Re: [PATCH 2/3] fs: Introduce cmdline argument exceed_file_max_panic

[Al Viro]

On Sat, Jun 06, 2020 at 02:32:19PM +0800, Tiezhu Yang wrote:
> It is important to ensure that files that are opened always get closed.
> Failing to close files can result in file descriptor leaks. One common
> answer to this problem is to just raise the limit of open file handles
> and then restart the server every day or every few hours, this is not
> a good idea for long-lived servers if there is no leaks.
> 
> If there exists file descriptor leaks, when file-max limit reached, we
> can see that the system can not work well and at worst the user can do
> nothing, it is even impossible to execute reboot command due to too many
> open files in system. In order to reboot automatically to recover to the
> normal status, introduce a new cmdline argument exceed_file_max_panic for
> user to control whether to call panic in this case.

What the hell?  You are modifying the path for !CAP_SYS_ADMIN.  IOW,
you've just handed an ability to panic the box to any non-priveleged
process.

NAK.  That makes no sense whatsoever.  Note that root is *NOT* affected
by any of that, so you can bloody well have a userland process running
as root and checking the number of files once in a while.  And doing
whatever it wants to do, up to and including reboot/writing to
/proc/sys/sysrq-trigger, etc.  Or just looking at the leaky processes
and killing them, with a nastygram along the lines of "$program appears
to be leaking descriptors; LART the authors of that FPOS if they can
be located" sent into log/over mail/etc.