bhyve with hostile guest

ghislain ghislain at ghislain.net
Wed May 24 15:54:50 UTC 2017


Hi,

 Well, Windows or Linux guests are perhaps considered hostile anyway, so... :p

 I have an issue: I do not like the way Linux evolves and I am looking at moving to another OS, but I have legacy systems
to still manage that I wanted to virtualize. So of course I stumbled on bhyve. I am starting my journey into FreeBSD and,
at the same time, the virtualisation world (as I am thinking of switching from the Linux world, I need to smooth it with
Linux guests), and I had a little question about hostile guests.

 On some systems like jails, containers, cgroups etc., there exist some limits you can set on the CPU usage, RAM usage
and disk IO a guest can do, so it does not take over the host's complete resources, starving all other guests of them.

  I wanted to know if bhyve has some mechanism to limit the usage of a guest that would go rogue (hacked or simply a bug
in a script). Typical limits are:

- network bandwidth
- IO bandwidth / IOPS
- RAM amount => this one seems pretty obvious
- CPU => on this one I am not sure, with the -H, if we can share part of a CPU and in what mode: hard limits, limit with
overcommit on idle etc...

As I do not see any "load balancing" options, I am thinking there is none apart from limiting the RAM amount and the CPU
pinning, but then 100% can be used.

One bhyve frontend I looked at, vm-bhyve, has some options like:

limit_pcpu=""
limit_rbps=""
limit_wbps=""
limit_riops=""
limit_wiops=""

but it seems to use some outside-of-bhyve guru magic from the BSD kernel; the docs of rctl say it's process limits, but I
guess the VM could be just one process :)

Network limits could be put farther down the lane; I mean this does not seem to be the bhyve realm but more the normal
network QoS in the kernel that could be used on the virtual switches.

So, with network out of the picture, and if RAM is OK as it seems, what if a guest goes wild on CPU and disk IO? (Let's
say on a mono-core system for the discussion.) Does the world explode into flames? I am pretty sure some of you must have
had a guest run wild, so if you have field experience do not hesitate to share :)

Best regards,
Ghislain.
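
The per-process rctl limits the message asks about, as an added example that is not part of the original post and is not vm-bhyve code. It assumes a FreeBSD host booted with kern.racct.enable=1, a guest that runs as a single bhyve process whose PID is known, and that the limit_* values correspond to the rctl(8) resources pcpu, readbps, writebps, readiops and writeiops; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: turn vm-bhyve style limit_* values into rctl(8) rules for
# one bhyve process. Rule syntax: subject:subject-id:resource:action=amount
# The limit_* to resource mapping is an assumption, names are hypothetical.

# Accept only digits with an optional trailing size suffix, so a config
# value can never carry extra text into a command that runs as root.
valid_amount() {
    case $1 in
        ''|*[!0-9kKmMgGtT]*) return 1 ;;  # empty or foreign character
        *[kKmMgGtT]?*)       return 1 ;;  # suffix not in last position
        [0-9]*)              return 0 ;;
        *)                   return 1 ;;  # suffix without a number
    esac
}

# Print one rule for "resource:action" $2 on PID $1 when limit $3 is set.
emit_rule() {
    [ -n "$3" ] || return 0               # empty limit means unlimited
    valid_amount "$3" || { echo "bad amount for $2: $3" >&2; return 1; }
    echo "process:$1:$2=$3"
}

# $1 = PID of the bhyve process; $2..$6 = limit_pcpu, limit_rbps,
# limit_wbps, limit_riops, limit_wiops (any of them may be empty).
bhyve_rctl_rules() {
    case $1 in ''|*[!0-9]*) echo "bad pid: $1" >&2; return 1 ;; esac
    emit_rule "$1" pcpu:deny           "$2" &&  # percent of one CPU core
    emit_rule "$1" readbps:throttle    "$3" &&  # disk read bytes/s
    emit_rule "$1" writebps:throttle   "$4" &&  # disk write bytes/s
    emit_rule "$1" readiops:throttle   "$5" &&  # disk read operations/s
    emit_rule "$1" writeiops:throttle  "$6"     # disk write operations/s
}

# Install the rules (root only). All values are validated before the
# first rule is added, so a bad value never leaves a half-limited guest.
apply_bhyve_limits() {
    rules=$(bhyve_rctl_rules "$@") || return 1
    for rule in $rules; do
        rctl -a "$rule" || return 1
    done
    # Inspect afterwards with: rctl -l process:PID   and   rctl -u process:PID
}
```

The rules follow the process, not the guest name, so they have to be re-applied each time the guest is restarted and gets a new PID.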




More information about the freebsd-virtualization mailing list