Re: mlock and jail

2017-02-02 Thread Xin LI
;
> Cc: Bruno Lauzé<mailto:brunola...@msn.com>;
> freebsd-current<mailto:freebsd-current@freebsd.org>
> Subject: Re: mlock and jail
>
>
>
> On Thu, Feb 2, 2017 at 7:54 AM, Pavel Timofeev <tim...@gmail.com> wrote:
>> 2017-02-02 4:31 GMT+03:00 Xin LI <

RE: mlock and jail

2017-02-02 Thread Bruno Lauzé
ent<mailto:freebsd-current@freebsd.org>
Subject: Re: mlock and jail

On Thu, Feb 2, 2017 at 7:54 AM, Pavel Timofeev <tim...@gmail.com> wrote:
> 2017-02-02 4:31 GMT+03:00 Xin LI <delp...@gmail.com>:
>> I like this idea.
>>
>> Note that potentially your patch wou

Re: mlock and jail

2017-02-02 Thread Xin LI
On Thu, Feb 2, 2017 at 7:54 AM, Pavel Timofeev wrote:
> 2017-02-02 4:31 GMT+03:00 Xin LI :
>> I like this idea.
>>
>> Note that potentially your patch would make it possible for a jailed
>> root to DoS the whole system by locking too many pages in memory.

Re: mlock and jail

2017-02-02 Thread Pavel Timofeev
2017-02-02 4:31 GMT+03:00 Xin LI :
> I like this idea.
>
> Note that potentially your patch would make it possible for a jailed
> root to DoS the whole system by locking too many pages in memory.
> I think it would be sensible to provide a per-jail flag to enable
> doing it,

Re: mlock and jail (Elasticsearch/Java use case)

2017-02-02 Thread GomoR
Hello,

Giving mlock support to jails would also allow Elasticsearch (Java-based) to run as a jailed process. In fact, Java can use a memory optimization trick for better performance by locking a specified amount of memory. Thus, Elasticsearch has the need for such a setting to let it run at

Re: mlock and jail

2017-02-01 Thread Bruno Lauzé
elp...@gmail.com>
Sent: February 1, 2017 8:31:35 PM
To: Bruno Lauzé
Cc: freebsd-current
Subject: Re: mlock and jail

I like this idea.

Note that potentially your patch would make it possible for a jailed root to DoS the whole system by locking too many pages in memory. I think it would be sensible to p

Re: mlock and jail

2017-02-01 Thread Xin LI
I like this idea.

Note that potentially your patch would make it possible for a jailed root to DoS the whole system by locking too many pages in memory. I think it would be sensible to provide a per-jail flag to enable doing it, or better, have some finer grained control (e.g. per jail quota

mlock and jail

2017-02-01 Thread Bruno Lauzé
I would like to ask if there is a reason I would have to apply the patch below to make an application work in a jail. And who's bad? The app too intrusive or the bsd not flexible enough (allow.mlock?)

Index: sys/kern/kern_jail.c