jjelinek/capping

## capping
The physical memory limit and the swap cap are two independent and
unrelated limits.

The physical memory limit is a soft cap that controls how many pages of
physical memory can be resident for the zone. Once that value is exceeded
the memory capper will invalidate pages until the RSS of the set of
processes within the zone is below the limit.

The swap cap is a hard limit and is used to control how much anonymous
memory is available. Because anonymous memory is reserved when it is
requested, it is easy to enforce a hard cap.

The reason that the physical cap is a soft limit is that each physical
memory page for a process is backed by something. This can be program text
files, other files that are mmap-ped or anonymous memory (heap and stack)
which is backed by swapfs (and thus is the only memory covered by the swap
cap). Because memory is consumed by demand paging, whenever a process touchs
a page which is not resident the data is brought into memory from the
backing store. Likewise, if the VM system needs a page for something else
it is free to reclaim a page from the process by invalidating its mapping
(after writing the page to backing store if it is dirty). Because many
non-anonymous mappings are shared among more than one process (e.g. libc)
there is no simple way to assign ownership of a page to an individual process.
Thus, you can see why the physical limit is a soft cap.

To implement the physical limit the memory capper invalidates page mappings
for an invidual process although, as described above, this does not impact
other processes which are also referencing the page. The general intention
of the physical limit is to prevent the VM system from forcing pages out from
other processes due to a greedy process touching lots of pages. If the capper
is disabled then a process can have as much RSS as the VM system allows.
There is also nothing inherently wrong here and the VM system will simply
demand page in pages for other processes  again when they are touched. The
worst effect is that other processes in other zones might experience more
paging activity than is fair.
	The physical memory limit and the swap cap are two independent and
	unrelated limits.

	The physical memory limit is a soft cap that controls how many pages of
	physical memory can be resident for the zone. Once that value is exceeded
	the memory capper will invalidate pages until the RSS of the set of
	processes within the zone is below the limit.

	The swap cap is a hard limit and is used to control how much anonymous
	memory is available. Because anonymous memory is reserved when it is
	requested, it is easy to enforce a hard cap.

	The reason that the physical cap is a soft limit is that each physical
	memory page for a process is backed by something. This can be program text
	files, other files that are mmap-ped or anonymous memory (heap and stack)
	which is backed by swapfs (and thus is the only memory covered by the swap
	cap). Because memory is consumed by demand paging, whenever a process touchs
	a page which is not resident the data is brought into memory from the
	backing store. Likewise, if the VM system needs a page for something else
	it is free to reclaim a page from the process by invalidating its mapping
	(after writing the page to backing store if it is dirty). Because many
	non-anonymous mappings are shared among more than one process (e.g. libc)
	there is no simple way to assign ownership of a page to an individual process.
	Thus, you can see why the physical limit is a soft cap.

	To implement the physical limit the memory capper invalidates page mappings
	for an invidual process although, as described above, this does not impact
	other processes which are also referencing the page. The general intention
	of the physical limit is to prevent the VM system from forcing pages out from
	other processes due to a greedy process touching lots of pages. If the capper
	is disabled then a process can have as much RSS as the VM system allows.
	There is also nothing inherently wrong here and the VM system will simply
	demand page in pages for other processes again when they are touched. The
	worst effect is that other processes in other zones might experience more
	paging activity than is fair.