From: Tejun Heo <tj@kernel.org>
To: Austin S Hemmelgarn <ahferroin7@gmail.com>
Cc: Aleksa Sarai <cyphar@cyphar.com>,
lizefan@huawei.com, mingo@redhat.com, peterz@infradead.org,
richard@nod.at, fweisbec@gmail.com, linux-kernel@vger.kernel.org,
cgroups@vger.kernel.org
Subject: Re: [PATCH RFC 0/2] add nproc cgroup subsystem
Date: Fri, 27 Feb 2015 14:35:39 -0500 [thread overview]
Message-ID: <20150227193539.GO3964@htj.duckdns.org> (raw)
In-Reply-To: <54F0BC51.4050506@gmail.com>
Hello, Austin.
On Fri, Feb 27, 2015 at 01:49:53PM -0500, Austin S Hemmelgarn wrote:
> As far as being trivial to achieve, I'm assuming you are referring to rlimit
> and PAM's limits module, both of which have their own issues. Using
> pam_limits.so to limit processes isn't trivial because it requires calling
> through PAM to begin with, which almost no software that isn't login related
> does, and rlimits are tricky to set up properly with the granularity that
> having a cgroup would provide.
...
> PID's are a fundamental resource, you run out and it's an only marginally
> better situation than OOM, namely, if you don't already have a shell open
> which has kill builtin (because you can't fork), or have some other reliable
> way to terminate processes without forking, you are stuck either waiting for
> the problem to resolve itself, or have to reset the system.
Right, this is an a lot more valid argument. Currently, we're capping
max pid at 4M which translates to some tens of gigs of memory which
isn't a crazy amount on modern machines. The hard(er) barrier would
be around 2^30 (2^29 from futex side, apparently) which would also be
reacheable on configurations w/ terabytes of memory.
I'll think more about it and get back.
Thanks a lot.
--
tejun
WARNING: multiple messages have this Message-ID (diff)
From: Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
To: Austin S Hemmelgarn <ahferroin7-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Cc: Aleksa Sarai <cyphar-gVpy/LI/lHzQT0dZR+AlfA@public.gmane.org>,
lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org,
mingo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
peterz-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org,
richard-/L3Ra7n9ekc@public.gmane.org,
fweisbec-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH RFC 0/2] add nproc cgroup subsystem
Date: Fri, 27 Feb 2015 14:35:39 -0500 [thread overview]
Message-ID: <20150227193539.GO3964@htj.duckdns.org> (raw)
In-Reply-To: <54F0BC51.4050506-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Hello, Austin.
On Fri, Feb 27, 2015 at 01:49:53PM -0500, Austin S Hemmelgarn wrote:
> As far as being trivial to achieve, I'm assuming you are referring to rlimit
> and PAM's limits module, both of which have their own issues. Using
> pam_limits.so to limit processes isn't trivial because it requires calling
> through PAM to begin with, which almost no software that isn't login related
> does, and rlimits are tricky to set up properly with the granularity that
> having a cgroup would provide.
...
> PID's are a fundamental resource, you run out and it's an only marginally
> better situation than OOM, namely, if you don't already have a shell open
> which has kill builtin (because you can't fork), or have some other reliable
> way to terminate processes without forking, you are stuck either waiting for
> the problem to resolve itself, or have to reset the system.
Right, this is an a lot more valid argument. Currently, we're capping
max pid at 4M which translates to some tens of gigs of memory which
isn't a crazy amount on modern machines. The hard(er) barrier would
be around 2^30 (2^29 from futex side, apparently) which would also be
reacheable on configurations w/ terabytes of memory.
I'll think more about it and get back.
Thanks a lot.
