On Fri, Jan 13, 2012 at 07:14:00PM +0100, Frederic Weisbecker wrote: > Add a new subsystem to limit the number of running tasks, > similar to the NR_PROC rlimit but in the scope of a cgroup. > > The user can set an upper bound limit that is checked every > time a task forks in a cgroup or is moved into a cgroup > with that subsystem binded. > > The primary goal is to protect against forkbombs that explode > inside a container. The traditional NR_PROC rlimit is not > efficient in that case because if we run containers in parallel > under the same user, one of these could starve all the others > by spawning a high number of tasks close to the user wide limit. > > This is a prevention against forkbombs, so it's not deemed to > cure the effects of a forkbomb when the system is in a state > where it's not responsive. It's aimed at preventing from ever > reaching that state and stop the spreading of tasks early. > While defining the limit on the allowed number of tasks, it's > up to the user to find the right balance between the resource > its containers may need and what it can afford to provide. > > As it's totally dissociated from the rlimit NR_PROC, both > can be complementary: the cgroup task counter can set an upper > bound per container and the rlmit can be an upper bound on the > overall set of containers. > > Also this subsystem can be used to kill all the tasks in a cgroup > without races against concurrent forks, by setting the limit of > tasks to 0, any further forks can be rejected. This is a good > way to kill a forkbomb in a container, or simply kill any container > without the need to retry an unbound number of times. > > Signed-off-by: Frederic Weisbecker <fweisbec@xxxxxxxxx> > Cc: Paul Menage <paul@xxxxxxxxxxxxxx> > Cc: Li Zefan <lizf@xxxxxxxxxxxxxx> > Cc: Johannes Weiner <hannes@xxxxxxxxxxx> > Cc: Aditya Kali <adityakali@xxxxxxxxxx> > Cc: Oleg Nesterov <oleg@xxxxxxxxxx> > Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> > Cc: Kay Sievers <kay.sievers@xxxxxxxx> > Cc: Tim Hockin <thockin@xxxxxxxxxx> > Cc: Tejun Heo <tj@xxxxxxxxxx> > Cc: Kirill A. Shutemov <kirill@xxxxxxxxxxxxx> > Cc: Containers <containers@xxxxxxxxxxxxxxxxxxxxxxxxxx> Acked-by: Kirill A. Shutemov <kirill@xxxxxxxxxxxxx> -- Kirill A. Shutemov _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
