[PATCH] new cgroup controller "fork"

Max Kellermann max at duempel.org
Fri Nov 4 13:38:48 UTC 2011


On 2011/11/04 14:11, Glauber Costa <glommer at parallels.com> wrote:
> For other uses, we can watch the task counter increase until a
> certain value, and then set the limit to 0.
> 
> Max, wouldn't it be enough for your use?

No.  We do have a process limit already (I didn't publish it yet), but
we might adopt Frederic's new controller as soon as it hits our
servers.  The fork controller complements it, and we have many others.
We run a shared CGI hosting platform with millions of accounts, and
many users have badly designed or even vulnerable PHP scripts.  The
fork controller is very effective at stopping certain kinds of those.
Other controllers shall keep other problems small.  This mix of many
different measures has been working very well for quite a few years.

We'll just keep that code on our private git repository .. rebasing on
new kernel releases is easy enough for me.

Max


More information about the Containers mailing list