--
tejun
next prev parent reply other threads:[~2015-02-27 19:35 UTC|newest]
Thread overview: 108+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-23 3:08 [PATCH RFC 0/2] add nproc cgroup subsystem Aleksa Sarai
2015-02-23 3:08 ` Aleksa Sarai
2015-02-23 3:08 ` [PATCH RFC 1/2] cgroups: allow a cgroup subsystem to reject a fork Aleksa Sarai
2015-02-23 14:49 ` Peter Zijlstra
2015-02-23 3:08 ` [PATCH RFC 2/2] cgroups: add an nproc subsystem Aleksa Sarai
2015-02-27 4:17 ` [RFC PATCH v2 0/2] add nproc cgroup subsystem Aleksa Sarai
2015-02-27 4:17 ` Aleksa Sarai
2015-02-27 4:17 ` [PATCH v2 1/2] cgroups: allow a cgroup subsystem to reject a fork Aleksa Sarai
2015-02-27 4:17 ` Aleksa Sarai
2015-03-09 3:06 ` Tejun Heo
2015-03-09 3:06 ` Tejun Heo
[not found] ` <CAOviyaip7Faz98YWzGoTaXGYVb72sfD+ZL4Xa89reU9+=43jFA@mail.gmail.com>
[not found] ` <20150309065902.GP13283@htj.duckdns.org>
2015-03-10 8:19 ` Aleksa Sarai
2015-03-10 8:19 ` Aleksa Sarai
2015-03-10 12:47 ` Tejun Heo
2015-03-10 12:47 ` Tejun Heo
2015-03-10 14:51 ` Aleksa Sarai
2015-03-10 14:51 ` Aleksa Sarai
2015-03-10 15:17 ` Tejun Heo
2015-03-10 15:17 ` Tejun Heo
2015-03-11 5:16 ` Aleksa Sarai
2015-03-11 11:46 ` Tejun Heo
2015-03-11 23:47 ` Aleksa Sarai
2015-03-11 23:47 ` Aleksa Sarai
2015-03-12 1:25 ` Tejun Heo
2015-03-12 1:25 ` Tejun Heo
2015-02-27 4:17 ` [PATCH v2 2/2] cgroups: add an nproc subsystem Aleksa Sarai
2015-03-02 15:22 ` Tejun Heo
2015-03-02 15:22 ` Tejun Heo
2015-03-09 1:49 ` Zefan Li
2015-03-09 1:49 ` Zefan Li
2015-03-09 2:34 ` Tejun Heo
2015-03-09 2:34 ` Tejun Heo
2015-02-27 11:49 ` [PATCH RFC 0/2] add nproc cgroup subsystem Tejun Heo
2015-02-27 13:46 ` Richard Weinberger
2015-02-27 13:46 ` Richard Weinberger
2015-02-27 13:52 ` Tejun Heo
2015-02-27 13:52 ` Tejun Heo
2015-02-27 16:42 ` Austin S Hemmelgarn
2015-02-27 16:42 ` Austin S Hemmelgarn
2015-02-27 17:06 ` Tejun Heo
2015-02-27 17:06 ` Tejun Heo
2015-02-27 17:25 ` Tim Hockin
2015-02-27 17:25 ` Tim Hockin
2015-02-27 17:45 ` Tejun Heo
2015-02-27 17:56 ` Tejun Heo
2015-02-27 17:56 ` Tejun Heo
2015-02-27 21:45 ` Tim Hockin
2015-02-27 21:45 ` Tim Hockin
2015-02-27 21:49 ` Tejun Heo
[not found] ` <CAAAKZwsCc8BtFx58KMFpRTohU81oCBeGVOPGMJrjJt9q5upKfQ@mail.gmail.com>
2015-02-28 16:57 ` Tejun Heo
2015-02-28 22:26 ` Tim Hockin
2015-02-28 22:26 ` Tim Hockin
2015-02-28 22:50 ` Tejun Heo
2015-02-28 22:50 ` Tejun Heo
2015-03-01 4:46 ` Tim Hockin
2015-03-01 4:46 ` Tim Hockin
2015-02-28 23:11 ` Johannes Weiner
