Re: Resource Limits Architecture

Jesse Pollard (pollard@tomcat.admin.navo.hpc.mil)
Fri, 17 Sep 1999 10:26:32 -0500 (CDT)

From: "Stephen C. Tweedie" <sct@redhat.com>
> From: "Stephen C. Tweedie" <sct@redhat.com>
> MIME-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> Message-ID: <14306.19657.730958.715479@dukat.scot.redhat.com>
> Date: Fri, 17 Sep 1999 15:14:33 +0100 (BST)
> To: Jordan Mendelson <jordy@wserv.com>
> Cc: linux-kernel@vger.rutgers.edu, Stephen Tweedie <sct@redhat.com>
> Subject: Re: Resource Limits Architecture
> In-Reply-To: <37E0B2C8.A3F32849@wserv.com>
> References: <37E0B2C8.A3F32849@wserv.com>
> Sender: owner-linux-kernel@vger.rutgers.edu
> Precedence: bulk
> X-Loop: majordomo@vger.rutgers.edu
> X-Orcpt: rfc822;linux-kernel-outgoing-dig
> Status: N
> Content-Length: 1755
> X-Lines: 42
> X-Display-Position: 0
>
> Hi,
>
> On Thu, 16 Sep 1999 05:05:12 -0400, Jordan Mendelson <jordy@wserv.com> said:
>
> > A few days ago I mentioned that robust resource limits really didn't
> > exist in Linux. Alan Cox (who I thought moved to the US,
>
> Not unless the US has larger territorial ambitions than I thought. :)
>
> > I have searched high and low and can't find a good complete resource limits
> > architecture in any Unix implementation. As I see it, there should be a few
> > different categories of limits:
>
> > Per-System : Limits which are placed on all processes
> > Per-Group : Limits which are placed on all processes from a group id
> > Per-User : Limits which are placed on all processes from a user id
> > Per-Process Group : Limits which are placed on a group of processes (shared)
> > Per-Process : Limits which are placed on a process
> > Per-Thread Group : Limits which are placed on a group of threads (shared)
> > Per-Thread : Limits which are placed on a thread
>
I prefer the "Group" to be "Project" to separate the accounting function
from grop access controls. There is no reason to multiply the accounting
difficulties by mixing the two in large environments (as I am).

> Ouch. Now every time I want to, say, perform a page fault, the kernel
> has to check the process's resident set size against 7 separate limits?
> And update those 7 limits too, causing 7 separate cache misses if
> another CPU is hosting another thread of the same process and wants to
> do the same thing?
>
You only compair aginst the minimum of the collection, computed when a
job/session is started. All processes created afterwards deduct from the
job/session accounting structure which would have only one value per
resource.

> That is way overkill, I'm afraid. Per-process (ie. per-thread-group)
> and per-user is a much more manageable set and entirely covers the main
> reasons why people want this: protection against a single runaway
> process, and protection against a user DoS attack.
>
Doesn't really protect against a DoS attack. The system manager can still
oversubscribe the available resources (just as disk quotas frequently are).

> > Is this a bit of an overkill?
>
> No, it's a lot of an overkill. :)
>

Actually, only if a primitive implementation is done. What is actually used
in other systems:

1. User logs in
job session id is created with:
minimum of per process, per group(account), per thread, per user,
per system is loaded into a prototype accounting structure.
If the job initialization procedure determines that there is not enough
resources to start the job, then a "insufficient resources ..." message
is given to the user, and the login/cron/batch job is terminated, or not
started at all (batch queueing systems tend to do this).
2. Process creation subtracts from the session limits listed in the accounting
structure.
3. resources are controled by checking aginst the session accounting
structure. Only one comparison per resource.

-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollard@navo.hpc.mil

Any opinions expressed are solely my own.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/