public inbox for pve-devel@lists.proxmox.com
* [pve-devel] [PATCH-SERIES qemu-server/manager/docs v2 0/3] close #5291: support disabling KSM for specific VMs
@ 2025-11-13 15:51 Fiona Ebner
  2025-11-13 15:51 ` [pve-devel] [PATCH qemu-server v2 1/3] " Fiona Ebner
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Fiona Ebner @ 2025-11-13 15:51 UTC (permalink / raw)
  To: pve-devel

Changes in v2:
* Rebase on current master.
* I did not include Friedrich's T-b because it has been 9 months and
  there might've been changes to affect the result in
  kernel/QEMU/qemu-server/etc. (doesn't seem to be the case from my
  testing before sending the v2, but still didn't want to claim
  somebody else tested this, when it's been this long)

v1: https://lore.proxmox.com/pve-devel/20250217150444.142182-1-f.ebner@proxmox.com/

KSM exposes a guest's virtual memory to side-channel attacks. Add a VM
configuration option to disable KSM for specific VMs that need to be
protected against such attacks. This makes it possible to still
benefit from KSM for other processes on the host rather than needing
to turn off KSM completely.

qemu-server:

Fiona Ebner (1):
  close #5291: support disabling KSM for specific VMs

 src/PVE/QemuServer.pm | 9 +++++++++
 1 file changed, 9 insertions(+)


manager:

Fiona Ebner (1):
  close #5291: ui: qemu: memory edit: support disabling KSM for specific
    VMs

 www/manager6/qemu/HardwareView.js | 11 +++++++-
 www/manager6/qemu/MemoryEdit.js   | 45 ++++++++++++++++++++++++++-----
 2 files changed, 49 insertions(+), 7 deletions(-)


docs:

Fiona Ebner (1):
  kernel samepage merging: describe how to disable for a specific VM

 kernel-samepage-merging.adoc | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)


Summary over all repositories:
  4 files changed, 71 insertions(+), 8 deletions(-)

-- 
Generated by git-murpp 0.5.0


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
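
An added example, not part of the patch series or of Proxmox code: a small
audit that lists which VM configs still allow KSM, treating a missing
`allow-ksm` as allowed because the option defaults to 1. It assumes configs
are `<vmid>.conf` files of `key: value` lines in which a `[section]` header
starts non-active sections (for example snapshots); the directory argument,
the function names and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# ksm_audit DIR: print "<vmid> ksm-allowed|ksm-disabled" per <vmid>.conf in DIR.
# Assumption: only the lines before the first "[section]" header are the
# active configuration; later sections (e.g. snapshots) are ignored.
ksm_audit() {
    dir=$1
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        vmid=$(basename "$conf" .conf)
        val=$(awk '
            /^\[/ { exit }                       # stop at first section header
            /^allow-ksm:/ {
                sub(/^allow-ksm:[ \t]*/, "")     # strip key
                sub(/[ \t\r]+$/, "")             # strip trailing whitespace
                v = $0
            }
            END { print v }' "$conf")
        case $val in
            0|no|off|false) echo "$vmid ksm-disabled" ;;
            *)              echo "$vmid ksm-allowed" ;;   # absent => default 1
        esac
    done
}

# Constructed sample configs (not real VM data) to exercise the audit.
ksm_audit_demo() {
    tmp=$(mktemp -d) || return 1
    printf 'memory: 4096\nallow-ksm: 0\n' > "$tmp/100.conf"
    printf 'memory: 2048\n' > "$tmp/101.conf"
    # Active config allows KSM; only an old snapshot section had it disabled.
    printf 'memory: 2048\nallow-ksm: 1\n\n[snap1]\nallow-ksm: 0\n' > "$tmp/102.conf"
    ksm_audit "$tmp"
    rm -rf "$tmp"
}

ksm_audit_demo
```

The audit reflects the stored configuration only; whether a running guest
was started with the setting has to be checked on its QEMU command line.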



* [pve-devel] [PATCH qemu-server v2 1/3] close #5291: support disabling KSM for specific VMs
  2025-11-13 15:51 [pve-devel] [PATCH-SERIES qemu-server/manager/docs v2 0/3] close #5291: support disabling KSM for specific VMs Fiona Ebner
@ 2025-11-13 15:51 ` Fiona Ebner
  2025-11-13 15:51 ` [pve-devel] [PATCH manager v2 2/3] close #5291: ui: qemu: memory edit: " Fiona Ebner
  2025-11-13 15:51 ` [pve-devel] [PATCH docs v2 3/3] kernel samepage merging: describe how to disable for a specific VM Fiona Ebner
  2 siblings, 0 replies; 6+ messages in thread
From: Fiona Ebner @ 2025-11-13 15:51 UTC (permalink / raw)
  To: pve-devel

KSM exposes a guest's virtual memory to side-channel attacks. Add a VM
configuration option to disable KSM for specific VMs that need to be
protected against such attacks. This makes it possible to still
benefit from KSM for other processes on the host rather than needing
to turn off KSM completely.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 src/PVE/QemuServer.pm | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index 128b8f47..af333e50 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -731,6 +731,13 @@ EODESCR
             "List of host cores used to execute guest processes, for example: 0,5,8-11",
         optional => 1,
     },
+    'allow-ksm' => {
+        type => 'boolean',
+        description => "Allow memory pages of this guest to be merged via KSM (Kernel Samepage"
+            . " Merging).",
+        optional => 1,
+        default => 1,
+    },
 };
 
 my $cicustom_fmt = {
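
Review bot: The description of 'allow-ksm' says what the option does but
not why anyone would turn it off. The commit message gives the reason
(KSM exposes guest memory to side-channel attacks); a short clause to that
effect in the description would keep the rationale next to the option
instead of only in the git log.
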
@@ -3781,6 +3788,8 @@ sub config_to_command {
         push @$machineFlags, 'kernel_irqchip=split';
     }
 
+    push @$machineFlags, 'mem-merge=off' if defined($conf->{'allow-ksm'}) && !$conf->{'allow-ksm'};
+
     PVE::QemuServer::Virtiofs::config($conf, $vmid, $devices);
 
     push @$cmd, @$devices;
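
Review bot: 'mem-merge=off' is only pushed here, in config_to_command, so as
far as this hunk shows the setting is applied when the QEMU command line is
built and a change made while the VM is running does nothing until the next
start; that deserves a sentence in the option description or the commit
message. The diffstat lists QemuServer.pm as the only changed file, so no
test pins the new flag; a command-line generation test case with
'allow-ksm' set to 0 would. Style: the postfix-if line is long, a plain
if block around the push would read more easily.
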
-- 
2.47.3




* [pve-devel] [PATCH manager v2 2/3] close #5291: ui: qemu: memory edit: support disabling KSM for specific VMs
  2025-11-13 15:51 [pve-devel] [PATCH-SERIES qemu-server/manager/docs v2 0/3] close #5291: support disabling KSM for specific VMs Fiona Ebner
  2025-11-13 15:51 ` [pve-devel] [PATCH qemu-server v2 1/3] " Fiona Ebner
@ 2025-11-13 15:51 ` Fiona Ebner
  2025-11-14 21:02   ` [pve-devel] applied: " Thomas Lamprecht
  2025-11-13 15:51 ` [pve-devel] [PATCH docs v2 3/3] kernel samepage merging: describe how to disable for a specific VM Fiona Ebner
  2 siblings, 1 reply; 6+ messages in thread
From: Fiona Ebner @ 2025-11-13 15:51 UTC (permalink / raw)
  To: pve-devel

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 www/manager6/qemu/HardwareView.js | 11 +++++++-
 www/manager6/qemu/MemoryEdit.js   | 45 ++++++++++++++++++++++++++-----
 2 files changed, 49 insertions(+), 7 deletions(-)

diff --git a/www/manager6/qemu/HardwareView.js b/www/manager6/qemu/HardwareView.js
index f1f715eb..cf5e2a0f 100644
--- a/www/manager6/qemu/HardwareView.js
+++ b/www/manager6/qemu/HardwareView.js
@@ -73,7 +73,7 @@ Ext.define('PVE.qemu.HardwareView', {
                 defaultValue: '512',
                 tdCls: 'pve-itype-icon-memory',
                 group: 2,
-                multiKey: ['memory', 'balloon', 'shares'],
+                multiKey: ['memory', 'balloon', 'shares', 'allow-ksm'],
                 renderer: function (value, metaData, record, ri, ci, store, pending) {
                     var res = '';
 
@@ -92,6 +92,12 @@ Ext.define('PVE.qemu.HardwareView', {
                     } else if (balloon === 0) {
                         res += ' [balloon=0]';
                     }
+
+                    let allowKsm = me.getObjectValue('allow-ksm', undefined, pending);
+                    if (allowKsm !== undefined) {
+                        res += ' [allow-ksm=' + allowKsm + ']';
+                    }
+
                     return res;
                 },
             },
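
Review bot: The renderer appends ' [allow-ksm=...]' whenever the key is
defined, so a config that explicitly stores the default shows
'[allow-ksm=1]', while the balloon branch directly above only annotates the
non-default case ('[balloon=0]'). Consider appending the tag only when KSM
is disallowed, so the annotation in the hardware view marks exactly the VMs
that deviate from the default.
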
@@ -214,6 +220,9 @@ Ext.define('PVE.qemu.HardwareView', {
             numa: {
                 visible: false,
             },
+            'allow-ksm': {
+                visible: false,
+            },
             balloon: {
                 visible: false,
             },
diff --git a/www/manager6/qemu/MemoryEdit.js b/www/manager6/qemu/MemoryEdit.js
index 1fa2f7fa..ff4a7545 100644
--- a/www/manager6/qemu/MemoryEdit.js
+++ b/www/manager6/qemu/MemoryEdit.js
@@ -33,23 +33,39 @@ Ext.define('PVE.qemu.MemoryInputPanel', {
     },
 
     onGetValues: function (values) {
-        var _me = this;
+        let res = {};
 
-        var res = {};
+        let deleteSet = new Set([]);
+
+        // properties that can be passed as-is
+        let propagate = ['allow-ksm', 'memory'];
+
+        propagate.forEach(function (prop) {
+            if (values.delete?.split(',').includes(prop)) {
+                deleteSet.add(prop);
+            }
+            if (prop in values) {
+                res[prop] = values[prop];
+            }
+        });
 
-        res.memory = values.memory;
         res.balloon = values.balloon;
 
         if (!values.ballooning) {
             res.balloon = 0;
-            res.delete = 'shares';
+            deleteSet.add('shares');
         } else if (values.memory === values.balloon) {
             delete res.balloon;
-            res.delete = 'balloon,shares';
+            deleteSet.add('balloon');
+            deleteSet.add('shares');
         } else if (Ext.isDefined(values.shares) && values.shares !== '') {
             res.shares = values.shares;
         } else {
-            res.delete = 'shares';
+            deleteSet.add('shares');
+        }
+
+        if (deleteSet.size > 0) {
+            res.delete = deleteSet.keys().toArray().join(',');
         }
 
         return res;
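
Review bot: 'deleteSet.keys().toArray()' in the final block of onGetValues
depends on the Iterator helpers 'toArray()' method, which older browsers do
not implement; there the call throws and the memory edit dialog cannot
submit. 'Array.from(deleteSet).join(',')' produces the same string without
that dependency. Minor: 'new Set([])' can be written 'new Set()'.
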
@@ -133,6 +149,22 @@ Ext.define('PVE.qemu.MemoryInputPanel', {
                     },
                 },
             },
+            {
+                xtype: 'proxmoxcheckbox',
+                name: 'allow-ksm',
+                labelWidth: labelWidth,
+                fieldLabel: gettext('Allow KSM'),
+                checked: true,
+                uncheckedValue: '0',
+                defaultValue: '1',
+                deleteDefaultValue: true,
+                autoEl: {
+                    tag: 'div',
+                    'data-qtip': gettext(
+                        'Allow the Kernel Samepage Merging daemon to merge memory pages of this VM.',
+                    ),
+                },
+            },
         ];
 
         if (me.insideWizard) {
@@ -183,6 +215,7 @@ Ext.define('PVE.qemu.MemoryEdit', {
                     shares: data.shares,
                     memory: data.memory || '512',
                     balloon: data.balloon > 0 ? data.balloon : data.memory || '512',
+                    'allow-ksm': data['allow-ksm'] ?? true,
                 };
 
                 ipanel.setValues(values);
-- 
2.47.3




* [pve-devel] [PATCH docs v2 3/3] kernel samepage merging: describe how to disable for a specific VM
  2025-11-13 15:51 [pve-devel] [PATCH-SERIES qemu-server/manager/docs v2 0/3] close #5291: support disabling KSM for specific VMs Fiona Ebner
  2025-11-13 15:51 ` [pve-devel] [PATCH qemu-server v2 1/3] " Fiona Ebner
  2025-11-13 15:51 ` [pve-devel] [PATCH manager v2 2/3] close #5291: ui: qemu: memory edit: " Fiona Ebner
@ 2025-11-13 15:51 ` Fiona Ebner
  2025-11-14 21:08   ` [pve-devel] applied: " Thomas Lamprecht
  2 siblings, 1 reply; 6+ messages in thread
From: Fiona Ebner @ 2025-11-13 15:51 UTC (permalink / raw)
  To: pve-devel

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 kernel-samepage-merging.adoc | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/kernel-samepage-merging.adoc b/kernel-samepage-merging.adoc
index 5f55403..e2e70d7 100644
--- a/kernel-samepage-merging.adoc
+++ b/kernel-samepage-merging.adoc
@@ -34,7 +34,11 @@ be a legal requirement.
 Disabling KSM
 ~~~~~~~~~~~~~
 
-To see if KSM is active, you can check the output of:
+KSM can be disabled on a node or on a per-VM basis.
+
+.Disabe KSM on a Node
+
+To see if KSM is active on a node, you can check the output of:
 
 ----
 # systemctl status ksmtuned
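
Review bot: Typo in the new block title: '.Disabe KSM on a Node' should read
'.Disable KSM on a Node'.
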
@@ -52,3 +56,11 @@ Finally, to unmerge all the currently merged pages, run:
 # echo 2 > /sys/kernel/mm/ksm/run
 ----
 
+.Disabe KSM for a Specific VM
+
+The `allow-ksm` VM configuration option controls whether memory page merging is
+allowed for a given VM. The option defaults to true and can be disabled with:
+
+----
+# qm set <vmid> --allow-ksm 0
+----
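
Review bot: Same typo in the second block title, '.Disabe KSM for a Specific
VM' should read '.Disable KSM for a Specific VM'. The new paragraph also
does not say when the setting takes effect; patch 1/3 adds 'mem-merge=off'
while generating the QEMU command line, so a sentence stating whether a
running VM has to be stopped and started again would save readers from
assuming the 'qm set' call protects the guest immediately.
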
-- 
2.47.3




* [pve-devel] applied: [PATCH manager v2 2/3] close #5291: ui: qemu: memory edit: support disabling KSM for specific VMs
  2025-11-13 15:51 ` [pve-devel] [PATCH manager v2 2/3] close #5291: ui: qemu: memory edit: " Fiona Ebner
@ 2025-11-14 21:02   ` Thomas Lamprecht
  0 siblings, 0 replies; 6+ messages in thread
From: Thomas Lamprecht @ 2025-11-14 21:02 UTC (permalink / raw)
  To: pve-devel, Fiona Ebner

On Thu, 13 Nov 2025 16:51:08 +0100, Fiona Ebner wrote:
> 


Applied, thanks!

[2/3] close #5291: ui: qemu: memory edit: support disabling KSM for specific VMs
      commit: 41f67a6df027bced63d399aa3285dc5320f42c66



* [pve-devel] applied: [PATCH docs v2 3/3] kernel samepage merging: describe how to disable for a specific VM
  2025-11-13 15:51 ` [pve-devel] [PATCH docs v2 3/3] kernel samepage merging: describe how to disable for a specific VM Fiona Ebner
@ 2025-11-14 21:08   ` Thomas Lamprecht
  0 siblings, 0 replies; 6+ messages in thread
From: Thomas Lamprecht @ 2025-11-14 21:08 UTC (permalink / raw)
  To: pve-devel, Fiona Ebner

On Thu, 13 Nov 2025 16:51:09 +0100, Fiona Ebner wrote:
> 


Applied, thanks!

[3/3] kernel samepage merging: describe how to disable for a specific VM
      commit: 2b7c17fcdf28724ff38f1eda8bb4fbfbaab4e040


