linux-kernel.vger.kernel.org archive mirror
From: Aleksa Sarai <asarai@suse.de>
To: Daniel Colascione <dancol@google.com>
Cc: Michal Hocko <mhocko@kernel.org>,
	linux-kernel <linux-kernel@vger.kernel.org>,
	rppt@linux.ibm.com, Tim Murray <timmurray@google.com>,
	Joel Fernandes <joelaf@google.com>,
	Suren Baghdasaryan <surenb@google.com>,
	Jonathan Corbet <corbet@lwn.net>,
	Andrew Morton <akpm@linux-foundation.org>,
	Roman Gushchin <guro@fb.com>,
	Mike Rapoport <rppt@linux.vnet.ibm.com>,
	Vlastimil Babka <vbabka@suse.cz>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	"Dennis Zhou (Facebook)" <dennisszhou@gmail.com>,
	Prashant Dhamdhere <pdhamdhe@redhat.com>,
	"open list:DOCUMENTATION" <linux-doc@vger.kernel.org>
Subject: Re: [PATCH v2] Document /proc/pid PID reuse behavior
Date: Mon, 19 Nov 2018 22:16:09 +1100
Message-ID: <20181119111609.v4j2j53zpd6hvk2c@mikami>
In-Reply-To: <CAKOZuevb-MED0QiL5RWJ0py=yt48=N7bPSq5bFqiwWcqN9L=Xg@mail.gmail.com>

On 2018-11-07, Daniel Colascione <dancol@google.com> wrote:
> On Wed, Nov 7, 2018 at 4:00 PM, Michal Hocko <mhocko@kernel.org> wrote:
> > On Wed 07-11-18 15:48:20, Daniel Colascione wrote:
> >> On Tue, Nov 6, 2018 at 1:05 PM, Michal Hocko <mhocko@kernel.org> wrote:
> >> > otherwise anybody could simply DoS the system
> >> > by consuming all available pids.
> >>
> >> People can do that today using the instrument of terror widely known
> >> as fork(2). The only thing standing between fork(2) and a full process
> >> table is RLIMIT_NPROC.
> >
> > not really.
> 
> What else, besides memory consumption and (as you mention below)
> cgroups? In practice, nobody uses RLIMIT_NPROC, so outside of various
> container-y namespaced setups, avoidance of
> system-DoS-through-PID-exhaustion isn't a pressing problem.

systemd has had a default pid cgroup controller policy (for both user
and system slices) for quite a long time. I believe that the most recent
versions of most enterprise and community distributions support it by
default (and probably even some older versions -- commit 49b786ea146f
was merged in 2015 and I think systemd grew support for it in 2016).

I agree with your overall point, but it should be noted that the vast
majority of Linux systems these days have protections against this (by
default) that use the pids cgroup controller.

-- 
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>
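
A way to check, on a given host, the protection the message above describes, as an added example that is not part of the original email: it resolves a process's pids cgroup from `/proc/<pid>/cgroup` text (v1 or v2) and reports the tightest `pids.max` on the path to the root, since the limit is charged against every ancestor. The sample cgroup paths, the temporary tree and the value 500 are constructed, and the v1 branch assumes the pids controller is mounted alone at `/sys/fs/cgroup/pids`.

```python
import os
import tempfile

# Constructed /proc/<pid>/cgroup contents (sample data, not from the thread).
SAMPLE_V1 = ("12:memory:/user.slice\n"
             "11:pids:/user.slice/user-1000.slice/session-1.scope\n")
SAMPLE_V2 = "0::/user.slice/user-1000.slice/session-1.scope\n"


def pids_cgroup_dir(proc_cgroup_text, cgroup_root="/sys/fs/cgroup"):
    """Map /proc/<pid>/cgroup text to the directory holding pids.* files."""
    unified = None
    for line in proc_cgroup_text.splitlines():
        hier_id, controllers, path = line.split(":", 2)
        rel = path.lstrip("/")
        if "pids" in controllers.split(","):
            # cgroup v1; assumes pids is mounted alone at <root>/pids
            return os.path.normpath(os.path.join(cgroup_root, "pids", rel))
        if hier_id == "0" and controllers == "":
            # cgroup v2 unified hierarchy
            unified = os.path.normpath(os.path.join(cgroup_root, rel))
    return unified


def effective_pids_limit(cg_dir, cgroup_root="/sys/fs/cgroup"):
    """Smallest pids.max from cg_dir up to cgroup_root; None means no limit."""
    limit = None
    cur, stop = os.path.normpath(cg_dir), os.path.normpath(cgroup_root)
    while True:
        try:
            with open(os.path.join(cur, "pids.max")) as fh:
                raw = fh.read().strip()
        except OSError:
            raw = "max"  # file absent: root cgroup or controller not enabled
        if raw != "max":
            limit = int(raw) if limit is None else min(limit, int(raw))
        if cur == stop or cur == os.path.dirname(cur):
            return limit
        cur = os.path.dirname(cur)


def demo():
    """Constructed v2 tree where an ancestor is tighter than the leaf."""
    with tempfile.TemporaryDirectory() as root:
        leaf = pids_cgroup_dir(SAMPLE_V2, root)
        os.makedirs(leaf)
        for cg, value in ((leaf, "max"), (os.path.dirname(leaf), "500")):
            with open(os.path.join(cg, "pids.max"), "w") as fh:
                fh.write(value + "\n")
        return effective_pids_limit(leaf, root)
```

On a live system, pass the contents of `/proc/self/cgroup` to `pids_cgroup_dir` and feed the result to `effective_pids_limit`; a return value of `None` means no pids limit applies anywhere on the path.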
