Less known Solaris Features: Resource Management - Part 3: Limiting operating system resources
The kernel of an operating system provides a huge amount of resources to the processes running on it. Such resources are file descriptors, shared memory segments or the process tables. Albeit it´s hard to fill up this resources with modern operating systems it´s not impossible. When a resource is consumed by a single malicous or erronous application, all other can´t run as well when they need more resources from the operating system.
Let´s assume this scenario: There is an course “Perl Scripting for beginners” at the Unseen University and in the last year the lesson “About fork” ended in chaos as some of your students coded forkbombs as they though this would be funny (as the class before, and the one before …)
I´ve stored this little script at /opt/bombs/forkbomb.pl. A few seconds after starting such a script, the system is toast because of the hundreds of forked processes. Don´t try this without resource management. Okay, but this year, you´ve migrated to Solaris. You can impose resource management.
Okay, we have to modify our project configuration:
Now we have configured a resource limit. A single task in the class2005 cant have more than 9 processes. The tenth attempt to fork will be denied. Okay, do you remember the reasons, why the system starts a new task? One of it is “login”. Thus every login of a user gives him 10 threads to work with. And this is exacly the behaviour we want.
Let´s assume Alice starts her forkbomb:
After forking away 7 forkbomb.pl processes, any futher fork is denied by the system. The load of the system goes up (as there are hundreds of denied forks) but the system stays usable.
Alice sends her script to Bob. He tries it, too:
This is still no problem for the system. After a few forks of the forkbomb, the system denies further forks. And the system stays usable. The limitation of the number of processes is only one example. You can limit other resources. You can find a list of all controls at the man page of resource_controls