Howdy,
On Wed, 24 Nov 2004, Shailabh Nagar wrote:
> For the numtasks controller (which will do the fork bomb limiting you're
> looking for), 50% of available resources is still too many.
> If you see /rcfs/taskclass/stats, one of the cnt_* fields shows that
> 131072 tasks constitutes the "systemwide resource".
Thanks for your response! I tried those steps out, and it didn't seem to help.
That might be in the way I did something, so I'll explain how I did it.
> Could you try the following:
>
> -Change the total_guarantee field in /rcfs/taskclass/shares to 131072
This part was straightforward:
# echo "res=numtasks,total_guarantee=131072" > shares
# cat shares
res=numtasks,guarantee=-2,limit=-2,total_guarantee=131072,max_limit=100
That appears to be correct.
> Set the guarantee and limit fields of /rcfs/taskclass/A to 10 or some
> low number.
Okay, I saw something in the directions that explained a similar way of doing
things, but this doesn't work for me as such.
First, I've created 'A' as a directory, and all the magic files appear
underneath. I can't set any parameters using /rcfs/taskclass/A though, I get
an error about it being a directory. So I assume you meant for me to set
those parameters using /rcfs/taskclass/A/shares. But maybe that's not what you
meant, and maybe that's why it didn't work ;-) Here's what I did:
# mkdir A
# cd A
# ls
members shares stats target
# cat shares
res=numtasks,guarantee=-2,limit=-2,total_guarantee=100,max_limit=100
# echo "res=numtasks,limit=10" > shares
# echo "res=numtasks,guarantee=10" > shares
# cat shares
res=numtasks,guarantee=10,limit=10,total_guarantee=100,max_limit=100
Then, I logged in again as root, and got the pid of the bash shell:
# ps auxf
root 20104 0.3 2.4 9796 3916 ? S 05:39 0:00 \_ sshd: [EMAIL PROTECTED]
19784 0.2 1.6 4560 2620 pts/2 S 05:39 0:00 \_ -bash
root 23383 0.0 0.9 3880 1476 pts/2 R 05:39 0:00 \_ ps au
I used the pid 19784 -- I'm sure that's referring to the correct shell because
that was the only user running 'ps aux' at the time :-)
I set the pid of the new shell:
# echo 19784 > target (still in the A directory)
# cat members
19784
So far, this all looks correct. Then, as the newly logged in root user, I ran
a bash fork bomb. Within 2-3 seconds, the system was completely
non-responsive.
Any thoughts?
> So do you automatically create CKRM classes for SELinux protection
> domains ? That'd be interesting...
Well, I have a lot of neat ideas for how those two could play together, but
that's not implemented yet; I wanted to get it working before we got fancy :-)
Originally, I wasn't using separate classes, I was just modifying the values of
/rcfs/taskclass/shares and nothing else (not what I did above, that was before
I sent an email to the list).
However, as you said, there are some really neat things that can be done here.
Having a CKRM class for each SELinux domain is one of them. Having CKRM
classes based on the SELinux user roles would be neat too, and is likely to be
how I'd start.
I'm also open to other suggestions :-)
Thanks a lot for your help!
-Eric
--
Eric Andreychek | Lucy: "What happens if you practice the
Eric Conspiracy Secret Labs | piano for 20 years and then end up not
[EMAIL PROTECTED] | being rich and famous?"
http://openthought.net | Schroeder: "The joy is in the playing."
_______________________________________________
ckrm-tech mailing list
https://lists.sourceforge.net/lists/listinfo/ckrm-tech