Re: [9fans] protection against resource exhaustion

[arisawa <arisawa@ar.aichi-u.ac.jp>]

we don’t have perfect solution.
nevertheless, we must protect system.

if we search ideal (or nearly ideal) solution, we should assign limited resource to each user.
however this is a big job, I believe.

current plan9 system is running under shared resource model.
under this model, it is very hard to protect system from evil-minded users.

keeping this model, we can do something that is, of course, imperfect (but easy to implement, I believe).
for example:
(a) select processes that should keep running. (with resrcwait flag, for example)
(b) kill processe that failed to be allocated resource if it doesn’t has resrcwait flag.

this strategy has following problems:
(1) innocent processes may be killed.
the probability is small if the origin is careless program, but can be large by evil-mined program.
(2) error return from malloc() and fork() are disabled.

> 2015/01/27 23:10、erik quanstrom <quanstro@quanstro.net> のメール：
> 
>>> i think it will go the same way with fork protection.  how do you tell which program
>>> is at fault?  how do you tell a program forking at high frequency, with short lived
>>> children from a fork bomb?  (such as a busy web server.)
>> 
>> only system administrator knows which processes should keep running.
> 
> do you wake him up in the middle of the night if this happens to arbitrate?
> this knowledge of what should be preserved may only be post facto knowledge.
> "i'll know what to kill off once i see what's running."  which assumes a working
> fork, at least for the administrator.
> 
> in any event, i'd be interested in code that does do a good job, especially
> if it passes tests other than the trivial fork bomb, such as many users contributing
> to exhaustion.
> 
>> I have beeb writing codes believing those error return is working.
> 
> do you have tests?  did you write a test malloc that will fail when called
> at every location, and ensure sane behavior?
> 
> - erik
>