tor_memquota/config.rs
1//! Configuration (private module)
2
3use std::sync::LazyLock;
4
5use sysinfo::{MemoryRefreshKind, System};
6use tracing::warn;
7
8use crate::internal_prelude::*;
9
10/// We want to support at least this many participants with a cache each
11///
12/// This is not a recommended value; it's probably too lax
13const MIN_MAX_PARTICIPANTS: usize = 10;
14
15/// Minimum hysteresis
16///
17/// This is not a recommended value; it's probably far too lax for sensible performance!
18const MAX_LOW_WATER_RATIO: f32 = 0.98;
19
20define_derive_deftly! {
21 /// Define setters on the builder for every field of type `Qty`
22 ///
23 /// The field type must be spelled precisely that way:
24 /// we use `approx_equal(...)`.
25 QtySetters:
26
27 impl ConfigBuilder {
28 $(
29 ${when approx_equal($ftype, { Option::<ExplicitOrAuto<Qty>> })}
30
31 ${fattrs doc}
32 ///
33 /// (Setter method.)
34 // We use `value: impl Into<ExplicitOrAuto<usize>>` to avoid breaking users who used the
35 // previous `value: usize`. But this isn't 100% foolproof, for example if a user used
36 // `$fname(foo.into())`, which will fail type inference.
37 pub fn $fname(&mut self, value: impl Into<ExplicitOrAuto<usize>>) -> &mut Self {
38 self.$fname = Some(value.into().map(Qty));
39 self
40 }
41 )
42 }
43}
44
45/// Configuration for a memory data tracker
46///
47/// This is where the quota is specified.
48///
49/// This type can also represent
50/// "memory quota tracking is not supposed to be enabled".
51#[derive(Debug, Clone, Eq, PartialEq)]
52pub struct Config(pub(crate) IfEnabled<ConfigInner>);
53
54/// Configuration for a memory data tracker (builder)
55//
56// We could perhaps generate this with `#[derive(Builder)]` on `ConfigInner`,
57// but derive-builder would need a *lot* of overriding attributes;
58// and, doing it this way lets us write separate docs about
59// the invariants on our fields, which are not the same as those in the builder.
60#[derive(Serialize, Deserialize, Debug, Clone, Eq, PartialEq, Default, Deftly)]
61#[derive_deftly(tor_config::Flattenable, QtySetters)]
62pub struct ConfigBuilder {
63 /// Maximum memory usage tolerated before reclamation starts
64 ///
65 /// Setting this to `usize::MAX` disables the memory quota.
66 ///
67 /// The default is "auto",
68 /// which uses a value derived from the total system memory.
69 /// It should not be assumed that the value used for "auto"
70 /// will remain stable across different versions of this library.
71 ///
72 /// Note that this is not a hard limit.
73 /// See Approximate in [the overview](crate).
74 max: Option<ExplicitOrAuto<Qty>>,
75
76 /// Reclamation will stop when memory use is reduced to below this value
77 ///
78 /// Default is "auto", which uses 75% of the maximum.
79 /// It should not be assumed that the value used for "auto"
80 /// will remain stable across different versions of this library.
81 ///
82 /// If set to an explicit value,
83 /// then `max` must be set to an explicit value as well.
84 low_water: Option<ExplicitOrAuto<Qty>>,
85}
86
87/// Configuration, if enabled
88#[derive(Debug, Clone, Eq, PartialEq, Deftly)]
89#[cfg_attr(
90 feature = "testing",
91 visibility::make(pub),
92 allow(clippy::exhaustive_structs)
93)]
94pub(crate) struct ConfigInner {
95 /// Maximum memory usage
96 ///
97 /// Guaranteed not to be `MAX`, since we're enabled
98 pub max: Qty,
99
100 /// Low water
101 ///
102 /// Guaranteed to be enough lower than `max`
103 pub low_water: Qty,
104}
105
106impl Config {
107 /// Start building a [`Config`]
108 ///
109 /// Returns a fresh default [`ConfigBuilder`].
110 pub fn builder() -> ConfigBuilder {
111 ConfigBuilder::default()
112 }
113
114 /// Obtain the actual configuration, if we're enabled, or `None` if not
115 ///
116 /// Ad-hoc accessor for testing purposes.