2015-02-28 23:11 ` Johannes Weiner
2015-02-27 18:49 ` Austin S Hemmelgarn
2015-02-27 18:49 ` Austin S Hemmelgarn
2015-02-27 19:35 ` Tejun Heo [this message]
2015-02-27 19:35 ` Tejun Heo
2015-02-28 9:26 ` Aleksa Sarai
2015-02-28 9:26 ` Aleksa Sarai
2015-02-28 11:59 ` Tejun Heo
2015-02-28 11:59 ` Tejun Heo
[not found] ` <CAAAKZws45c3PhFQMGrm_K+OZV+KOyGV9sXTakHcTfNP1kHxzOQ@mail.gmail.com>
2015-02-28 16:43 ` Tejun Heo
2015-02-28 16:43 ` Tejun Heo
2015-03-02 13:13 ` Austin S Hemmelgarn
2015-03-02 13:31 ` Aleksa Sarai
2015-03-02 13:31 ` Aleksa Sarai
2015-03-02 13:54 ` Tejun Heo
2015-03-02 13:54 ` Tejun Heo
2015-03-02 13:49 ` Tejun Heo
2015-02-27 17:12 ` Tim Hockin
2015-02-27 17:15 ` Tejun Heo
2015-02-27 17:15 ` Tejun Heo
2015-03-04 20:23 ` [PATCH v3 0/2] cgroup: add pids subsystem Aleksa Sarai
2015-03-04 20:23 ` [PATCH v3 1/2] cgroups: allow a cgroup subsystem to reject a fork Aleksa Sarai
2015-03-04 20:23 ` [PATCH v3 2/2] cgroups: add a pids subsystem Aleksa Sarai
2015-03-05 8:39 ` Aleksa Sarai
2015-03-05 14:37 ` Marian Marinov
2015-03-06 1:45 ` [PATCH v4 0/2] cgroup: add " Aleksa Sarai
2015-03-06 1:45 ` Aleksa Sarai
2015-03-06 1:45 ` [PATCH v4 1/2] cgroups: allow a cgroup subsystem to reject a fork Aleksa Sarai
2015-03-06 1:45 ` [PATCH v4 2/2] cgroups: add a pids subsystem Aleksa Sarai
2015-03-06 1:45 ` Aleksa Sarai
2015-03-09 3:34 ` Tejun Heo
2015-03-09 3:34 ` Tejun Heo
2015-03-09 3:39 ` Tejun Heo
2015-03-09 3:39 ` Tejun Heo
2015-03-09 18:58 ` Austin S Hemmelgarn
2015-03-09 18:58 ` Austin S Hemmelgarn
2015-03-09 19:51 ` Tejun Heo
2015-03-09 19:51 ` Tejun Heo
2015-03-10 8:10 ` Aleksa Sarai
2015-03-10 8:10 ` Aleksa Sarai
2015-03-10 11:32 ` Austin S Hemmelgarn
2015-03-10 12:31 ` Aleksa Sarai
2015-03-10 12:31 ` Aleksa Sarai
2015-03-11 15:13 ` Austin S Hemmelgarn
2015-03-11 15:13 ` Austin S Hemmelgarn
2015-03-12 2:28 ` Aleksa Sarai
2015-03-12 2:28 ` Aleksa Sarai
2015-03-12 15:35 ` Austin S Hemmelgarn
2015-03-12 3:47 ` Tejun Heo
2015-03-09 3:08 ` [PATCH v4 0/2] cgroup: add " Tejun Heo
2015-03-09 3:08 ` Tejun Heo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150227193539.GO3964@htj.duckdns.org \
--to=tj@kernel.org \
--cc=ahferroin7@gmail.com \
--cc=cgroups@vger.kernel.org \
--cc=cyphar@cyphar.com \
--cc=fweisbec@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=lizefan@huawei.com \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=richard@nod.at \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.