From: Austin S Hemmelgarn <ahferroin7@gmail.com>
To: Tejun Heo <tj@kernel.org>
Cc: Aleksa Sarai <cyphar@cyphar.com>,
lizefan@huawei.com, mingo@redhat.com, peterz@infradead.org,
richard@nod.at, fweisbec@gmail.com, linux-kernel@vger.kernel.org,
cgroups@vger.kernel.org
Subject: Re: [PATCH RFC 0/2] add nproc cgroup subsystem
Date: Fri, 27 Feb 2015 13:49:53 -0500 [thread overview]
Message-ID: <54F0BC51.4050506@gmail.com> (raw)
In-Reply-To: <20150227170640.GK3964@htj.duckdns.org>
On 2015-02-27 12:06, Tejun Heo wrote:
> Hello,
>
> On Fri, Feb 27, 2015 at 11:42:10AM -0500, Austin S Hemmelgarn wrote:
>> Kernel memory consumption isn't the only valid reason to want to limit the
>> number of processes in a cgroup. Limiting the number of processes is very
>> useful to ensure that a program is working correctly (for example, the NTP
>> daemon should (usually) have an _exact_ number of children if it is
>> functioning correctly, and rpcbind shouldn't (AFAIK) ever have _any_
>> children), to prevent PID number exhaustion, to head off DoS attacks against
>> forking network servers before they get to the point of causing kmem
>> exhaustion, and to limit the number of processes in a cgroup that uses lots
>> of kernel memory very infrequently.
>
> All the use cases you're listing are extremely niche and can be
> trivially achieved without introducing another cgroup controller. Not
> only that, they're actually pretty silly. Let's say NTP daemon is
> misbehaving (or its code changed w/o you knowing or there are corner
> cases which trigger extremely infrequently). What do you exactly
> achieve by rejecting its fork call? It's just adding another
> variation to the misbehavior. It was misbehaving before and would now
> be continuing to misbehave after a failed fork.
>
I wouldn't think that preventing PID exhaustion would be all that much
of a niche case, it's fully possible for it to happen without using
excessive amounts of kernel memory (think about BIG server systems with
terabytes of memory running (arguably poorly written) forking servers
that handle tens of thousands of client requests per second, each
lasting multiple tens of seconds), and not necessarily as trivial as you
might think to handle sanely (especially if you want callbacks when the
limits get hit).
As far as being trivial to achieve, I'm assuming you are referring to
rlimit and PAM's limits module, both of which have their own issues.
Using pam_limits.so to limit processes isn't trivial because it requires
calling through PAM to begin with, which almost no software that isn't
login related does, and rlimits are tricky to set up properly with the
granularity that having a cgroup would provide.
> In general, I'm pretty strongly against adding controllers for things
> which aren't fundamental resources in the system. What's next? Open
> files? Pipe buffer? Number of flocks? Number of session leaders or
> program groups?
>
PID's are a fundamental resource, you run out and it's an only
marginally better situation than OOM, namely, if you don't already have
a shell open which has kill builtin (because you can't fork), or have
some other reliable way to terminate processes without forking, you are
stuck either waiting for the problem to resolve itself, or have to reset
the system.
> If you want to prevent a certain class of jobs from exhausting a given
> resource, protecting that resource is the obvious thing to do.
>
Which is why I'm advocating something that provides a more robust method
of preventing the system from exhausting PID numbers.
> Thanks.
