From: Terry Lambert
Message-Id: <200011091629.JAA20559@usr08.primenet.com>
Subject: Re: AIX SIGDANGER (was Re: softdep panic due to blocked malloc)
To: keith.stevenson@louisville.edu (Keith Stevenson)
Date: Thu, 9 Nov 2000 16:29:41 +0000 (GMT)
Cc: tlambert@primenet.com (Terry Lambert), dcs@newsguy.com (Daniel C. Sobral), arch@FreeBSD.ORG
In-Reply-To: <20001108175704.B1405@osaka.louisville.edu> from "Keith Stevenson" at Nov 08, 2000 05:57:04 PM

> This is a bit offtopic, but I couldn't help myself. (I'm an AIX admin)
>
> Quoting IBM's July 2000 system documentation CDROM:

[ ... SIGDANGER default action = ignore ... ]

> So, SIGDANGER doesn't buy you much unless your applications have a handler for
> it. (In my experience, most don't.) I was not very happy when I hit a low
> memory situation and AIX started committing random acts of violence against
> my process table. The system ended up being so hosed, I had to reboot to
> maintenance mode and repair a bunch of datafiles. (One of our production
> applications doesn't SIGKILL gracefully.)
>
> I think that SIGDANGER would make a lot more sense if its default action was
> the same as SIGTERM. SIGKILL'ing everything in sight isn't a lot cleaner
> (IMO) than letting the system crash.

FWIW, the last time I played with this particular issue was on a
machine with too little swap and no ability to set the swap as a
hog partition (one which would grow 4M at a time, until all
unallocated PP's were allocated to it).

At the time, I am almost dead certain that SIGDANGER would act as
SIGTERM, not be ignored, by default. Unfortunately (or fortunately),
I rather doubt anyone could dig up a copy of AIX 3.x to verify this,
so if I'm wrong, I'm wrong.

If I _am_ wrong, SIGDANGER is actually much more useful, IMO, in
that it would alert processes to the "I'm about to start being
violent". This wouldn't help programs that didn't set up their own
handler to get them out of the blast radius, but on the other hand,
it'd be a great incentive to set yourself up that way.

The only problem with this, of course, is that programs well enough
behaved to heed the warning are probably not the problems in the
first place.

It would be useful, instead, to change the kernel to commit
"semi-random acts of violence": send SIGTERM in phases, and prefer
to send it to programs _without_ a SIGDANGER handler.

The problem with this, of course, is once the behaviour is known,
programs that are badly behaved will just register handlers that do
nothing, to keep themselves out of harm's way, and even a well
behaved program could be the victim of a DOS or a bug, so it really
does very little overall to "fix" things, except that it lets
programs that take the trouble to do all the work actually shut down
gracefully.

All in all, it's still not useful for a kernel starvation, and it's
only barely useful as itself, and then only against unintentional
attacks that don't intentionally mimic degenerate cases.

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.