117 /// (ideally we'd use `visibility` to make fields `pub`, but that doesn't work.)
118 #[cfg(any(test, feature = "testing"))]
119 #[cfg_attr(feature = "testing", visibility::make(pub))]
120 fn inner(&self) -> Option<&ConfigInner> {
121 self.0.as_ref().into_enabled()
122 }
123}
124
125impl ConfigBuilder {
126 /// Builds a new `Config` from a builder
127 ///
128 /// Returns an error if the fields values are invalid or inconsistent.
129 pub fn build(&self) -> Result<Config, ConfigBuildError> {
130 // both options default to "auto"
131 let max = self.max.unwrap_or(ExplicitOrAuto::Auto);
132 let low_water = self.low_water.unwrap_or(ExplicitOrAuto::Auto);
133
134 // `MAX` indicates "disabled".
135 // TODO: Should we add a new "enabled" config option instead of using a sentinel value?
136 // But this would be a breaking change. Or maybe we should always enable the memquota
137 // machinery even if the user chooses an unreasonably large value, and not give users a way
138 // to disable it.
139 if max == ExplicitOrAuto::Explicit(Qty::MAX) {
140 // If it should be disabled, but the user provided an explicit value for `low_water`.
141 if matches!(low_water, ExplicitOrAuto::Explicit(_)) {
142 return Err(ConfigBuildError::Inconsistent {
143 fields: vec!["max".into(), "low_water".into()],
144 problem: "low_water supplied, but max indicates that we should disable the memory quota".into(),
145 });
146 };
147 return Ok(Config(IfEnabled::Noop));
148 }
149
150 // We don't want the user to set "auto" for `max`, but an explicit value for `low_water`.
151 // Otherwise this config is prone to breaking since a `max` of "auto" may change as system
152 // memory is removed (either physically or if running in a VM/container).
153 if matches!(max, ExplicitOrAuto::Auto) && matches!(low_water, ExplicitOrAuto::Explicit(_)) {
154 return Err(ConfigBuildError::Inconsistent {
155 fields: vec!["max".into(), "low_water".into()],
156 problem: "max is \"auto\", but low_water is set to an explicit quantity".into(),
157 });
158 }
159
160 let enabled = EnabledToken::new_if_compiled_in()
161 //
162 .ok_or_else(|| ConfigBuildError::NoCompileTimeSupport {
163 field: "max".into(),
164 problem: "cargo feature `memquota` disabled (in tor-memquota crate)".into(),
165 })?;
166
167 // The general logic is taken from c-tor (see `compute_real_max_mem_in_queues`).
168 // NOTE: Relays have an additional lower bound for explicitly given values (64 MiB),
169 // but we have no way of knowing whether we are a relay or not here.
170 let max = match max {
171 ExplicitOrAuto::Explicit(x) => x,
172 ExplicitOrAuto::Auto => compute_max_from_total_system_mem(total_available_memory()),
173 };
174
175 let low_water = match low_water {
176 ExplicitOrAuto::Explicit(x) => x,
177 ExplicitOrAuto::Auto => Qty((*max as f32 * 0.75) as _),
178 };
179
180 let config = ConfigInner { max, low_water };
181
182 /// Minimum low water. `const` so that overflows are compile-time.
183 const MIN_LOW_WATER: usize = crate::mtracker::MAX_CACHE.as_usize() * MIN_MAX_PARTICIPANTS;
184 let min_low_water = MIN_LOW_WATER;
185 if *config.low_water < min_low_water {
186 return Err(ConfigBuildError::Invalid {
187 field: "low_water".into(),
188 problem: format!("must be at least {min_low_water}"),
189 });
190 }
191
192 let ratio: f32 = *config.low_water as f32 / *config.max as f32;
193 if ratio > MAX_LOW_WATER_RATIO {
194 return Err(ConfigBuildError::Inconsistent {
195 fields: vec!["low_water".into(), "max".into()],
196 problem: format!(
197 "low_water / max = {ratio}; must be <= {MAX_LOW_WATER_RATIO}, ideally considerably lower"
198 ),
199 });
200 }
201
202 Ok(Config(IfEnabled::Enabled(config, enabled)))
203 }
204}
205
206/// Determine a max given the system's total available memory.
