使FD生效-为什么每个用户ID而不是每个进程的限制? [英] inotify FD - why is the limit per user id and not per process?
问题描述
在Linux中,进程可以打开的inotify实例的数量受到/proc/sys/fs/inotify/max_user_instances 中指定的每个用户ID最大数量的限制. >
自然的事情是对每个进程进行限制,例如文件FD.由于inotify FD受用户ID的限制,因此它更可能在许多进程可能使用同一用户ID运行的服务器上达到极限.但是我想这一定有原因吗?
这是一个编程问题,因为我必须在代码中使用inotify并想为系统设置正确的限制.
原因是通过使用inotify监视大量文件来防止非root用户对系统进行DoSing. inotify结构需要不可忽略的内存量来维护(并且不能交换到磁盘上),因此对非特权可提交的数量有一定的限制.
epoll过去也有类似的限制(max_user_instances和max_user_watches),尽管最后删除了max_user_instances并将max_user_watches设置为内存的4%.
可能应该提交类似的补丁进行inotify,但到目前为止还没有.
出于完全不同的原因,文件描述符在每个进程的基础上受到限制:当进程启动时,将分配文件描述符表,并且其大小与文件描述符的最大允许数目成比例.保持尽可能小可以减少每个进程的内存开销.
In Linux, limit on the number of inotify instances a process can have open is limited by a per user-id max number, specified in /proc/sys/fs/inotify/max_user_instances
Natural thing would be to limit it per process, like file FDs for example. Since the inotify FDs are limited by the user id, its more likely to hit the limit on servers where many processes might run with the same user id. But I guess there has to be a reason for this ?
This is a programming question because I have to use inotify in my code and want to set the right limit for the system.
The reason is to prevent non-root users DoSing the system by watching lots of files using inotify. inotify structures require non-negligible amount of memory to maintain (and it can't be swapped out to disk), so there needs to be some limit on how much non-privileged can commit.
epoll used to have similar restrictions (max_user_instances and max_user_watches), although in the end max_user_instances was removed and max_user_watches was just set to be 4% of memory.
A similar patch should probably be submitted for inotify, but hasn't been so far.
File descriptors are limited on a per-process basis for a completely different reason: when a process starts a file descriptor table is allocated and its size is proportional to the maximum allowed number of file descriptors. Keeping this as small as possible reduces the per-process memory overhead.
这篇关于使FD生效-为什么每个用户ID而不是每个进程的限制?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
