Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753654AbbKJPM3 (ORCPT ); Tue, 10 Nov 2015 10:12:29 -0500 Received: from mail-yk0-f193.google.com ([209.85.160.193]:35916 "EHLO mail-yk0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753260AbbKJPM1 (ORCPT ); Tue, 10 Nov 2015 10:12:27 -0500 Date: Tue, 10 Nov 2015 10:12:23 -0500 From: Tejun Heo To: Max Kellermann Cc: cgroups@vger.kernel.org, cyphar@cyphar.com, lizefan@huawei.com, hannes@cmpxchg.org, max@duempel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] cgroup_pids: add fork limit Message-ID: <20151110151223.GA17938@mtj.duckdns.org> References: <144716440621.20175.1000688899886388119.stgit@rabbit.intern.cm-ag> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <144716440621.20175.1000688899886388119.stgit@rabbit.intern.cm-ag> User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1218 Lines: 27 On Tue, Nov 10, 2015 at 03:06:46PM +0100, Max Kellermann wrote: > This patch introduces a new setting called "fork_remaining". When > positive, each successful fork decrements the value, and once it > reaches zero, no further forking is allowed, no matter how many of > those processes are still alive. The special value "unlimited" > disables the fork limit. > > The goal of this limit is to have another safeguard against fork > bombs. It gives processes a chance to set up their child processes / > threads, but will be stopped once they attempt to waste resources by > continuously exiting and cloning new processes. This can be useful > for short-lived processes such as CGI programs. But what's the resource here? All first-order resources which can be consumed by forking repeatedly already have proper controllers. What's the point of adding an extra second-order controller? Where do we go from there? Limit on the number of syscalls? Thanks. -- tejun -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/