207///
208/// This is used when `max` is configured as "auto".
209/// It takes a `Result` so that we can handle the case where the total memory isn't available.
210fn compute_max_from_total_system_mem(mem: Result<usize, MemQueryError>) -> Qty {
211 const MIB: usize = 1024 * 1024;
212 const GIB: usize = 1024 * 1024 * 1024;
213
214 let mem = match mem {
215 Ok(x) => x,
216 Err(e) => {
217 warn!("Unable to get the total available memory. Using a constant max instead: {e}");
218
219 // Can't get the total available memory,
220 // so we return a max depending on whether the architecture is 32-bit or 64-bit.
221 return Qty({
222 cfg_if::cfg_if! {
223 if #[cfg(target_pointer_width = "64")] {
224 8 * GIB
225 } else {
226 1 * GIB
227 }
228 }
229 });
230 }
231 };
232
233 let mem = if mem >= 8 * GIB {
234 // From c-tor:
235 //
236 // > The idea behind this value is that the amount of RAM is more than enough
237 // > for a single relay and should allow the relay operator to run two relays
238 // > if they have additional bandwidth available.
239 (mem as f64 * 0.40) as usize
240 } else {
241 (mem as f64 * 0.75) as usize
242 };
243
244 // The (min, max) range to clamp `mem` to.
245 let clamp = {
246 cfg_if::cfg_if! {
247 if #[cfg(target_pointer_width = "64")] {
248 (256 * MIB, 8 * GIB)
249 } else {
250 (256 * MIB, 2 * GIB)
251 }
252 }
253 };
254
255 let mem = mem.clamp(clamp.0, clamp.1);
256
257 Qty(mem)
258}
259
260/// The total available memory in bytes.
261///
262/// This is generally the amount of system RAM,
263/// but we may also take into account other OS-specific limits such as cgroups.
264///
265/// Returns `None` if we were unable to get the total available memory.
266/// But see internal comments for details.
267fn total_available_memory() -> Result<usize, MemQueryError> {
268 // The sysinfo crate says we should use only one `System` per application.
269 // But we're a library, so it's probably best to just make this global and reuse it.
270 // In reality getting the system memory probably shouldn't require persistent state,
271 // but since the internals of the sysinfo crate are opaque to us,
272 // we'll just follow their documentation and cache the `System`.
273 //
274 // NOTE: The sysinfo crate in practice gets more information than we ask for.
275 // For example `System::new()` will always query the `_SC_PAGESIZE` and `_SC_CLK_TCK`
276 // on Linux even though we only refresh the memory info below
277 // (see https://github.com/GuillaumeGomez/sysinfo/blob/fc31b411eea7b9983176399dc5be162786dec95b/src/unix/linux/system.rs#L152).
278 // This means that miri will fail to run on tests that build the config, even if the config uses
279 // explicit values.
280 static SYSTEM: LazyLock<Mutex<System>> = LazyLock::new(|| Mutex::new(System::new()));
281 let mut system = SYSTEM.lock().unwrap_or_else(|mut e| {
282 // The sysinfo crate has some internal panics which would poison this mutex.
283 // But we can easily reset it, rather than panicking ourselves if it's poisoned.
284 **e.get_mut() = System::new();
285 SYSTEM.clear_poison();
286 e.into_inner()
287 });
288
289 system.refresh_memory_specifics(MemoryRefreshKind::nothing().with_ram());
290
291 // It might be possible for 32-bit systems to return >usize::MAX due to PAE (I haven't looked
292 // into this), so we just saturate the value and don't consider this an error.
293 let mem = to_usize_saturating(system.total_memory());
294
295 // The sysinfo crate doesn't report errors, so the best we can do is guess that a value of 0
296 // implies that it was unable to get the total memory.
297 //
298 // We also need to return early to prevent a panic below.
299 if mem == 0 {
300 return Err(MemQueryError::Unavailable);
301 }
302
303 // Note: The docs for the sysinfo crate say:
304 //
305 // > You need to have run refresh_memory at least once before calling this method.
