yafang Shao wrote: > > > On Wed, Nov 15, 2023 at 12:58 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > > > > > > > > On 11/14/2023 3:59 AM, Yafang Shao wrote: > > > > > On Tue, Nov 14, 2023 at 6:15 PM Michal Hocko <mhocko@suse.com> wrote: > > > > >> On Mon 13-11-23 11:15:06, Yafang Shao wrote: > > > > >>> On Mon, Nov 13, 2023 at 12:45 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > > > > >>>> On 11/11/2023 11:34 PM, Yafang Shao wrote: > > > > >>>>> Background > > > > >>>>> ========== > > > > >>>>> > > > > >>>>> In our containerized environment, we've identified unexpected OOM events > > > > >>>>> where the OOM-killer terminates tasks despite having ample free memory. > > > > >>>>> This anomaly is traced back to tasks within a container using mbind(2) to > > > > >>>>> bind memory to a specific NUMA node. When the allocated memory on this node > > > > >>>>> is exhausted, the OOM-killer, prioritizing tasks based on oom_score, > > > > >>>>> indiscriminately kills tasks. This becomes more critical with guaranteed > > > > >>>>> tasks (oom_score_adj: -998) aggravating the issue. > > > > >>>> Is there some reason why you can't fix the callers of mbind(2)? > > > > >>>> This looks like an user space configuration error rather than a > > > > >>>> system security issue. > > > > >>> It appears my initial description may have caused confusion. In this > > > > >>> scenario, the caller is an unprivileged user lacking any capabilities. > > > > >>> While a privileged user, such as root, experiencing this issue might > > > > >>> indicate a user space configuration error, the concerning aspect is > > > > >>> the potential for an unprivileged user to disrupt the system easily. > > > > >>> If this is perceived as a misconfiguration, the question arises: What > > > > >>> is the correct configuration to prevent an unprivileged user from > > > > >>> utilizing mbind(2)?" > > > > >> How is this any different than a non NUMA (mbind) situation? > > > > > In a UMA system, each gigabyte of memory carries the same cost. > > > > > Conversely, in a NUMA architecture, opting to confine processes within > > > > > a specific NUMA node incurs additional costs. In the worst-case > > > > > scenario, if all containers opt to bind their memory exclusively to > > > > > specific nodes, it will result in significant memory wastage. > > > > > > > > That still sounds like you've misconfigured your containers such > > > > that they expect to get more memory than is available, and that > > > > they have more control over it than they really do. > > > > > > And again: What configuration method is suitable to limit user control > > > over memory policy adjustments, besides the heavyweight seccomp > > > approach? > > > > This really depends on the workloads. What is the reason mbind is used > > in the first place? > > It can improve their performance. > > > Is it acceptable to partition the system so that > > there is a numa node reserved for NUMA aware workloads? > > As highlighted in the commit log, our preference is to configure this > memory policy through kubelet using cpuset.mems in the cpuset > controller, rather than allowing individual users to set it > independently. > > > If not, have you > > considered (already proposed numa=off)? > > The challenge at hand isn't solely about whether users should bind to > a memory node or the deployment of workloads. What we're genuinely > dealing with is the fact that users can bind to a specific node > without our explicit agreement or authorization. BYW, the same principle should also apply to sched_setaffinity(2). While there's already a security_task_setscheduler() in place, it's undeniable that we should also consider adding a security_set_mempolicy() for consistency.
