Re: [PATCH 2/3] fs: Introduce cmdline argument exceed_file_max_panic

From: Al Viro
Date: Sat Jun 06 2020 - 10:29:05 EST


On Sat, Jun 06, 2020 at 02:32:19PM +0800, Tiezhu Yang wrote:
> It is important to ensure that files that are opened always get closed.
> Failing to close files can result in file descriptor leaks. One common
> answer to this problem is to just raise the limit of open file handles
> and then restart the server every day or every few hours; this is not
> a good idea for long-lived servers if there are no leaks.
>
> If there are file descriptor leaks, when the file-max limit is reached, we
> can see that the system cannot work well and at worst the user can do
> nothing; it is even impossible to execute the reboot command due to too many
> open files in the system. In order to reboot automatically to recover to the
> normal status, introduce a new cmdline argument exceed_file_max_panic for
> the user to control whether to call panic in this case.

What the hell? You are modifying the path for !CAP_SYS_ADMIN. IOW,
you've just handed an ability to panic the box to any non-privileged
process.

NAK. That makes no sense whatsoever. Note that root is *NOT* affected
by any of that, so you can bloody well have a userland process running
as root and checking the number of files once in a while. And doing
whatever it wants to do, up to and including reboot/writing to
/proc/sys/sysrq-trigger, etc. Or just looking at the leaky processes
and killing them, with a nastygram along the lines of "$program appears
to be leaking descriptors; LART the authors of that FPOS if they can
be located" sent into log/over mail/etc.
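The userland alternative sketched in the reply, as an added example that is not part of this mail thread or of the patch under review: a root-run watchdog that reads /proc/sys/fs/file-nr (fields: allocated, free, max), compares allocation against the limit, and names the processes holding the most descriptors so an operator can decide what to do about the leaky program. The 80% warning threshold, the report layout and the helper names are assumptions of this example; the script only reports and never kills or reboots anything.

```python
"""Userspace file-max watchdog (added example, not kernel or mail-thread code).

Reads /proc/sys/fs/file-nr, whose three fields are 'allocated free max'
(the 'free' field is always 0 on current kernels), works out how close the
system is to the global limit, and lists the processes with the most open
descriptors. Threshold and output format are this example's own choices.
"""
from pathlib import Path


def parse_file_nr(text):
    """Parse the contents of /proc/sys/fs/file-nr: 'allocated free max'."""
    fields = text.split()
    if len(fields) != 3:
        raise ValueError(f"unexpected file-nr contents: {text!r}")
    allocated, free, maximum = (int(f) for f in fields)
    return {"allocated": allocated, "free": free, "max": maximum}


def usage_ratio(file_nr):
    """Fraction of the global file-max limit currently allocated."""
    if file_nr["max"] == 0:
        return 0.0
    return file_nr["allocated"] / file_nr["max"]


def count_open_fds(proc_root="/proc"):
    """Return {pid: open fd count} for every process the caller may inspect.

    Run as root to see all tasks; an unprivileged user only sees its own,
    which is exactly why the reply wants this done from a root process.
    """
    counts = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            counts[int(entry.name)] = sum(1 for _ in (entry / "fd").iterdir())
        except (PermissionError, FileNotFoundError):
            continue  # task exited, or its fd directory is not readable
    return counts


def top_consumers(counts, n=5):
    """The n processes holding the most descriptors, largest first."""
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:n]


def check(file_nr, counts, warn_at=0.8, n=5):
    """Return None when usage is below warn_at, else a report dict."""
    ratio = usage_ratio(file_nr)
    if ratio < warn_at:
        return None
    return {"ratio": ratio, "top": top_consumers(counts, n)}


def comm_of(pid, proc_root="/proc"):
    """Process name from /proc/<pid>/comm, or '?' if it is gone."""
    try:
        return Path(proc_root, str(pid), "comm").read_text().strip()
    except OSError:
        return "?"


if __name__ == "__main__":
    file_nr = parse_file_nr(Path("/proc/sys/fs/file-nr").read_text())
    report = check(file_nr, count_open_fds())
    if report is None:
        print(f"file-nr {file_nr['allocated']}/{file_nr['max']}: ok")
    else:
        print(f"WARNING: {report['ratio']:.0%} of file-max allocated; top holders:")
        for pid, nfds in report["top"]:
            print(f"  pid {pid} ({comm_of(pid)}): {nfds} open fds")
```

Run it from cron or a timer as root; the "top holders" lines are the material for the nastygram the reply describes, and anything more drastic (signalling the offender, sysrq) is a separate policy decision left to the operator.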