Add support for memlocking sshd on Linux#558
Closed
d-tatianin wants to merge 2 commits intoopenssh:masterfrom
Closed
Add support for memlocking sshd on Linux#558d-tatianin wants to merge 2 commits intoopenssh:masterfrom
d-tatianin wants to merge 2 commits intoopenssh:masterfrom
Conversation
Contributor
Author
|
CI failure looks unrelated to my changes (?) |
Previously this was possible via post_fork_child, but ever since sshd was split into multiple binaries, this is now no longer possible becase of execv.
Linux wakes up kcompactd threads in order to make more contiguous memory available on the system, it does this by migrating live movable pages (actively modifying live processes' page tables and constantly flooding them with page invalidation IPIs, which can be up to millions per second), which causes the process to become unresponsive for up to seconds or even minutes in some severe cases. In case of sshd, we want to always be able to connect to the system, even if it's under heavy kcompactd load. Introduce an option to protect sshd and its children sessions from being compacted by kcompactd (this works in cojunction with compact_unevictable_allowed = 0). Note that we depend on MCL_ONFAULT being available, which was introduced in linux 4.4. MCL_ONFAULT allows the system to lock pages lazily, thus drastically reducing memory usage of a locked process (without MCL_ONFAULT, every existing mapping in the process is instantly write-faulted).
d-tatianin
force-pushed
the
memlock-support
branch
from
fcd2a17 to
a2c054e
Compare
Contributor
Author
|
Ping :) |
Contributor
|
Applied, thanks. The CI failure is indeed unrelated (tcmalloc wants to use pipe2 under some conditions, which falls afoul of the process structure and sandboxing in a way we have not gotten to the bottom of yet. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Linux wakes up kcompactd threads in order to make more contiguous memory
available on the system, it does this by migrating live movable pages
(actively modifying live processes' page tables and constantly flooding
them with page invalidation IPIs, which can be up to millions per
second), which causes the process to become unresponsive for up to
seconds or even minutes in some severe cases. In case of sshd, we want
to always be able to connect to the system, even if it's under heavy
kcompactd load.
Introduce an option to protect sshd and its children sessions from being
compacted by kcompactd (this works in cojunction with
compact_unevictable_allowed = 0). Note that we depend on MCL_ONFAULT
being available, which was introduced in linux 4.4. MCL_ONFAULT allows
the system to lock pages lazily, thus drastically reducing memory usage
of a locked process (without MCL_ONFAULT, every existing mapping in the
process is instantly write-faulted).