On Tue, Feb 28, 2023 at 10:18 AM Suren Baghdasaryan <surenb@xxxxxxxxxx> wrote: > > On Tue, Feb 28, 2023 at 5:50 AM Michal Hocko <mhocko@xxxxxxxx> wrote: > > > > On Mon 27-02-23 11:50:48, Suren Baghdasaryan wrote: > > > On Mon, Feb 27, 2023 at 11:11 AM Michal Hocko <mhocko@xxxxxxxx> wrote: > > > > > > > > On Mon 27-02-23 09:49:59, Suren Baghdasaryan wrote: > > > > > On Mon, Feb 27, 2023 at 5:34 AM Michal Hocko <mhocko@xxxxxxxx> wrote: > > > > > > > > > > > > On Fri 24-02-23 13:07:57, Suren Baghdasaryan wrote: > > > > > > > On Fri, Feb 24, 2023 at 4:47 AM Michal Hocko <mhocko@xxxxxxxx> wrote: > > > > [...] > > > > > > > > Btw. it seems that there is is only a limit on a single trigger per fd > > > > > > > > but no limits per user so it doesn't sound too hard to end up with too > > > > > > > > much polling even with a larger timeouts. To me it seems like we need to > > > > > > > > contain the polling thread to be bound by the cpu controller. > > > > > > > > > > > > > > Hmm. We have one "psimon" thread per cgroup (+1 system-level one) and > > > > > > > poll_min_period for each thread is chosen as the min() of polling > > > > > > > periods between triggers created in that group. So, a bad trigger that > > > > > > > causes overly aggressive polling and polling thread being throttled, > > > > > > > might affect other triggers in that cgroup. > > > > > > > > > > > > Yes, and why that would be a problem? > > > > > > > > > > If unprivileged processes are allowed to add new triggers then a > > > > > malicious process can add a bad trigger and affect other legit > > > > > processes. That sounds like a problem to me. > > > > > > > > Hmm, I am not sure we are on the same page. My argument was that the > > > > monitoring kernel thread should be bound by the same cpu controller so > > > > even if it was excessive it would be bound to the cgroup constrains. > > > > > > Right. But if cgroup constraints are violated then the psimon thread's > > > activity will be impacted by throttling. In such cases won't that > > > affect other "good" triggers served by that thread even if they are > > > using higher polling periods? > > > > That is no different from any other part of the workload running within > > the same cpu bound cgroup running overboard with the cpu consumption. I > > do not see why psimon or anything else should be any different. > > > > Actually the only difference here is that the psi monitoring is > > outsourced to a kernel thread which is running ourside of any constrains. > > I am not sure where do we stand with kernel thread cpu cgroup accounting > > and I suspect this is not a trivial thing to do ATM. Hence longer term > > plan. > > Yeah, that sounds right. > In the meantime I think the prudent thing to do is to add > CAP_SYS_RESOURCE check for cgroup interface for consistency with > system-wide one. After that we can change the min period to be > anything more than 0 and let userspace privileged services implement > policies to limit trigger cpu consumption (might be via cpu > controller, limiting the number of triggers/their periods, etc). > Sudarshan, I'll post the CAP_SYS_RESOURCE change shortly and you can > follow up with the change to the min trigger period. Patch to require CAP_SYS_RESOURCE for writing per-cgroup psi files is posted at https://lore.kernel.org/all/20230301014651.1370939-1-surenb@xxxxxxxxxx/ > Thanks for the input folks! > > > -- > > Michal Hocko > > SUSE Labs