306 //
307 // But as implemented, it also panics if `sys.mem_total == 0` (for example if the refresh
308 // silently failed).
309 let Some(cgroups) = system.cgroup_limits() else {
310 // There is no cgroup (or we're a non-Linux platform).
311 return Ok(mem);
312 };
313
314 // The `cgroup_limits()` surprisingly doesn't actually return the unaltered cgroups limits.
315 // It also adjusts them depending on the total memory.
316 // Since this is all undocumented, we'll also do the same calculation here.
317 let mem = std::cmp::min(mem, to_usize_saturating(cgroups.total_memory));
318
319 Ok(mem)
320}
321
322/// An error when we are unable to obtain the system's total available memory.
323#[derive(Clone, Debug, thiserror::Error)]
324enum MemQueryError {
325 /// The total available memory is unavailable.
326 #[error("total available memory is unavailable")]
327 Unavailable,
328}
329
330/// Convert a `u64` to a `usize`, saturating if the value would overflow.
331fn to_usize_saturating(x: u64) -> usize {
332 // this will be optimized to a no-op on 64-bit systems
333 x.try_into().unwrap_or(usize::MAX)
334}
335
336#[cfg(test)]
337mod test {
338 // @@ begin test lint list maintained by maint/add_warning @@
339 #![allow(clippy::bool_assert_comparison)]
340 #![allow(clippy::clone_on_copy)]
341 #![allow(clippy::dbg_macro)]
342 #![allow(clippy::mixed_attributes_style)]
343 #![allow(clippy::print_stderr)]
344 #![allow(clippy::print_stdout)]
345 #![allow(clippy::single_char_pattern)]
346 #![allow(clippy::unwrap_used)]
347 #![allow(clippy::unchecked_duration_subtraction)]
348 #![allow(clippy::useless_vec)]
349 #![allow(clippy::needless_pass_by_value)]
350 //! <!-- @@ end test lint list maintained by maint/add_warning @@ -->
351
352 use super::*;
353 use serde_json::json;
354
355 #[test]
356 // A value of "auto" depends on the system memory,
357 // which typically results in libc calls or syscall that aren't supported by miri.
358 #[cfg_attr(miri, ignore)]
359 fn configs() {
360 let chk_ok_raw = |j, c| {
361 let b: ConfigBuilder = serde_json::from_value(j).unwrap();
362 assert_eq!(b.build().unwrap(), c);
363 };
364 #[cfg(feature = "memquota")]
365 let chk_ok = |j, max, low_water| {
366 const M: usize = 1024 * 1024;
367
368 let exp = IfEnabled::Enabled(
369 ConfigInner {
370 max: Qty(max * M),
371 low_water: Qty(low_water * M),
372 },
373 EnabledToken::new(),
374 );
375
376 chk_ok_raw(j, Config(exp));
377 };
378 let chk_err = |j, exp| {
379 let b: ConfigBuilder = serde_json::from_value(j).unwrap();
380 let got = b.build().unwrap_err().to_string();
381
382 #[cfg(not(feature = "memquota"))]
383 if got.contains("cargo feature `memquota` disabled") {
384 return;
385 }
386
387 assert!(got.contains(exp), "in {exp:?} in {got:?}");
388 };
389 #[cfg(not(feature = "memquota"))]
390 let chk_ok = |j, max, low_water| {
391 chk_err(j, "UNSUPPORTED");
392 };
393
394 let chk_builds = |j| {
395 cfg_if::cfg_if! {
396 if #[cfg(feature = "memquota")] {
397 let b: ConfigBuilder = serde_json::from_value(j).unwrap();
398 b.build().unwrap();
399 } else {
400 chk_err(j, "UNSUPPORTED");
401 }
402 }
403 };
404
405 chk_ok(json! {{ "max": "8 MiB" }}, 8, 6);
406 chk_ok(json! {{ "max": "8 MiB", "low_water": "auto" }}, 8, 6);
407 chk_ok(json! {{ "max": "8 MiB", "low_water": "4 MiB" }}, 8, 4);
408
409 // We don't know what the exact values will be since they are derived from the system
410 // memory.
