Date:	Wed, 1 Feb 2012 19:50:01 +0100
From:	Frederic Weisbecker <fweisbec@...il.com>
To:	Tejun Heo <tj@...nel.org>
Cc:	Andrew Morton <akpm@...ux-foundation.org>,
	Li Zefan <lizf@...fujitsu.com>,
	LKML <linux-kernel@...r.kernel.org>,
	"Kirill A. Shutemov" <kirill@...temov.name>,
	Paul Menage <paul@...lmenage.org>,
	Johannes Weiner <hannes@...xchg.org>,
	Aditya Kali <adityakali@...gle.com>,
	Oleg Nesterov <oleg@...hat.com>,
	Tim Hockin <thockin@...kin.org>,
	Containers <containers@...ts.linux-foundation.org>,
	Glauber Costa <glommer@...il.com>,
	Cgroups <cgroups@...r.kernel.org>,
	Daniel J Walsh <dwalsh@...hat.com>,
	"Daniel P. Berrange" <berrange@...hat.com>,
	KAMEZAWA Hiroyuki <kamezawa.hiroyu@...fujitsu.com>,
	Max Kellermann <mk@...all.com>,
	Mandeep Singh Baines <msb@...omium.org>
Subject: Re: [PATCH 00/10] cgroups: Task counter subsystem v8

On Wed, Feb 01, 2012 at 08:31:26AM -0800, Tejun Heo wrote:
> On Wed, Feb 01, 2012 at 04:37:40AM +0100, Frederic Weisbecker wrote:
> > Changes In this version:
> > 
> > - Split 32/64 bits version of res_counter_write_u64() [1/10]
> >   Courtesy of Kirill A. Shutemov
> > 
> > - Added Kirill's ack [8/10]
> > 
> > - Added selftests [9/10], [10/10]
> > 
> > Please consider for merging. At least two users want this feature:
> 
> Has there been further discussion about this approach?  IIRC, we
> weren't sure whether this should be merged.

The doubts I have noticed were:

Q: Can't we rather focus on a global solution to fight forkbombs?

If we can find a reliable solution that works in any case and that
prevents any forkbomb from impacting the rest of the system then it
may be an acceptable solution. But I'm not aware of such a feature.

Besides, another point in having this task counter is that we
have a per container limit. Assuming all containers are running under
the same user, we can protect against a container starving all others
with a massive amount of processes close to the NR_PROC rlimit.

Q: Can/should we implement a limitation on the number of "fork" as well?
   (as in https://lkml.org/lkml/2011/11/3/233 )

I'm still not sure about why such a thing is needed. Is it really something we
want? Why can't the task counter be used instead?

I need more details from the author of this patch. But I doubt we can merge
both subsystems, they have pretty different semantics.