Date: Tue, 10 Nov 2015 10:12:23 -0500
From: Tejun Heo <tj@kernel.org>
To: Max Kellermann <mk@cm4all.com>
Cc: cgroups@vger.kernel.org, cyphar@cyphar.com, lizefan@huawei.com,
        hannes@cmpxchg.org, max@duempel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] cgroup_pids: add fork limit
Message-ID: <20151110151223.GA17938@mtj.duckdns.org>
References: <144716440621.20175.1000688899886388119.stgit@rabbit.intern.cm-ag>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <144716440621.20175.1000688899886388119.stgit@rabbit.intern.cm-ag>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1218
Lines: 27

On Tue, Nov 10, 2015 at 03:06:46PM +0100, Max Kellermann wrote:
> This patch introduces a new setting called "fork_remaining".  When
> positive, each successful fork decrements the value, and once it
> reaches zero, no further forking is allowed, no matter how many of
> those processes are still alive.  The special value "unlimited"
> disables the fork limit.
> 
> The goal of this limit is to have another safeguard against fork
> bombs.  It gives processes a chance to set up their child processes /
> threads, but will be stopped once they attempt to waste resources by
> continuously exiting and cloning new processes.  This can be useful
> for short-lived processes such as CGI programs.

But what's the resource here?  All first-order resources which can be
consumed by forking repeatedly already have proper controllers.
What's the point of adding an extra second-order controller?  Where do
we go from there?  Limit on the number of syscalls?

Thanks.

-- 
tejun
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/