view Documentation/SAK.txt @ 897:329ea0ccb344

balloon: try harder to balloon up under memory pressure.

Currently if the balloon driver is unable to increase the guest's
reservation it assumes the failure was due to reaching its full
allocation, gives up on the ballooning operation and records the limit
it reached as the "hard limit". The driver will not try again until
the target is set again (even to the same value).

However it is possible that ballooning has in fact failed due to
memory pressure in the host and therefore it is desirable to keep
attempting to reach the target in case memory becomes available. The
most likely scenario is that some guests are ballooning down while
others are ballooning up and therefore there is temporary memory
pressure while things stabilise. You would not expect a well behaved
toolstack to ask a domain to balloon to more than its allocation nor
would you expect it to deliberately over-commit memory by setting
balloon targets which exceed the total host memory.

This patch drops the concept of a hard limit and causes the balloon
driver to retry increasing the reservation on a timer in the same
manner as when decreasing the reservation.

Also if we partially succeed in increasing the reservation
(i.e. receive less pages than we asked for) then we may as well keep
those pages rather than returning them to Xen.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
author Keir Fraser <keir.fraser@citrix.com>
date Fri Jun 05 14:01:20 2009 +0100 (2009-06-05)
parents 831230e53067
line source
1 Linux 2.4.2 Secure Attention Key (SAK) handling
2 18 March 2001, Andrew Morton <akpm@osdl.org>
4 An operating system's Secure Attention Key is a security tool which is
5 provided as protection against trojan password capturing programs. It
6 is an undefeatable way of killing all programs which could be
7 masquerading as login applications. Users need to be taught to enter
8 this key sequence before they log in to the system.
10 From the PC keyboard, Linux has two similar but different ways of
11 providing SAK. One is the ALT-SYSRQ-K sequence. You shouldn't use
12 this sequence. It is only available if the kernel was compiled with
13 sysrq support.
15 The proper way of generating a SAK is to define the key sequence using
16 `loadkeys'. This will work whether or not sysrq support is compiled
17 into the kernel.
19 SAK works correctly when the keyboard is in raw mode. This means that
20 once defined, SAK will kill a running X server. If the system is in
21 run level 5, the X server will restart. This is what you want to
22 happen.
24 What key sequence should you use? Well, CTRL-ALT-DEL is used to reboot
25 the machine. CTRL-ALT-BACKSPACE is magical to the X server. We'll
26 choose CTRL-ALT-PAUSE.
28 In your rc.sysinit (or rc.local) file, add the command
30 echo "control alt keycode 101 = SAK" | /bin/loadkeys
32 And that's it! Only the superuser may reprogram the SAK key.
36 =====
38 1: Linux SAK is said to be not a "true SAK" as is required by
39 systems which implement C2 level security. This author does not
40 know why.
43 2: On the PC keyboard, SAK kills all applications which have
44 /dev/console opened.
46 Unfortunately this includes a number of things which you don't
47 actually want killed. This is because these applications are
48 incorrectly holding /dev/console open. Be sure to complain to your
49 Linux distributor about this!
51 You can identify processes which will be killed by SAK with the
52 command
54 # ls -l /proc/[0-9]*/fd/* | grep console
55 l-wx------ 1 root root 64 Mar 18 00:46 /proc/579/fd/0 -> /dev/console
57 Then:
59 # ps aux|grep 579
60 root 579 0.0 0.1 1088 436 ? S 00:43 0:00 gpm -t ps/2
62 So `gpm' will be killed by SAK. This is a bug in gpm. It should
63 be closing standard input. You can work around this by finding the
64 initscript which launches gpm and changing it thusly:
66 Old:
68 daemon gpm
70 New:
72 daemon gpm < /dev/null
74 Vixie cron also seems to have this problem, and needs the same treatment.
76 Also, one prominent Linux distribution has the following three
77 lines in its rc.sysinit and rc scripts:
79 exec 3<&0
80 exec 4>&1
81 exec 5>&2
83 These commands cause *all* daemons which are launched by the
84 initscripts to have file descriptors 3, 4 and 5 attached to
85 /dev/console. So SAK kills them all. A workaround is to simply
86 delete these lines, but this may cause system management
87 applications to malfunction - test everything well.