Commit | Line | Data |
---|---|---|
12804f68 DW |
1 | [[kernel_samepage_merging]] |
2 | Kernel Samepage Merging (KSM) | |
3 | ----------------------------- | |
4 | ifdef::wiki[] | |
5 | :pve-toplevel: | |
6 | endif::wiki[] | |
7 | ||
8 | Kernel Samepage Merging (KSM) is an optional memory deduplication feature | |
9 | offered by the Linux kernel, which is enabled by default in {pve}. KSM | |
10 | works by scanning a range of physical memory pages for identical content, and | |
11 | identifying the virtual pages that are mapped to them. If identical pages are | |
12 | found, the corresponding virtual pages are re-mapped so that they all point to | |
13 | the same physical page, and the old pages are freed. The virtual pages are | |
14 | marked as "copy-on-write", so that any writes to them will be written to a new | |
15 | area of memory, leaving the shared physical page intact. | |
16 | ||
17 | Implications of KSM | |
18 | ~~~~~~~~~~~~~~~~~~~ | |
19 | ||
20 | KSM can optimize memory usage in virtualization environments, as multiple VMs | |
21 | running similar operating systems or workloads could potentially share a lot of | |
22 | common memory pages. | |
23 | ||
24 | However, while KSM can reduce memory usage, it also comes with some security | |
25 | risks, as it can expose VMs to side-channel attacks. Research has shown that it | |
26 | is possible to infer information about a running VM via a second VM on the same | |
27 | host, by exploiting certain characteristics of KSM. | |
28 | ||
29 | Thus, if you are using {pve} to provide hosting services, you should consider | |
30 | disabling KSM, in order to provide your users with additional security. | |
31 | Furthermore, you should check your country's regulations, as disabling KSM may | |
32 | be a legal requirement. | |
33 | ||
34 | Disabling KSM | |
35 | ~~~~~~~~~~~~~ | |
36 | ||
37 | To see if KSM is active, you can check the output of: | |
38 | ||
39 | ---- | |
40 | # systemctl status ksmtuned | |
41 | ---- | |
42 | ||
43 | If it is, it can be disabled immediately with: | |
44 | ||
45 | ---- | |
46 | # systemctl disable --now ksmtuned | |
47 | ---- | |
48 | ||
49 | Finally, to unmerge all the currently merged pages, run: | |
50 | ||
51 | ---- | |
52 | # echo 2 > /sys/kernel/mm/ksm/run | |
53 | ---- | |
54 |
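
The result of the steps above can be confirmed from the kernel's own KSM counters rather than from the `ksmtuned` service state alone. The following POSIX shell check is an added example, not part of the {pve} documentation; it reads `run`, `pages_shared` and `pages_sharing` under `/sys/kernel/mm/ksm`, and the function names, the `KSM_DIR` override and the exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit whether KSM is really off and nothing is still merged.
# KSM_DIR may point at a constructed directory so the check can run offline.
KSM_DIR="${KSM_DIR:-/sys/kernel/mm/ksm}"

# Translate the kernel's "run" value into a label.
#   0 = ksmd stopped, pages merged earlier stay merged
#   1 = ksmd scanning and merging
#   2 = ksmd stopped and all merged pages unmerged
ksm_run_state() {
    case "$(cat "$1/run" 2>/dev/null)" in
        0) echo "stopped" ;;
        1) echo "running" ;;
        2) echo "unmerged" ;;
        *) echo "unknown" ;;
    esac
}

# Exit codes (chosen for this example):
#   0 = KSM not running and no pages shared between processes/VMs
#   1 = KSM running, or stopped with pages still merged
#   2 = sysfs interface not readable
ksm_audit() {
    dir="${1:-$KSM_DIR}"
    state=$(ksm_run_state "$dir")
    if [ "$state" = "unknown" ]; then
        echo "cannot read $dir/run"
        return 2
    fi
    shared=$(cat "$dir/pages_shared" 2>/dev/null || echo 0)
    sharing=$(cat "$dir/pages_sharing" 2>/dev/null || echo 0)
    echo "run=$state pages_shared=$shared pages_sharing=$sharing"
    if [ "$state" = "running" ]; then
        echo "FAIL: ksmd is merging pages"
        return 1
    fi
    if [ "$shared" -gt 0 ] || [ "$sharing" -gt 0 ]; then
        echo "FAIL: ksmd stopped but merged pages remain (write 2 to run)"
        return 1
    fi
    echo "OK: KSM inactive, no merged pages"
    return 0
}
```

On a host, call `ksm_audit` with no argument after sourcing the file; a result of 1 with `run=stopped` means the unmerge step has not been carried out yet.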