Merge pull request #2778 from lindig/CP-18860

CP 18860 - Restrict setting memory limits for Bromium VMs

* The memory configuration is checked explicitly before VM.start
* A check is integrated into xapi_vm_memory_constraints
* There is no check as part of vm_lifecycle which was the original approach to implement the check.

Author: lindig

ocaml/idl/datamodel.ml

@@ -511,6 +511,8 @@ let _ =
     ~doc:"You attempted an operation which would have resulted in duplicate keys in the database." ();
   error Api_errors.location_not_unique ["SR"; "location"]
     ~doc:"A VDI with the specified location already exists within the SR" ();
+  error Api_errors.memory_constraint_violation ["constraint"]
+    ~doc:"The dynamic memory range does not satisfy the following constraint." ();
 
   (* Session errors *)
   error Api_errors.session_authentication_failed []

ocaml/xapi/xapi_vm_lifecycle.ml

@@ -279,18 +279,28 @@ let check_protection_policy ~vmr ~op ~ref_str =
  * If the VM_metrics object does not exist, it implies the VM is not
  * running - in which case we use the current values from the database.
  **)
-let is_mobile ~__context vm strict =
-  let metrics = Db.VM.get_metrics ~__context ~self:vm in
+
+let nomigrate ~__context vm metrics =
   try
-    let nomigrate   = Db.VM_metrics.get_nomigrate ~__context ~self:metrics in
-    let nested_virt = Db.VM_metrics.get_nested_virt ~__context ~self:metrics in
-    (not nomigrate && not nested_virt) || not strict
+    Db.VM_metrics.get_nomigrate ~__context ~self:metrics
   with _ ->
-    (* No VM_metrics *)
-    let not_true platformdata key =
-      not @@ Vm_platform.is_true ~key ~platformdata ~default:false in
-    let platform = Db.VM.get_platform ~__context ~self:vm in
-    (not_true platform "nomigrate" && not_true platform "nested-virt") || not strict
+    let platformdata = Db.VM.get_platform ~__context ~self:vm in
+    let key = "nomigrate" in
+    Vm_platform.is_true ~key ~platformdata ~default:false
+
+let nested_virt ~__context vm metrics =
+  try
+    Db.VM_metrics.get_nested_virt ~__context ~self:metrics
+  with _ ->
+    let platformdata = Db.VM.get_platform ~__context ~self:vm in
+    let key = "nested-virt" in
+    Vm_platform.is_true ~key ~platformdata ~default:false
+
+let is_mobile ~__context vm strict =
+  let metrics = Db.VM.get_metrics ~__context ~self:vm in
+  (not @@ nomigrate ~__context vm metrics
+   && not @@ nested_virt ~__context vm metrics)
+  || not strict
 
 
 (** Take an internal VM record and a proposed operation. Return None iff the operation

ocaml/xapi/xapi_vm_memory_constraints.ml

@@ -51,26 +51,34 @@ module Vm_memory_constraints : T = struct
 
   include Vm_memory_constraints.Vm_memory_constraints
 
+  let nested_virt ~__context vm =
+    let metrics = Db.VM.get_metrics ~__context ~self:vm in
+    Xapi_vm_lifecycle.nested_virt ~__context vm metrics
+
+  let order_constraint =
+    "Memory limits must satisfy: \
+     static_min ≤ dynamic_min ≤ dynamic_max ≤ static_max"
+  let equality_constraint =
+    "Memory limits must satisfy: \
+     static_min ≤ dynamic_min = dynamic_max = static_max"
+
   let assert_valid ~constraints =
     if not (are_valid ~constraints)
     then raise (Api_errors.Server_error (
-        Api_errors.memory_constraint_violation,
-        ["Memory limits must satisfy: \
-          				static_min ≤ dynamic_min ≤ dynamic_max ≤ static_max"]))
+      Api_errors.memory_constraint_violation, [order_constraint]))
 
   let assert_valid_and_pinned_at_static_max ~constraints =
     if not (are_valid_and_pinned_at_static_max ~constraints)
     then raise (Api_errors.Server_error (
-        Api_errors.memory_constraint_violation,
-        ["Memory limits must satisfy: \
-          				static_min ≤ dynamic_min = dynamic_max = static_max"]))
+      Api_errors.memory_constraint_violation, [equality_constraint]))
 
   let assert_valid_for_current_context ~__context ~vm ~constraints =
     let is_control_domain = Db.VM.get_is_control_domain ~__context ~self:vm in
-    (if Pool_features.is_enabled ~__context Features.DMC && not is_control_domain
-     then assert_valid
-     else assert_valid_and_pinned_at_static_max)
-      ~constraints
+    if Pool_features.is_enabled ~__context Features.DMC
+      && not is_control_domain
+      && not (nested_virt ~__context vm)
+    then assert_valid ~constraints
+    else assert_valid_and_pinned_at_static_max ~constraints
 
   let extract ~vm_record =
     {

ocaml/xapi/xapi_xenops.ml

@@ -708,6 +708,16 @@ module MD = struct
     (* CA-55754: temporarily disable msitranslate when GPU is passed through. *)
     let pci_msitranslate =
       if vm.API.vM_VGPUs <> [] then false else pci_msitranslate in
+
+    (* CP-18860: check memory limits if using nested_virt *)
+    if Vm_platform.is_true ~key:"nested-virt" ~platformdata ~default:false
+    then
+      begin
+        let module C = Xapi_vm_memory_constraints.Vm_memory_constraints in
+        let c = C.get ~__context ~vm_ref:vmref in
+        C.assert_valid_and_pinned_at_static_max c
+      end;
+
     {
       id = vm.API.vM_uuid;
       name = vm.API.vM_name_label;