On Wed 15-11-23 17:33:51, Yafang Shao wrote: > On Wed, Nov 15, 2023 at 4:45 PM Michal Hocko <mhocko@suse.com> wrote: > > > > On Wed 15-11-23 09:52:38, Yafang Shao wrote: > > > On Wed, Nov 15, 2023 at 12:58 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > > > > > > > > On 11/14/2023 3:59 AM, Yafang Shao wrote: > > > > > On Tue, Nov 14, 2023 at 6:15 PM Michal Hocko <mhocko@suse.com> wrote: > > > > >> On Mon 13-11-23 11:15:06, Yafang Shao wrote: > > > > >>> On Mon, Nov 13, 2023 at 12:45 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > > > > >>>> On 11/11/2023 11:34 PM, Yafang Shao wrote: > > > > >>>>> Background > > > > >>>>> ========== > > > > >>>>> > > > > >>>>> In our containerized environment, we've identified unexpected OOM events > > > > >>>>> where the OOM-killer terminates tasks despite having ample free memory. > > > > >>>>> This anomaly is traced back to tasks within a container using mbind(2) to > > > > >>>>> bind memory to a specific NUMA node. When the allocated memory on this node > > > > >>>>> is exhausted, the OOM-killer, prioritizing tasks based on oom_score, > > > > >>>>> indiscriminately kills tasks. This becomes more critical with guaranteed > > > > >>>>> tasks (oom_score_adj: -998) aggravating the issue. > > > > >>>> Is there some reason why you can't fix the callers of mbind(2)? > > > > >>>> This looks like an user space configuration error rather than a > > > > >>>> system security issue. > > > > >>> It appears my initial description may have caused confusion. In this > > > > >>> scenario, the caller is an unprivileged user lacking any capabilities. > > > > >>> While a privileged user, such as root, experiencing this issue might > > > > >>> indicate a user space configuration error, the concerning aspect is > > > > >>> the potential for an unprivileged user to disrupt the system easily. > > > > >>> If this is perceived as a misconfiguration, the question arises: What > > > > >>> is the correct configuration to prevent an unprivileged user from > > > > >>> utilizing mbind(2)?" > > > > >> How is this any different than a non NUMA (mbind) situation? > > > > > In a UMA system, each gigabyte of memory carries the same cost. > > > > > Conversely, in a NUMA architecture, opting to confine processes within > > > > > a specific NUMA node incurs additional costs. In the worst-case > > > > > scenario, if all containers opt to bind their memory exclusively to > > > > > specific nodes, it will result in significant memory wastage. > > > > > > > > That still sounds like you've misconfigured your containers such > > > > that they expect to get more memory than is available, and that > > > > they have more control over it than they really do. > > > > > > And again: What configuration method is suitable to limit user control > > > over memory policy adjustments, besides the heavyweight seccomp > > > approach? > > > > This really depends on the workloads. What is the reason mbind is used > > in the first place? > > It can improve their performance. > > > Is it acceptable to partition the system so that > > there is a numa node reserved for NUMA aware workloads? > > As highlighted in the commit log, our preference is to configure this > memory policy through kubelet using cpuset.mems in the cpuset > controller, rather than allowing individual users to set it > independently. OK, I have missed that part. > > If not, have you > > considered (already proposed numa=off)? > > The challenge at hand isn't solely about whether users should bind to > a memory node or the deployment of workloads. What we're genuinely > dealing with is the fact that users can bind to a specific node > without our explicit agreement or authorization. mbind outside of the cpuset shouldn't be possible (policy_nodemask). So if you are configuring cpusets already then mbind should add much to a problem. I can see how you can have problems when you do not have any NUMA partitioning in place because mixing NUMA aware and unaware workloads doesn't really work out well when the memory is short on supply.
On 11/15/2023 6:26 AM, Yafang Shao wrote: > On Wed, Nov 15, 2023 at 5:33 PM Yafang Shao <laoar.shao@gmail.com> wrote: >> On Wed, Nov 15, 2023 at 4:45 PM Michal Hocko <mhocko@suse.com> wrote: >>> On Wed 15-11-23 09:52:38, Yafang Shao wrote: >>>> On Wed, Nov 15, 2023 at 12:58 AM Casey Schaufler <casey@schaufler-ca.com> wrote: >>>>> On 11/14/2023 3:59 AM, Yafang Shao wrote: >>>>>> On Tue, Nov 14, 2023 at 6:15 PM Michal Hocko <mhocko@suse.com> wrote: >>>>>>> On Mon 13-11-23 11:15:06, Yafang Shao wrote: >>>>>>>> On Mon, Nov 13, 2023 at 12:45 AM Casey Schaufler <casey@schaufler-ca.com> wrote: >>>>>>>>> On 11/11/2023 11:34 PM, Yafang Shao wrote: >>>>>>>>>> Background >>>>>>>>>> ========== >>>>>>>>>> >>>>>>>>>> In our containerized environment, we've identified unexpected OOM events >>>>>>>>>> where the OOM-killer terminates tasks despite having ample free memory. >>>>>>>>>> This anomaly is traced back to tasks within a container using mbind(2) to >>>>>>>>>> bind memory to a specific NUMA node. When the allocated memory on this node >>>>>>>>>> is exhausted, the OOM-killer, prioritizing tasks based on oom_score, >>>>>>>>>> indiscriminately kills tasks. This becomes more critical with guaranteed >>>>>>>>>> tasks (oom_score_adj: -998) aggravating the issue. >>>>>>>>> Is there some reason why you can't fix the callers of mbind(2)? >>>>>>>>> This looks like an user space configuration error rather than a >>>>>>>>> system security issue. >>>>>>>> It appears my initial description may have caused confusion. In this >>>>>>>> scenario, the caller is an unprivileged user lacking any capabilities. >>>>>>>> While a privileged user, such as root, experiencing this issue might >>>>>>>> indicate a user space