diff options
| author | Aleksa Sarai <cyphar@cyphar.com> | 2015-06-09 07:32:10 -0400 |
|---|---|---|
| committer | Tejun Heo <tj@kernel.org> | 2015-07-14 17:29:23 -0400 |
| commit | 49b786ea146f69c371df18e81ce0a2d5839f865c (patch) | |
| tree | 8e7abdd61fb2a8e5d3b7ffbf263fc36d8f9969f5 /init | |
| parent | 7e47682ea555e7c1edef1d8fd96e2aa4c12abe59 (diff) | |
cgroup: implement the PIDs subsystem
Adds a new single-purpose PIDs subsystem to limit the number of
tasks that can be forked inside a cgroup. Essentially this is an
implementation of RLIMIT_NPROC that applies to a cgroup rather than a
process tree.
However, it should be noted that organisational operations (adding and
removing tasks from a PIDs hierarchy) will *not* be prevented. Rather,
the number of tasks in the hierarchy cannot exceed the limit through
forking. This is due to the fact that, in the unified hierarchy, attach
cannot fail (and it is not possible for a task to overcome its PIDs
cgroup policy limit by attaching to a child cgroup -- even if migrating
mid-fork it must be able to fork in the parent first).
PIDs are fundamentally a global resource, and it is possible to reach
PID exhaustion inside a cgroup without hitting any reasonable kmemcg
policy. Once you've hit PID exhaustion, you're only in a marginally
better state than OOM. This subsystem allows PID exhaustion inside a
cgroup to be prevented.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Diffstat (limited to 'init')
| -rw-r--r-- | init/Kconfig | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/init/Kconfig b/init/Kconfig index af09b4fb43d2..2184b34cbf73 100644 --- a/init/Kconfig +++ b/init/Kconfig | |||
| @@ -955,6 +955,22 @@ config CGROUP_FREEZER | |||
| 955 | Provides a way to freeze and unfreeze all tasks in a | 955 | Provides a way to freeze and unfreeze all tasks in a |
| 956 | cgroup. | 956 | cgroup. |
| 957 | 957 | ||
| 958 | config CGROUP_PIDS | ||
| 959 | bool "PIDs cgroup subsystem" | ||
| 960 | help | ||
| 961 | Provides enforcement of process number limits in the scope of a | ||
| 962 | cgroup. Any attempt to fork more processes than is allowed in the | ||
| 963 | cgroup will fail. PIDs are fundamentally a global resource because it | ||
| 964 | is fairly trivial to reach PID exhaustion before you reach even a | ||
| 965 | conservative kmemcg limit. As a result, it is possible to grind a | ||
| 966 | system to halt without being limited by other cgroup policies. The | ||
| 967 | PIDs cgroup subsystem is designed to stop this from happening. | ||
| 968 | |||
| 969 | It should be noted that organisational operations (such as attaching | ||
| 970 | to a cgroup hierarchy will *not* be blocked by the PIDs subsystem), | ||
| 971 | since the PIDs limit only affects a process's ability to fork, not to | ||
| 972 | attach to a cgroup. | ||
| 973 | |||
| 958 | config CGROUP_DEVICE | 974 | config CGROUP_DEVICE |
| 959 | bool "Device controller for cgroups" | 975 | bool "Device controller for cgroups" |
| 960 | help | 976 | help |