Date: Sat, 6 Jun 2020 15:28:50 +0100
From: Al Viro <viro@...iv.linux.org.uk>
To: Tiezhu Yang <yangtiezhu@...ngson.cn>
Cc: Jonathan Corbet <corbet@....net>, linux-fsdevel@...r.kernel.org,
linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org,
Xuefeng Li <lixuefeng@...ngson.cn>
Subject: Re: [PATCH 2/3] fs: Introduce cmdline argument exceed_file_max_panic
On Sat, Jun 06, 2020 at 02:32:19PM +0800, Tiezhu Yang wrote:
> It is important to ensure that files that are opened always get closed.
> Failing to close files can result in file descriptor leaks. One common
> answer to this problem is to just raise the limit of open file handles
> and then restart the server every day or every few hours; this is not
> a good idea for long-lived servers if there are no leaks.
>
> If there exist file descriptor leaks, when the file-max limit is reached,
> we can see that the system cannot work well and at worst the user can do
> nothing; it is even impossible to execute the reboot command due to too
> many open files in the system. In order to reboot automatically to recover
> to the normal status, introduce a new cmdline argument exceed_file_max_panic
> for the user to control whether to call panic in this case.
What the hell? You are modifying the path for !CAP_SYS_ADMIN. IOW,
you've just handed an ability to panic the box to any non-privileged
process.
NAK. That makes no sense whatsoever. Note that root is *NOT* affected
by any of that, so you can bloody well have a userland process running
as root and checking the number of files once in a while. And doing
whatever it wants to do, up to and including reboot/writing to
/proc/sys/sysrq-trigger, etc. Or just looking at the leaky processes
and killing them, with a nastygram along the lines of "$program appears
to be leaking descriptors; LART the authors of that FPOS if they can
be located" sent into log/over mail/etc.
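The root-side watchdog Al Viro describes, as an added example that is not code from this thread, the patch under discussion, or the kernel: it reads /proc/sys/fs/file-nr (allocated handles, unused handles, file-max), and once usage crosses a threshold it ranks processes by the number of entries in /proc/<pid>/fd and reports the largest consumers with the process name from /proc/<pid>/comm. The 0.9 threshold, the top-5 cutoff and the sample file-nr strings are constructed assumptions; what to do with the offenders (log, mail, kill, reboot) is left to whatever policy the operator wires into the reporting step, which is the point of doing this from a privileged userland process rather than in the kernel.

```python
"""Open-file watchdog run as root (added example; assumptions marked).

Reads /proc/sys/fs/file-nr, whose three fields are: allocated file handles,
unused handles (0 on current kernels) and the file-max limit. When usage
crosses a threshold, ranks processes by entries in /proc/<pid>/fd so the
leaky ones can be reported. Sample inputs in the docstrings are constructed.
"""
import os
from typing import Dict, List, Tuple

PROC_ROOT = "/proc"
THRESHOLD = 0.9  # assumed: alert at 90% of file-max
TOP_N = 5        # assumed: report the five biggest fd holders


def parse_file_nr(text: str) -> Tuple[int, int, int]:
    """Parse a file-nr line such as '9024\t0\t9223372036854775807'."""
    fields = text.split()
    if len(fields) != 3:
        raise ValueError("unexpected file-nr format: %r" % text)
    allocated, unused, maximum = (int(f) for f in fields)
    return allocated, unused, maximum


def usage_ratio(allocated: int, maximum: int) -> float:
    """Fraction of file-max currently allocated."""
    if maximum <= 0:
        raise ValueError("file-max must be positive")
    return allocated / maximum


def over_threshold(allocated: int, maximum: int, threshold: float = THRESHOLD) -> bool:
    return usage_ratio(allocated, maximum) >= threshold


def count_fds(proc_root: str = PROC_ROOT) -> Dict[int, int]:
    """Map pid -> number of open descriptors, for every process we can read.

    Needs root (or CAP_SYS_PTRACE) to list other users' /proc/<pid>/fd.
    """
    counts: Dict[int, int] = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            counts[int(name)] = len(os.listdir(os.path.join(proc_root, name, "fd")))
        except OSError:
            continue  # process exited or fd directory not readable
    return counts


def top_consumers(counts: Dict[int, int], n: int = TOP_N) -> List[Tuple[int, int]]:
    """Largest fd holders first; ties broken by lower pid for stable output."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def process_name(pid: int, proc_root: str = PROC_ROOT) -> str:
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as f:
            return f.read().strip()
    except OSError:
        return "?"


def nastygram(pid: int, name: str, nfds: int) -> str:
    """The log/mail message for one suspected leaker."""
    return "%s (pid %d) holds %d descriptors and appears to be leaking them" % (name, pid, nfds)


def check_once(file_nr_text: str, counts: Dict[int, int],
               threshold: float = THRESHOLD, n: int = TOP_N) -> List[Tuple[int, int]]:
    """One watchdog pass: empty list when usage is below threshold, else the
    top-n (pid, fd count) pairs to report."""
    allocated, _unused, maximum = parse_file_nr(file_nr_text)
    if not over_threshold(allocated, maximum, threshold):
        return []
    return top_consumers(counts, n)


def main() -> None:
    """Single pass against the live system; run periodically from cron or a timer."""
    with open(os.path.join(PROC_ROOT, "sys", "fs", "file-nr")) as f:
        text = f.read()
    for pid, nfds in check_once(text, count_fds()):
        print(nastygram(pid, process_name(pid), nfds))


if __name__ == "__main__":
    main()
```

Because the decision is made in userland, a misbehaving process can at worst make the watchdog report it; it cannot trigger the reporting path for other users, which is the difference from a kernel-side panic reachable without CAP_SYS_ADMIN.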