From nobody Mon Feb  9 23:14:47 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28
 as permitted sender) client-ip=209.132.183.28;
 envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com;
Authentication-Results: mx.zoho.com;
	spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
Return-Path: <libvir-list-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by
 mx.zohomail.com
	with SMTPS id 1490629279121429.5779031626694;
 Mon, 27 Mar 2017 08:41:19 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com
 [10.5.11.13])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 457B4C009DCC;
	Mon, 27 Mar 2017 15:41:17 +0000 (UTC)
Received: from colo-mx.corp.redhat.com (unknown [10.5.11.21])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 1A39A81C13;
	Mon, 27 Mar 2017 15:41:17 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id C6E515EC69;
	Mon, 27 Mar 2017 15:41:16 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com
	[10.5.11.16])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id v2RFdKFW011653 for <libvir-list@listman.util.phx.redhat.com>;
	Mon, 27 Mar 2017 11:39:20 -0400
Received: by smtp.corp.redhat.com (Postfix)
	id 0139971C82; Mon, 27 Mar 2017 15:39:20 +0000 (UTC)
Received: from inaba.usersys.redhat.com (unknown [10.34.129.229])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 7BAB777554
	for <libvir-list@redhat.com>; Mon, 27 Mar 2017 15:39:18 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 457B4C009DCC
Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com;
 dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com;
 spf=pass smtp.mailfrom=libvir-list-bounces@redhat.com
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 457B4C009DCC
From: Andrea Bolognani <abologna@redhat.com>
To: libvir-list@redhat.com
Date: Mon, 27 Mar 2017 17:38:59 +0200
Message-Id: <1490629139-26507-8-git-send-email-abologna@redhat.com>
In-Reply-To: <1490629139-26507-1-git-send-email-abologna@redhat.com>
References: <1490629139-26507-1-git-send-email-abologna@redhat.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16
X-loop: libvir-list@redhat.com
Subject: [libvirt] [PATCH v2 7/7] docs: Improve documentation related to
	memory locking
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
X-Greylist: Sender IP whitelisted,
 not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]);
 Mon, 27 Mar 2017 15:41:18 +0000 (UTC)
X-ZohoMail: RSF_0  Z_629925259 SPT_0
Content-Type: text/plain; charset="utf-8"

---
 docs/formatdomain.html.in | 39 ++++++++++++++++++++++++++-------------
 1 file changed, 26 insertions(+), 13 deletions(-)

diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 4a3123e..180bca0 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -937,14 +937,21 @@
       <dt><code>locked</code></dt>
       <dd>When set and supported by the hypervisor, memory pages belonging
         to the domain will be locked in host's memory and the host will not
-        be allowed to swap them out. For QEMU/KVM this requires
-        <code>hard_limit</code> <a href=3D"#elementsMemoryTuning">memory t=
uning</a>
-        element to be used and set to the maximum memory configured for the
-        domain plus any memory consumed by the QEMU process itself. Beware=
 of
-        setting the memory limit too high (and thus allowing the domain to=
 lock
-        most of the host's memory). Doing so may be dangerous to both the
-        domain and the host itself since the host's kernel may run out of
-        memory. <span class=3D"since">Since 1.0.6</span></dd>
+        be allowed to swap them out, which might be required for some
+        workloads such as real-time. For QEMU/KVM guests, the memory used =
by
+        the QEMU process itself will be locked too: unlike guest memory, t=
his
+        is an amount libvirt has no way of figuring out in advance, so it =
has
+        to remove the limit on locked memory altogether. Thus, enabling th=
is
+        option opens up to a potential security risk: the host will be una=
ble
+        to reclaim the locked memory back from the guest when it's running=
 out
+        of memory, which means a malicious guest allocating large amounts =
of
+        locked memory could cause a denial-of-service attach on the host.
+        Because of this, using this option is discouraged unless your work=
load
+        demands it; even then, it's highly recommended to set an
+        <code>hard_limit</code> (see
+        <a href=3D"#elementsMemoryTuning">memory tuning</a>) on memory all=
ocation
+        suitable for the specific environment at the same time to mitigate
+        the risks described above. <span class=3D"since">Since 1.0.6</span=
></dd>
        <dt><code>source</code></dt>
        <dd>In this attribute you can switch to file memorybacking or keep =
default anonymous.</dd>
        <dt><code>access</code></dt>
@@ -989,12 +996,18 @@
       <dt><code>hard_limit</code></dt>
       <dd> The optional <code>hard_limit</code> element is the maximum mem=
ory
         the guest can use. The units for this value are kibibytes (i.e. bl=
ocks
-        of 1024 bytes). <strong>However, users of QEMU and KVM are strongly
-        advised not to set this limit as domain may get killed by the kern=
el
-        if the guess is too low. To determine the memory needed for a proc=
ess
-        to run is an
+        of 1024 bytes). Users of QEMU and KVM are strongly advised not to =
set
+        this limit as domain may get killed by the kernel if the guess is =
too
+        low, and determining the memory needed for a process to run is an
         <a href=3D"http://en.wikipedia.org/wiki/Undecidable_problem">
-        undecidable problem</a>.</strong></dd>
+        undecidable problem</a>; that said, if you already set
+        <code>locked</code> in
+        <a href=3D"#elementsMemoryBacking">memory backing</a> because your
+        workload demands it, you'll have to take into account the specific=
s of
+        your deployment and figure out a value for <code>hard_limit</code>=
 that
+        balances the risk of your guest being killed because the limit was=
 set
+        too low and the risk of your host crashing because it cannot recla=
im
+        the memory used by the guest due to <code>locked</code>. Good luck=
!</dd>
       <dt><code>soft_limit</code></dt>
       <dd> The optional <code>soft_limit</code> element is the memory limi=
t to
         enforce during memory contention. The units for this value are
--=20
2.7.4

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list