From: Dylan Whyte <d.whyte@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH pve-docs] fix #3884: Add section for kernel samepage merging
Date: Fri, 25 Feb 2022 17:29:48 +0100
Message-ID: <20220225162948.231125-1-d.whyte@proxmox.com>
Adds a section to the "Host System Administration" section of the
Administration Guide, discussing KSM and its security risks.
Signed-off-by: Dylan Whyte <d.whyte@proxmox.com>
---
kernel-samepage-merging.adoc | 54 ++++++++++++++++++++++++++++++++++++
sysadmin.adoc | 2 ++
2 files changed, 56 insertions(+)
create mode 100644 kernel-samepage-merging.adoc
diff --git a/kernel-samepage-merging.adoc b/kernel-samepage-merging.adoc
new file mode 100644
index 0000000..5f55403
--- /dev/null
+++ b/kernel-samepage-merging.adoc
@@ -0,0 +1,54 @@
+[[kernel_samepage_merging]]
+Kernel Samepage Merging (KSM)
+-----------------------------
+ifdef::wiki[]
+:pve-toplevel:
+endif::wiki[]
+
+Kernel Samepage Merging (KSM) is an optional memory deduplication feature
+offered by the Linux kernel, which is enabled by default in {pve}. KSM
+works by scanning a range of physical memory pages for identical content, and
+identifying the virtual pages that are mapped to them. If identical pages are
+found, the corresponding virtual pages are re-mapped so that they all point to
+the same physical page, and the old pages are freed. The virtual pages are
+marked as "copy-on-write", so that any writes to them will be written to a new
+area of memory, leaving the shared physical page intact.
+
+Implications of KSM
+~~~~~~~~~~~~~~~~~~~
+
+KSM can optimize memory usage in virtualization environments, as multiple VMs
+running similar operating systems or workloads could potentially share a lot of
+common memory pages.
+
+However, while KSM can reduce memory usage, it also comes with some security
+risks, as it can expose VMs to side-channel attacks. Research has shown that it
+is possible to infer information about a running VM via a second VM on the same
+host, by exploiting certain characteristics of KSM.
+
+Thus, if you are using {pve} to provide hosting services, you should consider
+disabling KSM, in order to provide your users with additional security.
+Furthermore, you should check your country's regulations, as disabling KSM may
+be a legal requirement.
+
+Disabling KSM
+~~~~~~~~~~~~~
+
+To see if KSM is active, you can check the output of:
+
+----
+# systemctl status ksmtuned
+----
+
+If it is, it can be disabled immediately with:
+
+----
+# systemctl disable --now ksmtuned
+----
+
+Finally, to unmerge all the currently merged pages, run:
+
+----
+# echo 2 > /sys/kernel/mm/ksm/run
+----
+
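Review bot: the "To see if KSM is active" step checks the wrong thing; `systemctl status ksmtuned` only tells you whether the tuning daemon is running, not whether the kernel is currently merging pages. The kernel state lives in `/sys/kernel/mm/ksm/run` (0 = stopped, 1 = running, 2 = stop and unmerge) and `/sys/kernel/mm/ksm/pages_sharing` (non-zero means deduplicated pages exist right now), so the section should tell readers to `cat` those, and the final step should end with a verification such as `cat /sys/kernel/mm/ksm/pages_sharing` reading 0 after the `echo 2`. Related: "enabled by default in {pve}" is imprecise, since what is enabled by default is the ksmtuned service, which turns merging on and off according to its thresholds; disabling ksmtuned alone does not stop merging that is already active, which is why the `echo 2` step is needed, and the text should say so rather than leaving the three commands to read as alternatives. The "Research has shown" sentence should carry a reference (a link in the adoc) so readers can judge the side-channel claim, and the legal-requirement sentence is vague as written; either name the kind of regulation meant or soften it to a recommendation.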
diff --git a/sysadmin.adoc b/sysadmin.adoc
index 361fe02..cc75671 100644
--- a/sysadmin.adoc
+++ b/sysadmin.adoc
@@ -70,6 +70,8 @@ include::certificate-management.adoc[]
include::system-booting.adoc[]
+include::kernel-samepage-merging.adoc[]
+
endif::wiki[]
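Review bot: the diffstat lists only the new adoc file and this include, so if the documentation build or the wiki export enumerates source files explicitly anywhere, the new file will need adding there as well; worth confirming before applying.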
--
2.30.2
Thread overview: 3+ messages
2022-02-25 16:29 Dylan Whyte [this message]
2022-04-21 14:03 ` Dylan Whyte
2022-04-22 9:41 ` [pve-devel] applied: " Thomas Lamprecht