Hello,

On Wednesday, 7 January 2015, Bernhard Voelker wrote:
On 01/07/2015 11:52 AM, Bernhard M. Wiedemann wrote:
On 2014-12-30 09:38, Ludwig Nussel wrote:
==== pam ====
Subpackages: pam-32bit pam-devel

- limit number of processes to 700 to harden against fork-bombs
  Add pam-limit-nproc.patch
700? When I start 'make -j' here, then 700-800 processes are quite common. The usefulness of such a limit to harden against fork-bombs is probably depending very much on the hardware (RAM, CPUs, etc.) ... and on the size of the executables being run.
Therefore, I assume that finding a useful limit which is not overly limiting the average (and moderate advanced) users is pretty hard ... but to answer your question: yes, please!
I had some fun with Konqueror eating up lots of memory some months ago. Basically a task for the OOM killer - but before it did its job, the system was frozen for several minutes because all cache was replaced with whatever Konqueror kept in RAM.

Since then, I enforce more free RAM (about 100 MB) which means the OOM killer does its job earlier. Basically the OOM killer kills the same processes that it would kill nevertheless, but it does it earlier so that the system stays usable.

    # cat /etc/sysctl.d/42-vm.min_free_kbytes.conf
    vm.min_free_kbytes = 100000

The only disadvantage is that the kernel really keeps this space free (not even used for cache).

The perfect solution would be to configure a minimum amount of RAM used for cache, but I couldn't find such a parameter. Did I overlook something?

Regards,

Christian Boltz
--
CALL FOR DONATIONS
Please donate generously for new crystal balls for those who are constantly crystal-ball gazing here; the wear is low, but over the years a crystal ball does wear out ...
[David Haller in opensuse-de]