lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <4768FB5E-33D1-45B9-AA71-1D979F56B1B1@mac.com>
Date:	Fri, 12 Oct 2007 01:49:50 -0400
From:	Kyle Moffett <mrmacman_g4@....com>
To:	Al Boldi <a1426z@...ab.com>
Cc:	LKML Kernel <linux-kernel@...r.kernel.org>, g@...f.cl,
	Valdis Kletnieks <Valdis.Kletnieks@...edu>
Subject: Re: [PATCH] Reserve N process to root

On Oct 12, 2007, at 01:37:23, Al Boldi wrote:
> Kyle Moffett wrote:
>> This isn't really necessary any more with the new CFS scheduler.   
>> If you want to prevent excess memory usage then you limit memory  
>> usage, not process count, so just set the system max process count  
>> to something absurdly high and leave the user counts down at the  
>> maximum a user might run.  Then as long as the sum of the user  
>> processes is less than the max number of processes (which you just  
>> set absurdly high or unlimited), you may still log in.  With the  
>> per-user scheduling enabled CFS allows you to run an  
>> optimistically-real-time game as one user and several thousand  
>> busy-loops as another user and get almost picture perfect 50% CPU  
>> distribution between the users. To me that seems a much better DoS- 
>> prevention system than limits which don't scale based on how many  
>> people are requesting resources.
>
> You have a point, and resource-controllers can probably control DoS  
> a lot better, but the they also incur more overhead.  Think of this  
> "lockout prevention" patch as a near zero overhead safety valve.

But why do you need to add "lockout prevention" if it already  
exists?  With CFS' extremely efficient per-user-scheduling (hopefully  
soon to be the default) there are only two forms of lockout by non- 
root processes:  (1) Running out of PIDs in the box's PID-space  
(think tens or hundreds of thousands of processes), or (2) Swap- 
storming the box to death.  To put it bluntly trying to reserve free  
PID slots is attacking the wrong end of the problem and your so  
called "lockout prevention" could very easily ensure that 10 PIDs are  
available even if the user has swapstormed the box with the PIDs he  
does have.

Cheers,
Kyle Moffett
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