mlock and jail (Elasticsearch/Java use case)
GomoR
freebsd at gomor.org
Thu Feb 2 12:39:00 UTC 2017
Hello,
Giving mlock support to jails would also allow Elasticsearch
(Java-based) to run as a jailed process.
In fact, Java can use a memory optimization trick for better
performances by locking a specified amount of memory.
Thus, Elasticsearch has the need for such a setting to let it run at its
full power.
Without this tunable, one cannot take advantage of this and
Elasticsearch cannot run jailed to its full performance.
Furthermore, putting it outside of a jail is less confortable regarding
overall system security.
Best regards,
On 2017-02-02 02:31, Xin LI wrote:
> I like this idea.
>
> Note that potentially your patch would make it possible for a jailed
> root to DoS the whole system by locking too much of pages in memory.
> I think it would be sensible to provide a per-jail flag to enable
> doing it, or better, have some finer grained control (e.g. per jail
> quota of permitted locked pages).
>
> Why did the application want to lock pages in main memory, though?
>
> On Wed, Feb 1, 2017 at 3:52 PM, Bruno Lauzé <brunolauze at msn.com> wrote:
>>
>> I would like to ask if there is a reason I would have to applythe
>> patch below to make an application work in a jail.
>> And who's bad? the app too intrusive or the bsd not flexible enough
>> (allow.mlock?)
>>
>>
>> Index: sys/kern/kern_jail.c
>> ===================================================================
>> --- sys/kern/kern_jail.c (revision 313033)
>> +++ sys/kern/kern_jail.c (working copy)
>> @@ -3340,6 +3340,11 @@
>> case PRIV_PROC_SETLOGINCLASS:
>> return (0);
>>
>>
>> + case PRIV_VM_MADV_PROTECT:
>> + case PRIV_VM_MLOCK:
>> + case PRIV_VM_MUNLOCK:
>> + return (0);
>> +
>> default:
>>
>>
>> _______________________________________________
>> freebsd-current at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-current
>> To unsubscribe, send any mail to
>> "freebsd-current-unsubscribe at freebsd.org"
> _______________________________________________
> freebsd-current at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to
> "freebsd-current-unsubscribe at freebsd.org"
More information about the freebsd-current
mailing list