Date: Mon, 19 Nov 2018 22:16:09 +1100
From: Aleksa Sarai
To: Daniel Colascione
Cc: Michal Hocko, linux-kernel, rppt@linux.ibm.com, Tim Murray, Joel Fernandes, Suren Baghdasaryan, Jonathan Corbet, Andrew Morton, Roman Gushchin, Mike Rapoport, Vlastimil Babka, "Kirill A. Shutemov", "Dennis Zhou (Facebook)", Prashant Dhamdhere, "open list:DOCUMENTATION"
Subject: Re: [PATCH v2] Document /proc/pid PID reuse behavior
Message-ID: <20181119111609.v4j2j53zpd6hvk2c@mikami>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2018-11-07, Daniel Colascione wrote:
> On Wed, Nov 7, 2018 at 4:00 PM, Michal Hocko wrote:
> > On Wed 07-11-18 15:48:20, Daniel Colascione wrote:
> >> On Tue, Nov 6, 2018 at 1:05 PM, Michal Hocko wrote:
> >> > otherwise anybody could simply DoS the system
> >> > by consuming all available pids.
> >>
> >> People can do that today using the instrument of terror widely known
> >> as fork(2). The only thing standing between fork(2) and a full process
> >> table is RLIMIT_NPROC.
> >
> > not really.
>
> What else, besides memory consumption and (as you mention below)
> cgroups? In practice, nobody uses RLIMIT_NPROC, so outside of various
> container-y namespaced setups, avoidance of
> system-DoS-through-PID-exhaustion isn't a pressing problem.

systemd has had a default pid cgroup controller policy (for both user and
system slices) for quite a long time. I believe that the most recent
version of most enterprise and community distributions support it by
default (and probably even some older versions -- commit 49b786ea146f was
merged in 2015 and I think systemd grew support for it in 2016).

I agree with your overall point, but it should be noted that the vast
majority of Linux systems these days have protections against this (by
default) that use the pids cgroup controller.

-- 
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
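
The check below is an added example, not part of the thread or of any poster's code: it reports the tightest `pids.max` that the pids cgroup controller applies to a process, next to the RLIMIT_NPROC value the quoted text mentions. The function name `effective_pids_max` and the default mount points `/sys/fs/cgroup` and `/sys/fs/cgroup/pids` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): print the tightest pids.max that applies
# to a process, walking from its cgroup up to the root of the hierarchy.
#   $1  a /proc/<pid>/cgroup file
#   $2  cgroup v2 mount point (assumed default: /sys/fs/cgroup)
#   $3  cgroup v1 pids hierarchy mount (assumed default: /sys/fs/cgroup/pids)
effective_pids_max() {
    procfile=$1; v2root=${2:-/sys/fs/cgroup}; v1root=${3:-/sys/fs/cgroup/pids}
    # v1 entry: "<id>:<controllers>:<path>", e.g. "11:pids:/system.slice/x.service"
    rel=$(awk -F: '{ n = split($2, c, ",")
                     for (i = 1; i <= n; i++) if (c[i] == "pids") {
                         print substr($0, length($1) + length($2) + 3); exit } }' "$procfile")
    root=$v1root
    if [ -z "$rel" ]; then
        # v2 (unified) entry: "0::<path>"
        rel=$(awk -F: '$1 == "0" && $2 == "" { print substr($0, 4); exit }' "$procfile")
        root=$v2root
    fi
    if [ -z "$rel" ]; then echo unknown; return 1; fi

    best=max          # "max" is the kernel's spelling of "no limit"
    dir=$rel
    while :; do
        f="$root$dir/pids.max"
        if [ -r "$f" ]; then
            v=$(cat "$f")
            if [ "$v" != max ] && { [ "$best" = max ] || [ "$v" -lt "$best" ]; }; then
                best=$v
            fi
        fi
        if [ -z "$dir" ] || [ "$dir" = / ]; then break; fi
        dir=${dir%/*}  # step to the parent cgroup; limits are hierarchical
    done
    echo "$best"
}

# Report for the current shell, next to the per-user RLIMIT_NPROC soft limit.
if [ -r /proc/self/cgroup ]; then
    echo "pids cgroup limit: $(effective_pids_max /proc/self/cgroup)"
    echo "RLIMIT_NPROC:      $(ulimit -u 2>/dev/null || echo n/a)"
fi
```

A result of `max` means no ancestor cgroup sets a pids limit, so only RLIMIT_NPROC and memory stand between fork(2) and a full process table for that process.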