Re: Resource limits

From: Al Boldi
Date: Tue Sep 27 2005 - 00:12:15 EST

Next message: Alejandro Bonilla: "Re: ipw2200 only works as a module?"
Previous message: Robert Schwebel: "Re: ADI Blackfin porting for kernel-2.6.13"
In reply to: Neil Horman: "Re: Resource limits"
Next in thread: Neil Horman: "Re: Resource limits"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Neil Horman wrote:
> On Mon, Sep 26, 2005 at 11:26:10PM +0300, Al Boldi wrote:
> > Neil Horman wrote:
> > > On Mon, Sep 26, 2005 at 08:32:14PM +0300, Al Boldi wrote:
> > > > Neil Horman wrote:
> > > > > On Mon, Sep 26, 2005 at 05:18:17PM +0300, Al Boldi wrote:
> > > > > > Rik van Riel wrote:
> > > > > > > On Sun, 25 Sep 2005, Al Boldi wrote:
> > > > > > > > Too many process forks and your system may crash.
> > > > > > > > This can be capped with threads-max, but may lead you into a
> > > > > > > > lock-out.
> > > > > > > >
> > > > > > > > What is needed is a soft, hard, and a special emergency
> > > > > > > > limit that would allow you to use the resource for a limited
> > > > > > > > time to circumvent a lock-out.
> > > > > > >
> > > > > > > How would you reclaim the resource after that limited time is
> > > > > > > over ? Kill processes?
> > > > > >
> > > > > > That's one way, but really, the issue needs some deep thought.
> > > > > > Leaving Linux exposed to a lock-out is rather frightening.
> > > > >
> > > > > What exactly is it that you're worried about here?
> > > >
> > > > Think about a DoS attack.
> > >
> > > Be more specific. Are you talking about a fork bomb, a ICMP flood,
> > > what?
> >
> > How would you deal with a situation where the system hit the threads-max
> > ceiling?
>
> Nominally I would log the inability to successfully create a new
> process/thread, attempt to free some of my applications resources, and try
> again.

Consider this dilemma:
Runaway proc/s hit the limit.
Try to kill some and you are denied due to the resource limit.
Use some previously running app like top, hope it hasn't been killed by some
OOM situation, try killing some procs and another one takes it's place
because of the runaway situation.
Raise the limit, and it gets filled by the runaways.
You are pretty much stuck.

You may get around the problem by a user-space solution, but this will always
run the risks associated with user-space.

> > The issue here is a general lack of proper kernel support for resource
> > limits. The fork problem is just an example.
>
> Thats not really true. As Mr. Helsley pointed out, CKRM is available

Matthew Helsley wrote:
> Have you looked at Class-Based Kernel Resource Managment (CKRM)
> (http://ckrm.sf.net) to see if it fits your needs? My initial thought is
> that the CKRM numtasks controller may help limit forks in the way you
> describe.

Thanks for the link! CKRM is great!

Is there a CKRM-lite version? This would make it easier to be included into
the mainline, something that would concentrate on the pressing issues, like
lock-out prevention, and leave all the management features as an option.

Thanks!

--
Al

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Alejandro Bonilla: "Re: ipw2200 only works as a module?"
Previous message: Robert Schwebel: "Re: ADI Blackfin porting for kernel-2.6.13"
In reply to: Neil Horman: "Re: Resource limits"
Next in thread: Neil Horman: "Re: Resource limits"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]