Date: Thu, 9 Nov 2000 16:29:41 +0000 (GMT)
From: Terry Lambert <tlambert@primenet.com>
To: keith.stevenson@louisville.edu (Keith Stevenson)
Cc: tlambert@primenet.com (Terry Lambert), dcs@newsguy.com (Daniel C. Sobral), arch@FreeBSD.ORG
Subject: Re: AIX SIGDANGER (was Re: softdep panic due to blocked malloc)
Message-ID: <200011091629.JAA20559@usr08.primenet.com>
In-Reply-To: <20001108175704.B1405@osaka.louisville.edu> from "Keith Stevenson" at Nov 08, 2000 05:57:04 PM

> This is a bit offtopic, but I couldn't help myself. (I'm an AIX admin)
>
> Quoting IBM's July 2000 system documentation CDROM:

[ ... SIGDANGER default action = ignore ... ]

> So, SIGDANGER doesn't buy you much unless your applications have a handler for
> it. (In my experience, most don't.) I was not very happy when I hit a low
> memory situation and AIX started committing random acts of violence against
> my process table. The system ended up being so hosed, I had to reboot to
> maintenance mode and repair a bunch of datafiles. (One of our production
> applications doesn't SIGKILL gracefully.)
>
> I think that SIGDANGER would make a lot more sense if its default action was
> the same as SIGTERM. SIGKILL'ing everything in sight isn't a lot cleaner
> (IMO) than letting the system crash.

FWIW, the last time I played with this particular issue was on a machine with too little swap and no ability to set the swap as a hog partition (one which would grow 4M at a time, until all unallocated PP's were allocated to it).

At the time, I am almost dead certain that SIGDANGER would act as SIGTERM, not be ignored, by default. Unfortunately (or fortunately), I rather doubt anyone could dig up a copy of AIX 3.x to verify this, so if I'm wrong, I'm wrong.

If I _am_ wrong, SIGDANGER is actually much more useful, IMO, in that it would alert processes to the "I'm about to start being violent". This wouldn't help programs that didn't set up their own handler to get them out of the blast radius, but on the other hand, it'd be a great incentive to set yourself up that way.

The only problem with this, of course, is that programs well enough behaved to heed the warning are probably not the problems in the first place.

It would be useful, instead, to change the kernel to commit "semi-random acts of violence": send SIGTERM in phases, and prefer to send it to programs _without_ a SIGDANGER handler.

The problem with this, of course, is once the behaviour is known, programs that are badly behaved will just register handlers that do nothing, to keep themselves out of harm's way, and even a well behaved program could be the victim of a DOS or a bug, so it really does very little overall to "fix" things, except that it lets programs that take the trouble to do all the work actually shut down gracefully.

All in all, it's still not useful for a kernel starvation, and it's only barely useful as itself, and then only against unintentional attacks that don't intentionally mimic degenerate cases.

					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message