From nobody Mon Aug 02 12:19:00 2021 X-Original-To: jail@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4E95F12D9784 for ; Mon, 2 Aug 2021 12:19:22 +0000 (UTC) (envelope-from freebsd@grem.de) Received: from mail.evolve.de (mail.evolve.de [213.239.217.29]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA512 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail.evolve.de", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4GdcWF2bfxz3qJk for ; Mon, 2 Aug 2021 12:19:21 +0000 (UTC) (envelope-from freebsd@grem.de) Received: by mail.evolve.de (OpenSMTPD) with ESMTP id f18fd499 for ; Mon, 2 Aug 2021 12:19:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=grem.de; h=date:from:to :subject:message-id:mime-version:content-type :content-transfer-encoding; s=20180501; bh=KaW67icApRTvdpMUIkV7V C4TFi4=; b=Co8c0I/2tPbSITSuz61fNgz0M3GzQAjKf9VKWB/4D7wYroITP2UZS pmDTj7gtyyDGYH9ppOJGXqFqEQMTldo/KIZbaNUsHVEuKAQ0p0OQXvJ5ZrwURQOz UvV9+hsImZt4bxmGQzWYVAM3fEPcFqSC80P1daJjgl/sKWe8QphqAQ0Mocg1fBk9 /DZqKEwQ63aVm9DRM9mGqttPIJDU69NEz2/ZO3et35Svp0XB5V5YSZtw9Wb1Lm6u a19x3Wg9mZLk6KYIIUzaNd8VzK98Db0+9WN/yQU1yAaZDLSRnJVsWoeInizXeso9 YCCinJxA13loMiNMIt6aZE3fW/ZiEi10g== DomainKey-Signature: a=rsa-sha1; c=nofws; d=grem.de; h=date:from:to :subject:message-id:mime-version:content-type :content-transfer-encoding; q=dns; s=20180501; b=cbHlNW8wfHPjHro z+eMX3vzLUrlNQ34N3oobtZ7qEgiIEm7b77Qckft7Iku+37ss9HUARdRCgOjF/Kf jwFjpkWl4YRYepSLECZBHTum7ptac+NHravjp18nmjJav9UkC54v3zlMuo+rKov6 1LSpo8yr39ETU/bbQKZFS0q8u3K4mTxotc6R/gew1n3YDsj30od05QoK82raPLeP EFiXTKOb4Eoo1y/QJ+cUkjLfNDPwnYJAoCX8pyQDc83q/pVt1xZxQDzvEtuxrY1V CiAxPLfv4wo9UGgO5ZM6MnX6f1PBi1s6LapSi1J475aaeBvoUepovNRqW+2hVWwm UwFecZQ== Received: by mail.evolve.de (OpenSMTPD) with ESMTPSA id 7ba039a4 (TLSv1.3:AEAD-CHACHA20-POLY1305-SHA256:256:NO) for ; Mon, 2 Aug 2021 12:19:15 +0000 (UTC) Date: Mon, 2 Aug 2021 14:19:00 +0200 From: Michael Gmelin To: jail@freebsd.org Subject: POSIX shared memory, jails, and (lack of) limits Message-ID: <20210802141900.069d0051@bsd64.grem.de> X-Face: $wrgCtfdVw_H9WAY?S&9+/F"!41z'L$uo*WzT8miX?kZ~W~Lr5W7v?j0Sde\mwB&/ypo^}> +a'4xMc^^KroE~+v^&^#[B">soBo1y6(TW6#UZiC]o>C6`ej+i Face: iVBORw0KGgoAAAANSUhEUgAAADAAAAAwBAMAAAClLOS0AAAAJFBMVEWJBwe5BQDl LASZU0/LTEWEfHbyj0Txi32+sKrp1Mv944X8/fm1rS+cAAAACXBIWXMAAAsTAAAL EwEAmpwYAAAAB3RJTUUH3wESCxwC7OBhbgAAACFpVFh0Q29tbWVudAAAAAAAQ3Jl YXRlZCB3aXRoIFRoZSBHSU1QbbCXAAAAAghJREFUOMu11DFvEzEUAGCfEhBVFzuq AKkLd0O6VrIQsLXVSZXoWE5N1K3DobBBA9fQpRWc8OkWouaIjedWKiyREOKs+3PY fvalCNjgLVHeF7/3bMtBzV8C/VsQ8tecEgCcDgrzjekwKZ7TwsJZd/ywEKwwP+ZM 8P3drTsAwWn2mpWuDDuYiK1bFs6De0KUUFw0tWxm+D4AIhuuvZqtyWYeO7jQ4Aea 7jUqI+ixhQoHex4WshEvSXdood7stlv4oSuFOC4tqGcr0NjEqXgV4mMJO38nld4+ xKNxRDon7khyKVqY7YR4d+Cg0OMrkWXZOM7YDkEfKiilCn1qYv4mighZiynuHHOA Wq9QJq+BIES7lMFUtcikMnkDGHUoncA+uHgrP0ctIEqfwLHzeSo+eUA66AqzwN6n 2ZHJhw6Qh/PoyC/QENyEyC/AyNjq74Bs+3UH0xYwzDUC4B97HgLocg1QLYgDDO1v f3UX9Y307Ew4AHh67YAFFsxEpkXwpXY3eIgMhAAE3R19L919nNnuD2wlPcDE3UeT L2ytEICQib9BXgS2fU8PrD82ToYO1OEmMSnYTjSqSv9wdC0tPYC+rQRQD9ESnldF CyqfmiYW+tlALt8gH2xrMdC/youbjzPXEun+/ReXsMCDyve3dZc09fn2Oas8oXGc Jj6/fOeK5UmSMPmf/jL+GD8BEj0k/Fn6IO4AAAAASUVORK5CYII= List-Id: Discussion about FreeBSD jail(8) List-Archive: https://lists.freebsd.org/archives/freebsd-jail List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-jail@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 4GdcWF2bfxz3qJk X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=grem.de header.s=20180501 header.b="Co8c0I/2"; dmarc=none; spf=pass (mx1.freebsd.org: domain of freebsd@grem.de designates 213.239.217.29 as permitted sender) smtp.mailfrom=freebsd@grem.de X-Spamd-Result: default: False [-3.50 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[grem.de:s=20180501]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:213.239.217.29/32]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[jail@freebsd.org]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-1.00)[-1.000]; RCVD_COUNT_THREE(0.00)[3]; MID_RHS_MATCH_FROMTLD(0.00)[]; DKIM_TRACE(0.00)[grem.de:+]; NEURAL_HAM_SHORT(-1.00)[-0.999]; DMARC_NA(0.00)[grem.de]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:24940, ipnet:213.239.192.0/18, country:DE]; RCVD_TLS_ALL(0.00)[]; MAILMAN_DEST(0.00)[jail] X-ThisMailContainsUnwantedMimeParts: N Hi, I've been playing a bit with POSIX shared memory and, unlike for SysV shared memory, I couldn't find any way to limit its use by jails. First, I looked at racct/rctl, but there is no resource for POSIX shared memory and memoryuse/vmemoryuse don't seem to have an effect (which makes sense). Then I checked if there are jail parameters that could help, but there doesn't seem to be anything like "allow.sysvshm" for POSIX shared memory to limit access to the feature. So, unless I'm missing something, it seems like all jails on a system have unlimited access to POSIX shared memory and therefore any single jail can use up the jailhost's virtual memory until the jailhost comes to a grinding halt. I wrote a little test program that keeps allocating POSIX shared memory inside of a jail and it can easily bring the host down to its knees: login: Aug 2 12:12:09 test kernel: pid 11825 (getty), jid 0, uid 0, was killed: out of swap space Aug 2 12:12:10 test init[11827]: getty repeating too quickly on port /dev/ttyu0, sleeping 30 secs Aug 2 12:12:10 test kernel: pid 11826 (getty), jid 0, uid 0, was killed: out of swap space Best, Michael -- Michael Gmelin