configuration error, the concerning aspect is >>>>>>>> the potential for an unprivileged user to disrupt the system easily. >>>>>>>> If this is perceived as a misconfiguration, the question arises: What >>>>>>>> is the correct configuration to prevent an unprivileged user from >>>>>>>> utilizing mbind(2)?" >>>>>>> How is this any different than a non NUMA (mbind) situation? >>>>>> In a UMA system, each gigabyte of memory carries the same cost. >>>>>> Conversely, in a NUMA architecture, opting to confine processes within >>>>>> a specific NUMA node incurs additional costs. In the worst-case >>>>>> scenario, if all containers opt to bind their memory exclusively to >>>>>> specific nodes, it will result in significant memory wastage. >>>>> That still sounds like you've misconfigured your containers such >>>>> that they expect to get more memory than is available, and that >>>>> they have more control over it than they really do. >>>> And again: What configuration method is suitable to limit user control >>>> over memory policy adjustments, besides the heavyweight seccomp >>>> approach? What makes seccomp "heavyweight"? The overhead? The infrastructure required? >>> This really depends on the workloads. What is the reason mbind is used >>> in the first place? >> It can improve their performance. How much? You've already demonstrated that using mbind can degrade their performance. >> >>> Is it acceptable to partition the system so that >>> there is a numa node reserved for NUMA aware workloads? >> As highlighted in the commit log, our preference is to configure this >> memory policy through kubelet using cpuset.mems in the cpuset >> controller, rather than allowing individual users to set it >> independently. >> >>> If not, have you >>> considered (already proposed numa=off)? >> The challenge at hand isn't solely about whether users should bind to >> a memory node or the deployment of workloads. What we're genuinely >> dealing with is the fact that users can bind to a specific node >> without our explicit agreement or authorization. > BYW, the same principle should also apply to sched_setaffinity(2). > While there's already a security_task_setscheduler() in place, it's > undeniable that we should also consider adding a > security_set_mempolicy() for consistency. "A foolish consistency is the hobgoblin of little minds" - Ralph Waldo Emerson
On Thu, Nov 16, 2023 at 1:09 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > > On 11/15/2023 6:26 AM, Yafang Shao wrote: > > On Wed, Nov 15, 2023 at 5:33 PM Yafang Shao <laoar.shao@gmail.com> wrote: > >> On Wed, Nov 15, 2023 at 4:45 PM Michal Hocko <mhocko@suse.com> wrote: > >>> On Wed 15-11-23 09:52:38, Yafang Shao wrote: > >>>> On Wed, Nov 15, 2023 at 12:58 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > >>>>> On 11/14/2023 3:59 AM, Yafang Shao wrote: > >>>>>> On Tue, Nov 14, 2023 at 6:15 PM Michal Hocko <mhocko@suse.com> wrote: > >>>>>>> On Mon 13-11-23 11:15:06, Yafang Shao wrote: > >>>>>>>> On Mon, Nov 13, 2023 at 12:45 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > >>>>>>>>> On 11/11/2023 11:34 PM, Yafang Shao wrote: > >>>>>>>>>> Background > >>>>>>>>>> ========== > >>>>>>>>>> > >>>>>>>>>> In our containerized environment, we've identified unexpected OOM events > >>>>>>>>>> where the OOM-killer terminates tasks despite having ample free memory. > >>>>>>>>>> This anomaly is traced back to tasks within a container using mbind(2) to > >>>>>>>>>> bind memory to a specific NUMA node. When the allocated memory on this node > >>>>>>>>>> is exhausted, the OOM-killer, prioritizing tasks based on oom_score, > >>>>>>>>>> indiscriminately kills tasks. This becomes more critical with guaranteed > >>>>>>>>>> tasks (oom_score_adj: -998) aggravating the issue. > >>>>>>>>> Is there some reason why you can't fix the callers of mbind(2)? > >>>>>>>>> This looks like an user space configuration error rather than a > >>>>>>>>> system security issue. > >>>>>>>> It appears my initial description may have caused confusion. In this > >>>>>>>> scenario, the caller is an unprivileged user lacking any capabilities. > >>>>>>>> While a privileged user, such as root, experiencing this issue might > >>>>>>>> indicate a user space configuration error, the concerning aspect is > >>>>>>>> the potential for an unprivileged user to disrupt the system easily. > >>>>>>>> If this is perceived as a misconfiguration, the question arises: What > >>>>>>>> is the correct configuration to prevent an unprivileged user from > >>>>>>>> utilizing mbind(2)?" > >>>>>>> How is this any different than a non NUMA (mbind) situation? > >>>>>> In a UMA system, each gigabyte of memory carries the same cost. > >>>>>> Conversely, in a NUMA architecture, opting to confine processes within > >>>>>> a specific NUMA node incurs additional costs. In the worst-case > >>>>>> scenario, if all containers opt to bind their memory exclusively to > >>>>>> specific nodes, it will result in significant memory wastage. > >>>>> That still sounds like you've misconfigured your containers such > >>>>> that they expect to get more memory than is available, and that > >>>>> they have more control over it than they really do. > >>>> And again: What configuration method is suitable to limit user control > >>>> over memory policy adjustments, besides the heavyweight seccomp > >>>> approach? > > What makes seccomp "heavyweight"? The overhead? The infrastructure required? > > >>> This really depends on the workloads. What is the reason mbind is used > >>> in the first place? > >> It can improve their performance. > > How much? You've already demonstrated that using mbind can degrade their performance. Pls. calm down and read the whole discussion carefully. It is not easy to understand.