>
next prev parent reply other threads:[~2015-02-27 18:50 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-23 3:08 [PATCH RFC 0/2] add nproc cgroup subsystem Aleksa Sarai
2015-02-23 3:08 ` [PATCH RFC 1/2] cgroups: allow a cgroup subsystem to reject a fork Aleksa Sarai
2015-02-23 14:49 ` Peter Zijlstra
2015-02-23 3:08 ` [PATCH RFC 2/2] cgroups: add an nproc subsystem Aleksa Sarai
2015-02-27 4:17 ` [RFC PATCH v2 0/2] add nproc cgroup subsystem Aleksa Sarai
2015-02-27 4:17 ` [PATCH v2 1/2] cgroups: allow a cgroup subsystem to reject a fork Aleksa Sarai
2015-03-09 3:06 ` Tejun Heo
[not found] ` <CAOviyaip7Faz98YWzGoTaXGYVb72sfD+ZL4Xa89reU9+=43jFA@mail.gmail.com>
[not found] ` <20150309065902.GP13283@htj.duckdns.org>
2015-03-10 8:19 ` Aleksa Sarai
2015-03-10 12:47 ` Tejun Heo
2015-03-10 14:51 ` Aleksa Sarai
2015-03-10 15:17 ` Tejun Heo
2015-03-11 5:16 ` Aleksa Sarai
2015-03-11 11:46 ` Tejun Heo
2015-03-11 23:47 ` Aleksa Sarai
2015-03-12 1:25 ` Tejun Heo
2015-02-27 4:17 ` [PATCH v2 2/2] cgroups: add an nproc subsystem Aleksa Sarai
2015-03-02 15:22 ` Tejun Heo
2015-03-09 1:49 ` Zefan Li
2015-03-09 2:34 ` Tejun Heo
2015-02-27 11:49 ` [PATCH RFC 0/2] add nproc cgroup subsystem Tejun Heo
2015-02-27 13:46 ` Richard Weinberger
2015-02-27 13:52 ` Tejun Heo
2015-02-27 16:42 ` Austin S Hemmelgarn
2015-02-27 17:06 ` Tejun Heo
2015-02-27 17:25 ` Tim Hockin
2015-02-27 17:45 ` Tejun Heo
2015-02-27 17:56 ` Tejun Heo
2015-02-27 21:45 ` Tim Hockin
2015-02-27 21:49 ` Tejun Heo
[not found] ` <CAAAKZwsCc8BtFx58KMFpRTohU81oCBeGVOPGMJrjJt9q5upKfQ@mail.gmail.com>
2015-02-28 16:57 ` Tejun Heo
2015-02-28 22:26 ` Tim Hockin
2015-02-28 22:50 ` Tejun Heo
2015-03-01 4:46 ` Tim Hockin
2015-02-28 23:11 ` Johannes Weiner
2015-02-27 18:49 ` Austin S Hemmelgarn [this message]
2015-02-27 19:35 ` Tejun Heo
2015-02-28 9:26 ` Aleksa Sarai
2015-02-28 11:59 ` Tejun Heo
[not found] ` <CAAAKZws45c3PhFQMGrm_K+OZV+KOyGV9sXTakHcTfNP1kHxzOQ@mail.gmail.com>
2015-02-28 16:43 ` Tejun Heo
2015-03-02 13:13 ` Austin S Hemmelgarn
2015-03-02 13:31 ` Aleksa Sarai
2015-03-02 13:54 ` Tejun Heo
2015-03-02 13:49 ` Tejun Heo
2015-02-27 17:12 ` Tim Hockin
2015-02-27 17:15 ` Tejun Heo
2015-03-04 20:23 ` [PATCH v3 0/2] cgroup: add pids subsystem Aleksa Sarai
2015-03-04 20:23 ` [PATCH v3 1/2] cgroups: allow a cgroup subsystem to reject a fork Aleksa Sarai
2015-03-04 20:23 ` [PATCH v3 2/2] cgroups: add a pids subsystem Aleksa Sarai
2015-03-05 8:39 ` Aleksa Sarai
2015-03-05 14:37 ` Marian Marinov
2015-03-06 1:45 ` [PATCH v4 0/2] cgroup: add " Aleksa Sarai
2015-03-06 1:45 ` [PATCH v4 1/2] cgroups: allow a cgroup subsystem to reject a fork Aleksa Sarai
2015-03-06 1:45 ` [PATCH v4 2/2] cgroups: add a pids subsystem Aleksa Sarai
2015-03-09 3:34 ` Tejun Heo
2015-03-09 3:39 ` Tejun Heo
2015-03-09 18:58 ` Austin S Hemmelgarn
2015-03-09 19:51 ` Tejun Heo
2015-03-10 8:10 ` Aleksa Sarai
2015-03-10 11:32 ` Austin S Hemmelgarn
2015-03-10 12:31 ` Aleksa Sarai
2015-03-11 15:13 ` Austin S Hemmelgarn
2015-03-12 2:28 ` Aleksa Sarai
2015-03-12 15:35 ` Austin S Hemmelgarn
2015-03-12 3:47 ` Tejun Heo
2015-03-09 3:08 ` [PATCH v4 0/2] cgroup: add " Tejun Heo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54F0BC51.4050506@gmail.com \
--to=ahferroin7@gmail.com \
--cc=cgroups@vger.kernel.org \
--cc=cyphar@cyphar.com \
--cc=fweisbec@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=lizefan@huawei.com \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=richard@nod.at \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox