mlock and jail (Elasticsearch/Java use case)
freebsd at gomor.org
Thu Feb 2 12:39:00 UTC 2017
Giving mlock support to jails would also allow Elasticsearch
(Java-based) to run as a jailed process.
In fact, Java can use a memory optimization trick for better
performances by locking a specified amount of memory.
Thus, Elasticsearch has the need for such a setting to let it run at its
Without this tunable, one cannot take advantage of this and
Elasticsearch cannot run jailed to its full performance.
Furthermore, putting it outside of a jail is less confortable regarding
overall system security.
On 2017-02-02 02:31, Xin LI wrote:
> I like this idea.
> Note that potentially your patch would make it possible for a jailed
> root to DoS the whole system by locking too much of pages in memory.
> I think it would be sensible to provide a per-jail flag to enable
> doing it, or better, have some finer grained control (e.g. per jail
> quota of permitted locked pages).
> Why did the application want to lock pages in main memory, though?
> On Wed, Feb 1, 2017 at 3:52 PM, Bruno Lauzé <brunolauze at msn.com> wrote:
>> I would like to ask if there is a reason I would have to applythe
>> patch below to make an application work in a jail.
>> And who's bad? the app too intrusive or the bsd not flexible enough
>> Index: sys/kern/kern_jail.c
>> --- sys/kern/kern_jail.c (revision 313033)
>> +++ sys/kern/kern_jail.c (working copy)
>> @@ -3340,6 +3340,11 @@
>> case PRIV_PROC_SETLOGINCLASS:
>> return (0);
>> + case PRIV_VM_MADV_PROTECT:
>> + case PRIV_VM_MLOCK:
>> + case PRIV_VM_MUNLOCK:
>> + return (0);
>> freebsd-current at freebsd.org mailing list
>> To unsubscribe, send any mail to
>> "freebsd-current-unsubscribe at freebsd.org"
> freebsd-current at freebsd.org mailing list
> To unsubscribe, send any mail to
> "freebsd-current-unsubscribe at freebsd.org"
More information about the freebsd-current