lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20151110172915.GA13740@mtj.duckdns.org>
Date:	Tue, 10 Nov 2015 12:29:15 -0500
From:	Tejun Heo <tj@...nel.org>
To:	Max Kellermann <mk@...all.com>
Cc:	cgroups@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] cgroup_pids: add fork limit

On Tue, Nov 10, 2015 at 06:06:12PM +0100, Max Kellermann wrote:
> No, Tejun, the "cpu" controller does not do what my feature does: like
> I said, it only changes the priority, or let's rephrase (to account
> for the "absolute CPU cycle bandwith" thing): it changes the amount of
> CPU cycles a process gets every period.
> 
> But it does NOT put an upper limit on total consumed CPU cycles!  It
> will only slow down a frantic process, but it will not stop it.
> Stopping it is what I want.  Once process crosses the limits I
> configured, there's no point in keeping it running.

It's not a stateful resource.  Of course the resource is controlled in
terms of bandwidth not absoulte amount consumed.  That's what we do
with all stateless resources.  It's absurd to limit absoulte amount
for CPU cycles.  The only action possible from there on would be
terminating the group.  If you wanna do that, do so from userspace.

> You may disagree that the feature I implemented is useful, and you may
> not want it merged, but do not say that I missed a kernel feature,
> because that's not true.
>
> The Linux kernel currently does not have a feature that can emulate
> the fork limit that I implemented.  Useful or not, it doesn't exist.

The point is that the missing "feature" is really a non-starter.  What
if the process falls into infinite loop on fork failures?  It's just a
silly thing to implement.

Thanks.

-- 
tejun
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