On Thu, Nov 16, 2023 at 1:00 AM Michal Hocko <mhocko@suse.com> wrote: > > On Wed 15-11-23 17:33:51, Yafang Shao wrote: > > On Wed, Nov 15, 2023 at 4:45 PM Michal Hocko <mhocko@suse.com> wrote: > > > > > > On Wed 15-11-23 09:52:38, Yafang Shao wrote: > > > > On Wed, Nov 15, 2023 at 12:58 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > > > > > > > > > > On 11/14/2023 3:59 AM, Yafang Shao wrote: > > > > > > On Tue, Nov 14, 2023 at 6:15 PM Michal Hocko <mhocko@suse.com> wrote: > > > > > >> On Mon 13-11-23 11:15:06, Yafang Shao wrote: > > > > > >>> On Mon, Nov 13, 2023 at 12:45 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > > > > > >>>> On 11/11/2023 11:34 PM, Yafang Shao wrote: > > > > > >>>>> Background > > > > > >>>>> ========== > > > > > >>>>> > > > > > >>>>> In our containerized environment, we've identified unexpected OOM events > > > > > >>>>> where the OOM-killer terminates tasks despite having ample free memory. > > > > > >>>>> This anomaly is traced back to tasks within a container using mbind(2) to > > > > > >>>>> bind memory to a specific NUMA node. When the allocated memory on this node > > > > > >>>>> is exhausted, the OOM-killer, prioritizing tasks based on oom_score, > > > > > >>>>> indiscriminately kills tasks. This becomes more critical with guaranteed > > > > > >>>>> tasks (oom_score_adj: -998) aggravating the issue. > > > > > >>>> Is there some reason why you can't fix the callers of mbind(2)? > > > > > >>>> This looks like an user space configuration error rather than a > > > > > >>>> system security issue. > > > > > >>> It appears my initial description may have caused confusion. In this > > > > > >>> scenario, the caller is an unprivileged user lacking any capabilities. > > > > > >>> While a privileged user, such as root, experiencing this issue might > > > > > >>> indicate a user space configuration error, the concerning aspect is > > > > > >>> the potential for an unprivileged user to disrupt the system easily. > > > > > >>> If this is perceived as a misconfiguration, the question arises: What > > > > > >>> is the correct configuration to prevent an unprivileged user from > > > > > >>> utilizing mbind(2)?" > > > > > >> How is this any different than a non NUMA (mbind) situation? > > > > > > In a UMA system, each gigabyte of memory carries the same cost. > > > > > > Conversely, in a NUMA architecture, opting to confine processes within > > > > > > a specific NUMA node incurs additional costs. In the worst-case > > > > > > scenario, if all containers opt to bind their memory exclusively to > > > > > > specific nodes, it will result in significant memory wastage. > > > > > > > > > > That still sounds like you've misconfigured your containers such > > > > > that they expect to get more memory than is available, and that > > > > > they have more control over it than they really do. > > > > > > > > And again: What configuration method is suitable to limit user control > > > > over memory policy adjustments, besides the heavyweight seccomp > > > > approach? > > > > > > This really depends on the workloads. What is the reason mbind is used > > > in the first place? > > > > It can improve their performance. > > > > > Is it acceptable to partition the system so that > > > there is a numa node reserved for NUMA aware workloads? > > > > As highlighted in the commit log, our preference is to configure this > > memory policy through kubelet using cpuset.mems in the cpuset > > controller, rather than allowing individual users to set it > > independently. > > OK, I have missed that part. > > > > If not, have you > > > considered (already proposed numa=off)? > > > > The challenge at hand isn't solely about whether users should bind to > > a memory node or the deployment of workloads. What we're genuinely > > dealing with is the fact that users can bind to a specific node > > without our explicit agreement or authorization. > > mbind outside of the cpuset shouldn't be possible (policy_nodemask). So > if you are configuring cpusets already then mbind should add much to a > problem. I can see how you can have problems when you do not have any > NUMA partitioning in place because mixing NUMA aware and unaware > workloads doesn't really work out well when the memory is short on > supply. Right, we're trying to move NUMA aware workloads to dedicated servers.