On Sat, Jun 06, 2020 at 02:32:19PM +0800, Tiezhu Yang wrote:
> It is important to ensure that files that are opened always get closed.
> Failing to close files can result in file descriptor leaks. One common
> answer to this problem is to just raise the limit of open file handles
> and then restart the server every day or every few hours; this is not
> a good idea for long-lived servers if there are no leaks.
>
> If there exist file descriptor leaks, when the file-max limit is reached, we
> can see that the system cannot work well and at worst the user can do
> nothing; it is even impossible to execute the reboot command due to too many
> open files in the system. In order to reboot automatically to recover to the
> normal status, introduce a new cmdline argument exceed_file_max_panic for
> the user to control whether to call panic in this case.

What the hell?  You are modifying the path for !CAP_SYS_ADMIN.  IOW, you've
just handed an ability to panic the box to any non-privileged process.

NAK.  That makes no sense whatsoever.

Note that root is *NOT* affected by any of that, so you can bloody well
have a userland process running as root and checking the number of files
once in a while.  And doing whatever it wants to do, up to and including
reboot/writing to /proc/sys/sysrq-trigger, etc.  Or just looking at the
leaky processes and killing them, with a nastygram along the lines of
"$program appears to be leaking descriptors; LART the authors of that
FPOS if they can be located" sent into log/over mail/etc.
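The root-run watchdog Al describes above, as an added example that is not part of the thread and not kernel code: it reads the kernel's own counters in /proc/sys/fs/file-nr (allocated, unused, file-max), and once usage crosses a threshold it lists the processes holding the most descriptors by counting entries in /proc/<pid>/fd and reports them via stderr and logger(1). The threshold, the cron-style `--run` entry point and the message wording are assumptions of this example; the /proc interfaces are the standard Linux ones.

```shell
#!/bin/sh
# Added example (not from the thread): a privileged file-handle watchdog in the
# spirit of Al Viro's reply. Run it as root from cron; unprivileged callers
# cannot read other users' /proc/<pid>/fd and will simply see smaller counts.

# Turn one line in /proc/sys/fs/file-nr format ("allocated unused max")
# into the percentage of file-max currently allocated.
file_nr_usage_pct() {
    set -- $1                       # split the three fields
    allocated=$1
    max=$3
    [ "$max" -gt 0 ] 2>/dev/null || { echo 0; return 1; }
    echo $(( allocated * 100 / max ))
}

# Count the descriptors one process holds by enumerating /proc/<pid>/fd.
# Prints 0 and fails when the directory is absent or unreadable.
fd_count() {
    dir=/proc/$1/fd
    [ -d "$dir" ] || { echo 0; return 1; }
    n=0
    for f in "$dir"/*; do
        # fd entries are symlinks; -L also copes with the unmatched-glob case
        [ -L "$f" ] || continue
        n=$((n + 1))
    done
    echo "$n"
}

# Print "count pid comm" for visible processes, heaviest holders first.
top_fd_holders() {
    limit=${1:-5}
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        comm=$(cat "$p/comm" 2>/dev/null) || continue
        printf '%s %s %s\n' "$(fd_count "$pid")" "$pid" "$comm"
    done | sort -rn | head -n "$limit"
}

# Compare current usage with the threshold (default 90%, an assumption here)
# and send a nastygram about the top holders to stderr and syslog.
check_and_report() {
    threshold=${1:-90}
    pct=$(file_nr_usage_pct "$(cat /proc/sys/fs/file-nr)")
    [ "$pct" -ge "$threshold" ] || return 0
    top_fd_holders 5 | while read -r n pid comm; do
        msg="$comm (pid $pid) appears to be leaking descriptors: holds $n; system at ${pct}% of file-max"
        echo "$msg" >&2
        command -v logger >/dev/null 2>&1 && logger -t fd-watch "$msg"
    done
    return 0
}

# Entry point, e.g. from root's crontab:  */5 * * * * sh fd-watch.sh --run 90
if [ "$1" = "--run" ]; then
    check_and_report "${2:-90}"
fi
```

Because only root can read every process's fd directory, the ranking is complete only when run with that privilege, which is exactly the point of the reply: the decision about what to do when the table fills belongs to a privileged process that can also choose to kill the offender or reboot, not to whichever unprivileged process happens to hit the limit first.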