Re: Any particular reason we don't have sshd oomprotected by default?
Date: Thu, 09 Nov 2023 11:18:53 UTC
On 2023-11-09 15:54:22 (+0800), Alexander Leidinger wrote:
> We have syslogd oomprotected by default (/etc/defaults/rc.conf). Is
> there a particular reason we don't have sshd protected the same way?
>
> Any objections if I would commit such a change (sshd_oomprotect=YES in
> defaults/rc.conf)?

I don't have feelings about it either way. It probably makes sense to optimise for installations that don't have out of band access.

> I was also thinking about which other daemon we should protect by
> default, but apart from the need to make sure important logs are
> written to find issues which may have caused the oom trigger, and the
> need to be able to login to such a troubled system, I didn't see any
> other service as such critical (we could argue about ntpd, but I tend
> to be on the "may be protected" (not for my use cases) and not to be
> on the "has to be protected" side) to include it in this proposal.

In the FreeBSD.org cluster, we set local_unbound_oomprotect="YES" too. Without DNS, everything grinds to a halt. Including SSH.

Philip

--
Philip Paeps
Senior Reality Engineer
Alternative Enterprises