Proposal to change page allocation to zero on free in the -virtual kernel

Andy Whitcroft apw at canonical.com
Thu Jan 31 08:53:59 UTC 2013


On Mon, Jan 28, 2013 at 09:45:46AM +0100, Peter Lieven wrote:
> Hi,
> 
> I would like to know if it would be a good idea to change the page allocator zeroing
> policy from zero on allocate (for GFP_USER) to zero on free for the -virtual kernel builds.
> 
> This has been initially proposed in grsecurity for security reasons, but it is extremely
> beneficial in virtual environments for 2 additional reasons:
> 
> a) live migration
> b) ksm
> 
> What is your opinion on this?

I would point out that changing the time of the page clear has some
significant effects on performance.  Some time ago admittedly, we did some
work to pre-clear pages and the practical upshot of this was to reduce
not improve performance.  This occurred because the act of clearing the
page necessarily either cycles the entire page into cache or (if you
use uncached writes) flushes the entire page from cache at the time of
the clear.  It was shown to be highly beneficial for this to occur when
the page was about to be used (and preferably with an already cache hot
page) as placing the page in cache was generally beneficial for whoever was
about to use it.  Your proposal here would clear the page at essentially
the worst time for cache performance.

The KSM mergability does seem like a win, the live migration benefits I
would have thought were much less visible and this is a much rarer event in
the life of a VM.  These benefits would be traded for the likely
execution performance hit.  Overall I would expect you to be trading
off memory size against runtime performance, you would definitely need
some comparative numbers on the benefits and costs before you could even
consider such a change.

I would also reiterate Stefan's point here that currently it is not
possible to trivially have different policies in this regard for the main
kernels and the -virtual kernel as they are the same bits.  It might
be possible to make this parameterisable if the benefits were proven,
but I suspect you are going to find a significant throughput penalty.
I guess that would make this something you would want to be able to opt
into depending on your environment, on your cost performance balance as a
"cloud" operator.

Finally, for very sensitive VMs there may be some value in at least
scrubbing the pages before returning them to hypervisorpenalties.

-apw
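
Added example, not part of the original message or of any kernel code: a toy user-space page pool that contrasts the two zeroing policies discussed in this thread. All names (`struct pool`, `page_alloc`, `page_free`, `zeroed_free_pages`) are hypothetical; it shows only the state of free memory under each policy (stale data versus identical, mergeable zero pages) and does not measure the cache cost raised in the reply.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096
#define NPAGES    64
enum zero_policy { ZERO_ON_ALLOC, ZERO_ON_FREE };
struct pool {                            /* toy stand-in for guest RAM */
    enum zero_policy policy;
    int in_use[NPAGES];
    uint8_t mem[NPAGES][PAGE_SIZE];
};
static struct pool demo_pool;
static int page_is_zero(const struct pool *p, int i) {
    static const uint8_t zero[PAGE_SIZE];
    return memcmp(p->mem[i], zero, PAGE_SIZE) == 0;
}
static int page_alloc(struct pool *p) {
    int i = 0;
    while (i < NPAGES && p->in_use[i]) i++;
    if (i == NPAGES) return -1;          /* pool exhausted */
    p->in_use[i] = 1;
    if (p->policy == ZERO_ON_ALLOC)      /* clear right before use */
        memset(p->mem[i], 0, PAGE_SIZE);
    return i;
}
static void page_free(struct pool *p, int i) {
    if (p->policy == ZERO_ON_FREE)       /* clear while the page sits unused */
        memset(p->mem[i], 0, PAGE_SIZE);
    p->in_use[i] = 0;
}
/* Dirty every page with distinct data, free every second one, then count the
 * free pages that are all zero (identical, so mergeable; no stale data). */
static int zeroed_free_pages(struct pool *p, enum zero_policy policy) {
    int n = 0;
    memset(p, 0, sizeof *p);             /* free pages start out zeroed */
    p->policy = policy;
    for (int i = 0; i < NPAGES; i++)
        memset(p->mem[page_alloc(p)], i + 1, PAGE_SIZE);
    for (int i = 0; i < NPAGES; i += 2)
        page_free(p, i);
    for (int i = 0; i < NPAGES; i++)
        n += !p->in_use[i] && page_is_zero(p, i);
    return n;
}
int main(void) {
    printf("zero on alloc: %d\n", zeroed_free_pages(&demo_pool, ZERO_ON_ALLOC));
    printf("zero on free:  %d\n", zeroed_free_pages(&demo_pool, ZERO_ON_FREE));
    return 0;
}
```

Under both policies the next page handed out is zeroed; the difference is only in what the free pages hold in the meantime.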


