From: Tejun Heo <tj@kernel.org>
To: Austin S Hemmelgarn <ahferroin7@gmail.com>
Cc: Aleksa Sarai <cyphar@cyphar.com>, lizefan@huawei.com, mingo@redhat.com, peterz@infradead.org, richard@nod.at, fweisbec@gmail.com, linux-kernel@vger.kernel.org, cgroups@vger.kernel.org
Subject: Re: [PATCH RFC 0/2] add nproc cgroup subsystem
Date: Fri, 27 Feb 2015 14:35:39 -0500
Message-ID: <20150227193539.GO3964@htj.duckdns.org>
In-Reply-To: <54F0BC51.4050506@gmail.com>

Hello, Austin.

On Fri, Feb 27, 2015 at 01:49:53PM -0500, Austin S Hemmelgarn wrote:
> As far as being trivial to achieve, I'm assuming you are referring to rlimit
> and PAM's limits module, both of which have their own issues. Using
> pam_limits.so to limit processes isn't trivial because it requires calling
> through PAM to begin with, which almost no software that isn't login related
> does, and rlimits are tricky to set up properly with the granularity that
> having a cgroup would provide.
...
> PID's are a fundamental resource, you run out and it's an only marginally
> better situation than OOM, namely, if you don't already have a shell open
> which has kill builtin (because you can't fork), or have some other reliable
> way to terminate processes without forking, you are stuck either waiting for
> the problem to resolve itself, or have to reset the system.

Right, this is a lot more valid argument. Currently, we're capping
max pid at 4M which translates to some tens of gigs of memory which
isn't a crazy amount on modern machines. The hard(er) barrier would
be around 2^30 (2^29 from futex side, apparently) which would also be
reachable on configurations w/ terabytes of memory.

I'll think more about it and get back.

Thanks a lot.

--
tejun
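Added example, not part of the message above or of the patch set: a PID-headroom check that uses only shell builtins (`read`, `set`, arithmetic, `printf`), so it keeps working in the situation the quoted text describes, where the shell can no longer fork. The function names, the 80% threshold and the sample lines are assumptions made here; usage is approximated as the total task count in `/proc/loadavg` against `kernel.pid_max`, read in the initial PID namespace.

```shell
#!/bin/sh
# Added example: no external commands and no $(...) are used, because
# both need fork(), which is exactly what fails when PIDs run out.

# parse_tasks LOADAVG_LINE: sets TASKS to the total number of tasks.
# The 4th field of /proc/loadavg is "runnable/total", e.g. "2/1187".
parse_tasks() {
    set -- $1                      # split the line into $1..$5
    [ $# -ge 4 ] || return 2       # not a loadavg line
    TASKS=${4#*/}                  # keep the part after the slash
    case $TASKS in ''|*[!0-9]*) return 2 ;; esac
}

# pid_headroom PID_MAX LOADAVG_LINE [WARN_PCT]
# Sets PID_USED, PID_FREE and PID_PCT. Returns 0 below WARN_PCT
# (default 80), 1 at or above it, 2 on unparsable input.
pid_headroom() {
    parse_tasks "$2" || return 2
    case $1 in ''|*[!0-9]*|0) return 2 ;; esac
    PID_USED=$TASKS
    PID_FREE=$(( $1 - TASKS ))
    PID_PCT=$(( TASKS * 100 / $1 ))
    [ "$PID_PCT" -lt "${3:-80}" ]
}

# check_proc [WARN_PCT]: same check against the live system, reading the
# two proc files with the read builtin instead of cat.
check_proc() {
    read -r max < /proc/sys/kernel/pid_max || return 2
    read -r line < /proc/loadavg || return 2
    pid_headroom "$max" "$line" "$@"
}

# Constructed sample: pid_max at the 4M cap (4194304), 1187 tasks.
pid_headroom 4194304 "0.52 0.40 0.31 2/1187 90210" &&
    printf 'used=%s free=%s pct=%s%%\n' "$PID_USED" "$PID_FREE" "$PID_PCT"
```

Sourcing this into a long-lived root shell ahead of time gives `check_proc` the same property as the `kill` builtin mentioned in the quoted text: it needs no new process to run.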