Date: Fri, 17 Apr 2009 13:04:49 +0200
From: Mechiel Lukkien
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Message-ID: <20090417110449.GD8655@knaagkever.ueber.net>
In-Reply-To: <96d0e4dc833935103aec6f07dcb61cba@quintile.net>
Subject: Re: [9fans] security questions

On Fri, Apr 17, 2009 at 11:29:47AM +0100, Steve Simon wrote:
> I am interested in the idea of adding some kind of resource limits
> to plan9. If they existed I would probably open it up to external
> users, however different things would worry me:
>
> CPU use
> Implement the Fair share scheduler
>
> User memory
> Working swap would do me to fix this, but sadly rlimits would probably
> be easier to implement.
>
> Network bandwidth
> Again a FSS type algorithm delaying or dropping packets could rate
> control the network well I think.
>
> Dialing remote ports
> I don't become a spam relay so some restriction must be in place,
> I guess this would require a minor modification to the IP stack.
>
> Fork bombs
> Erik's mod would help, but add a second threshold where after 15 seconds
> you kill the proc that failed the most fork() calls - the danger here is a spam
> storm may cause listen(1) to be killed.
>
> Running out of kernel memory
> I don't perceive this as a problem, though this could be my lack of vision.

of all the resource capping on a public plan 9 server, i would say the
limits should be per user. not per-process (group) limits or similar.
i don't know how feasible that (accounting) is. e.g. make sure a single
user gets at most e.g. 50% of all available resources (memory, procs, cpu time).
seems fairest to me. leftover cpu time can be given to active users.
leftover memory should probably just go unused (unless you want to start
with swap, which lets you scale a bit further but has limits too).
if the per-user memory is too low, just add more memory so it won't be.
then at least multiple users can use the system and a single one cannot
lock it up.

dialing to the outside is perhaps easiest with an external firewall
(e.g. on adsl modem, they all have one nowadays). same for bandwidth
limiting. that won't fairly share the network bandwidth among the
users of the cpu servers, though, but will leave your home connection usable.

then there is "none". anyone can become none, and services run as none
(at least initially). with per-user limits, anyone can hog none's
resources, leaving none left for network services (which other users
need to login). perhaps this is the reason per-user limits won't work?
or what would be the impact of disallowing becoming none for
non-hostowners? normal users might not need it?

mjl
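A small model of the per-user cap proposed in the reply above, and of the "none" problem it raises, as an added illustration (not code from Plan 9 or from anyone in this thread); the total, the 50% cap, the page counts and the `become_none` step are constructed assumptions.

```python
"""Model of per-user resource capping with a shared 'none' account.

Added illustration, not Plan 9 code. Assumptions (hypothetical): a fixed
total of memory pages, a 50% cap per user name, and a 'none' pseudo-user
that any process may switch to, taking its charged pages along.
"""
from collections import defaultdict

TOTAL_PAGES = 1000   # constructed: total memory available on the cpu server
USER_CAP = 0.5       # at most 50% of resources per user, as proposed


class PerUserLimiter:
    def __init__(self, total=TOTAL_PAGES, cap=USER_CAP):
        self.total = total
        self.cap = cap
        self.used = defaultdict(int)   # pages charged per user name
        self.procs = {}                # pid -> (user, pages)

    def admit(self, pid, user, pages):
        """Charge `pages` to `user`; refuse if the per-user cap would be exceeded."""
        if self.used[user] + pages > self.total * self.cap:
            return False
        self.used[user] += pages
        self.procs[pid] = (user, pages)
        return True

    def become_none(self, pid):
        """'anyone can become none': the process's pages move from the
        original owner's account to none's, so none's quota absorbs them."""
        user, pages = self.procs[pid]
        self.used[user] -= pages
        self.used["none"] += pages
        self.procs[pid] = ("none", pages)


def none_starvation_demo():
    """Return (new none service admitted?, bob's usage, none's usage)."""
    lim = PerUserLimiter()
    lim.admit(1, "none", 100)     # a network service already runs as none
    lim.admit(2, "bob", 400)      # user bob starts a large process ...
    lim.become_none(2)            # ... and drops it to none
    # none's account is now at the 500-page cap: no further none service
    # (e.g. one needed for other users to log in) can be admitted,
    # while bob's own account shows nothing at all.
    return lim.admit(3, "none", 1), lim.used["bob"], lim.used["none"]
```

Running `none_starvation_demo()` yields `(False, 0, 500)`: the cap on bob never triggers, yet none is exhausted.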