From owner-freebsd-arch@FreeBSD.ORG  Sat Jun  2 11:30:24 2012
Return-Path: <owner-freebsd-arch@FreeBSD.ORG>
Delivered-To: freebsd-arch@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 74216106566C;
	Sat,  2 Jun 2012 11:30:24 +0000 (UTC) (envelope-from avg@FreeBSD.org)
Received: from citadel.icyb.net.ua (citadel.icyb.net.ua [212.40.38.140])
	by mx1.freebsd.org (Postfix) with ESMTP id 9F94B8FC0C;
	Sat,  2 Jun 2012 11:30:22 +0000 (UTC)
Received: from porto.starpoint.kiev.ua (porto-e.starpoint.kiev.ua
	[212.40.38.100])
	by citadel.icyb.net.ua (8.8.8p3/ICyb-2.3exp) with ESMTP id OAA23639;
	Sat, 02 Jun 2012 14:30:20 +0300 (EEST)
	(envelope-from avg@FreeBSD.org)
Received: from localhost ([127.0.0.1])
	by porto.starpoint.kiev.ua with esmtp (Exim 4.34 (FreeBSD))
	id 1SamXE-000INm-Ht; Sat, 02 Jun 2012 14:30:20 +0300
Message-ID: <4FC9F94B.8060708@FreeBSD.org>
Date: Sat, 02 Jun 2012 14:30:19 +0300
From: Andriy Gapon <avg@FreeBSD.org>
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64;
	rv:12.0) Gecko/20120503 Thunderbird/12.0.1
MIME-Version: 1.0
To: Julian Elischer <julian@FreeBSD.org>
References: <4FAC3EAB.6050303@delphij.net> <861umkurt8.fsf@ds4.des.no>
	<CAJ-VmokY+pgcq999NHShbq-3rK3=oeWT2WY7NmTvVdXOHZJhdg@mail.gmail.com>
	<CAF6rxgmDW21aPJ5Mp6Tbk1z02ivw4UPhSaNEX+Wiu7O0v13skA@mail.gmail.com>
	<20120517055425.GA802@infradead.org>
	<4FC762DD.90101@FreeBSD.org> <4FC81D9C.2080801@FreeBSD.org>
	<4FC8E29F.2010806@shatow.net> <4FC95A10.7000806@freebsd.org>
In-Reply-To: <4FC95A10.7000806@freebsd.org>
X-Enigmail-Version: 1.5pre
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: Adrian Chadd <adrian@FreeBSD.org>, Doug Barton <dougb@FreeBSD.org>,
	d@delphij.net, Eitan Adler <lists@eitanadler.com>,
	freebsd-arch@FreeBSD.org,
	=?ISO-8859-1?Q?Dag-Erling_Sm=F8rgrav?= <des@des.no>,
	Edward Tomasz Napierala <trasz@FreeBSD.org>,
	Bryan Drewery <bryan@shatow.net>
Subject: Re: Allow small amount of memory be mlock()'ed by unprivileged
	process?
X-BeenThere: freebsd-arch@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussion related to FreeBSD architecture <freebsd-arch.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-arch>,
	<mailto:freebsd-arch-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-arch>
List-Post: <mailto:freebsd-arch@freebsd.org>
List-Help: <mailto:freebsd-arch-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-arch>,
	<mailto:freebsd-arch-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Jun 2012 11:30:24 -0000

on 02/06/2012 03:10 Julian Elischer said the following:
> I'd go a different route.
> I'd have it inherited, and I'd have the value be 0 by default, but settable to
> some different value at login.conf, or by an ancestor with root privs.

I think that this is how the limits work in general :-)
I agree that defaulting the limit to 0 for non-privileged users is a good idea,
at least at the beginning.  For super-user we might want to keep the limit uncapped.

Some further technical observations:
o  I was overly optimistic about _full_ support for RLIMIT_MEMLOCK - mlockall()
doesn't support itat the moment and I am not sure if it is easy to implement the
support for the MCL_FUTURE case.

o  Currently the default class in default login.conf has memorylocked=unlimited
- not very smart.

o  There is also vm.max_wired sysctl (with no equivalent tunable), which
specifies number of _pages_ that can be wired system wide (by both kernel and
userland).  But note that the limit applies only to userland requests, the
kernel is allowed to wire new pages even when the limit is exceeded.  By default
the limit is set to 1/3 of available pages.
So watch out for this limit when using ZFS, ZFS can easily starve userland.

o  I've just discovered :-) that we also have RCTL/RACCT framework (not enabled
by default) aka "Resource Accounting" / "Resource Limits", which seems to
parallel the conventional limits in many categories including the locked memory.
 Not sure why we have that and if the interactions between conventional limits,
resource limits and privileges would be easy to untangle.

o  A general observation that our way of setting resource limits via login
classes (login.conf) seems to be inferior to limits.conf way of Linux.

More about the last point.
In addition to the traditional users and groups we also have login classes.
Initial (conventional) resource limits can be set only via login.conf, i.e. via
the classes.  The classes can be assigned only in master.passwd and thus only to
users.  So if I want to increase some limit for a group, then I have to create
(and maintain) a parallel class and assign that class to all users in question.
Now imagine a case of a user being in several groups.
Ability to specify the limits on per-user/per-group basis like it is done with
Linux limits.conf seems to be more convenient.
The new rctl framework also allows to set resource limits for "process, user,
login class, or jail".  'group' is missing from the list.

-- 
Andriy Gapon