Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 10 Mar 2006 14:39:42 +0200
From:      Kostik Belousov <kostikbel@gmail.com>
To:        Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>
Cc:        Michael Proto <mike@jellydonut.org>, freebsd-stable@freebsd.org, Peter Jeremy <peterjeremy@optushome.com.au>
Subject:   Re: RELENG_4 on flash disk and swap
Message-ID:  <20060310123942.GI37572@deviant.kiev.zoral.com.ua>
In-Reply-To: <20060310121758.S80837@atlantis.atlantis.dp.ua>
References:  <20060302181625.I3905@atlantis.atlantis.dp.ua> <76FAD2DB-CD18-42D4-95C8-F016CFB17B00@segpub.com.au> <20060303110936.R86586@atlantis.atlantis.dp.ua> <20060303185157.GB692@turion.vk2pj.dyndns.org> <20060304001224.G356@atlantis.atlantis.dp.ua> <20060304065138.GD692@turion.vk2pj.dyndns.org> <20060310121758.S80837@atlantis.atlantis.dp.ua>
next in thread | previous in thread | raw e-mail | index | archive | help 

--9JSHP372f+2dzJ8X
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Mar 10, 2006 at 01:57:50PM +0200, Dmitry Pryanishnikov wrote:
>=20
>  This is still a concern for me. IMHO it would be useful to have the abil=
ity
> to disable process killing due to the lack of swap, because having this
> enabled on e.g. transit router can lead to very unpleasant scenario.=20
> Imagine someone DoS-attacks it's sshd, and kernel kills the process with=
=20
> the largest RSS - it could e.g. be a vital part of the routing software=
=20
> (zebra/ripd/bgpd), and killing this process will render our router=20
> unreachable and unusable!

Then, what should kernel do ? It kills the process because it _needs_
the page. Usually, this page is needed to fill the frame that was already
allocated by some process, so, SIGKILL is another way to report ENOMEM.

The only way to prevent this situation is to never satisfy
memory address range requests that (potentially) cannot be backed
by real memory (this includes swap) in the future.

Some time ago I did implemented such behaviour ("disable overcommit switch"=
).
Patch was applicable at the times of 6-CURRENT. I could blow
the dust off if somebody becomes interested in testing.

Latest version is available at
http://kostikbel.narod.ru/overcommit/


--9JSHP372f+2dzJ8X
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFEEXONC3+MBN1Mb4gRAic3AKDZOwLCv3Z2cQ3v8zTk2nsalE4kWwCfWlxd
gtFfObB16DlIjH5FkP3rkuM=
=L7sA
-----END PGP SIGNATURE-----

--9JSHP372f+2dzJ8X--

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060310123942.GI37572>