Date: Thu, 09 Nov 2023 09:17:03 +0100
From: Alexander Leidinger <Alexander@Leidinger.net>
To: Robert Clausecker <fuz@fuz.su>
Cc: freebsd-arch@freebsd.org
Subject: Re: Any particular reason we don't have sshd oomprotected by default?
Message-ID: <79e9ef768da7ce9be14d3922b80c8104@Leidinger.net>
In-Reply-To: <ZUyTnDAJ3HOppG8h@fuz.su>
References: <8b9484ba83e373ece0e322e14c924da6@Leidinger.net> <ZUyTnDAJ3HOppG8h@fuz.su>

On 2023-11-09 09:09, Robert Clausecker wrote:
> Hi Alexander,
>
> I encountered the same issue a while ago, leaving my system in a
> vegetative state.  I would propose to add syslogd and cron to the

syslogd is already protected (at least in 14 and -current).

> list.  Syslogd because when it dies and you don't notice, you may go
> for a long time without syslogs, cron because a dead cron means no
> housekeeping tasks happen, including some which the administrator may
> have intended to fix an issue causing an OOM condition (e.g.
> periodically restarting services with known memory leaks or cleaning
> tmpfs-based file systems).

I thought about crond. I agree with your reasoning (I have some cronjobs
which are supposed to fix/workaround some issues which for whatever
reason can not be handled in a better way). On the other hand I disagree
as it can also be the cause of such an oom situation (that's the reason
why I didn't include it in my proposal).

If the general consensus is to add sshd and cron, I offer to do the work
to add it.

Bye,
Alexander.

> Yours,
> Robert Clausecker
>
> On Thu, Nov 09, 2023 at 08:54:22AM +0100, Alexander Leidinger wrote:
>> Hi,
>>
>> We have syslogd oomprotected by default (/etc/defaults/rc.conf). Is
>> there a particular reason we don't have sshd protected the same way?
>>
>> Any objections if I would commit such a change (sshd_oomprotect=YES in
>> defaults/rc.conf)?
>>
>> I was also thinking about which other daemon we should protect by
>> default, but apart from the need to make sure important logs are
>> written to find issues which may have caused the oom trigger, and the
>> need to be able to login to such a troubled system, I didn't see any
>> other service as such critical (we could argue about ntpd, but I tend
>> to be on the "may be protected" (not for my use cases) and not to be
>> on the "has to be protected" side) to include it in this proposal.
>>
>> Bye,
>> Alexander.
>>
>> --
>> http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
>> http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF