From mboxrd@z Thu Jan 1 00:00:00 1970 References: <0F748B67-FB11-464C-84FA-66B4E0B29918@9.offblast.org> <44900c0d4896622fa8a9411b05efe730@brasstown.quanstro.net> <7A132462-4747-471A-A4BF-D9381E38A4EA@ar.aichi-u.ac.jp> <4c37cf728d5b0e7ae4ebd3c2e0c2cee4@brasstown.quanstro.net> <3a6fb8671dae34eb5b4e0ebe3992bcfd@brasstown.quanstro.net> <1fccf1df5e46d5fa5235a40a90a001e3@brasstown.quanstro.net> From: Quintile Content-Type: text/plain; charset=utf-8 In-Reply-To: Message-Id: <068F2ED1-D863-47CC-A72F-4BFE5A17144C@quintile.net> Date: Wed, 28 Jan 2015 07:48:42 +0000 To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net> Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (1.0) Subject: Re: [9fans] protection against resource exhaustion Topicbox-Message-UUID: 3ce3d532-ead9-11e9-9d60-3106f5b1d025 I always thought the best solution for a university system, is to implement t= he fair share scheduler. thus people can use any resource the want on an idl= e machine, but a saturated machine splits its load based on rules. I had this experience when I managed a cray (YMP-El only) and it worked perf= ectly. it did not limit processes per user, but it could. similarly ram use and network bandwidth - though this only works per machine= . personally I like erik's idea, though I would make it a boot option. I would also keep malloc() returning nil on fail, but add emalloc() to libc.= and finally have an environment car that makes emalloc() clas sys fatal)) or= abort() - for debug. Steve > On 28 Jan 2015, at 06:50, arisawa wrote: >=20 > Hello, >=20 >> nonetheless, i have experience running multi-user plan 9 systems, and use= rs >> were not usually the issue. >=20 > Eric=E2=80=99s users are all gentleman, all careful people and all skillfu= l programmers. > If your system is served for university students, you will have different t= hought. >=20 >> i think you've turned a problem with bounded recovery time into a >> situation where the recovery code itself will inadvertently dos attack it= s >> users. >=20 > in case that a process failed in getting resource such as memory or proces= s,=20 > what it should do is very limited: puts out some message and exits. > this is right behavior. > I have never seen programs that retry malloc() or fork() until succeed. > if all processes retry them, the system will get down. > this is what I have observed in current plan9 kernel. >=20 > if any one has cleaner solution, i.e., a solution that never kill innocent= process, > I want to see it. >=20 >=20