411 chk_builds(json! {{ }});
412 chk_builds(json! {{ "max": "auto" }});
413 chk_builds(json! {{ "low_water": "auto" }});
414 chk_builds(json! {{ "max": "auto", "low_water": "auto" }});
415
416 chk_err(
417 json! {{ "low_water": "4 MiB" }},
418 "max is \"auto\", but low_water is set to an explicit quantity",
419 );
420 chk_err(
421 json! {{ "max": "8 MiB", "low_water": "8 MiB" }},
422 "inconsistent: low_water / max",
423 );
424
425 // `usize::MAX` is a special value.
426 chk_err(
427 json! {{ "max": usize::MAX.to_string(), "low_water": "8 MiB" }},
428 "low_water supplied, but max indicates that we should disable the memory quota",
429 );
430 chk_builds(json! {{ "max": (usize::MAX - 1).to_string(), "low_water": "8 MiB" }});
431
432 // check that the builder works as expected
433 #[cfg(feature = "memquota")]
434 {
435 let mut b = Config::builder();
436 b.max(ExplicitOrAuto::Explicit(100_000_000));
437 if let Some(inner) = b.build().unwrap().inner() {
438 assert_eq!(inner.max, Qty(100_000_000));
439 }
440
441 let mut b = Config::builder();
442 b.max(100_000_000);
443 if let Some(inner) = b.build().unwrap().inner() {
444 assert_eq!(inner.max, Qty(100_000_000));
445 }
446
447 let mut b = ConfigBuilder::default();
448 b.max(ExplicitOrAuto::Auto);
449 b.build().unwrap();
450 }
451 }
452
453 /// Test the logic that computes the `max` when configured as "auto".
454 #[test]
455 // We do some `1 * X` operations below for readability.
456 #[allow(clippy::identity_op)]
457 fn auto_max() {
458 #[allow(unused)]
459 fn check_helper(val: Qty, expected_32: Qty, expected_64: Qty) {
460 assert_eq!(val, {
461 cfg_if::cfg_if! {
462 if #[cfg(target_pointer_width = "64")] {
463 expected_64
464 } else if #[cfg(target_pointer_width = "32")] {
465 expected_32
466 } else {
467 panic!("Unsupported architecture :(");
468 }
469 }
470 });
471 }
472
473 check_helper(
474 compute_max_from_total_system_mem(Err(MemQueryError::Unavailable)),
475 /* 32-bit */ Qty(1 * 1024 * 1024 * 1024),
476 /* 64-bit */ Qty(8 * 1024 * 1024 * 1024),
477 );
478 check_helper(
479 compute_max_from_total_system_mem(Ok(8 * 1024 * 1024 * 1024)),
480 /* 32-bit */ Qty(2 * 1024 * 1024 * 1024),
481 /* 64-bit */ Qty(3435973836),
482 );
483 check_helper(
484 compute_max_from_total_system_mem(Ok(7 * 1024 * 1024 * 1024)),
485 /* 32-bit */ Qty(2 * 1024 * 1024 * 1024),
486 /* 64-bit */ Qty(5637144576),
487 );
488 check_helper(
489 compute_max_from_total_system_mem(Ok(1 * 1024 * 1024 * 1024)),
490 /* 32-bit */ Qty(805306368),
491 /* 64-bit */ Qty(805306368),
492 );
493 check_helper(
494 compute_max_from_total_system_mem(Ok(7 * 1024)),
495 /* 32-bit */ Qty(256 * 1024 * 1024),
496 /* 64-bit */ Qty(256 * 1024 * 1024),
497 );
498 check_helper(
499 compute_max_from_total_system_mem(Ok(0)),
500 /* 32-bit */ Qty(256 * 1024 * 1024),
501 /* 64-bit */ Qty(256 * 1024 * 1024),
502 );
503 check_helper(
504 compute_max_from_total_system_mem(Ok(usize::MAX)),
505 /* 32-bit */ Qty(2 * 1024 * 1024 * 1024),
506 /* 64-bit */ Qty(8 * 1024 * 1024 * 1024),
507 );
508 }
509}