PS: one thing "systemd-analyze security" doesn't cover AT ALL is service denial 
attacks.

For example, one day I mounted a backup drive (full of snapshots) on
/mnt instead of /media, and the overnight mlocate updatedb cron job
tried to scan it, flushing all the real disk's blocks from the page
cache (thereby measurably reducing performance for everything else on
the system).

See also:

0)  The systemd reference is systemd.resource-control(5), but
    it's a reference rather than a howto/guide/example.

1)  # These are equivalent to "nice ionice -c3 chrt --idle 0".  I think. --twb, Jun 2016
    [Service]
    Nice=10
    IOSchedulingClass=idle
    CPUSchedulingPolicy=idle

    I habitually add these to anything that I think of as an "overnight
    background job".  Pretty much anything fired by cron or a .timer.

2)  mlocate uses "nocache" (an LD_PRELOAD hack that adds FADV_DONTNEED to
    I/O syscalls).
    The nocache homepage (https://github.com/Feh/nocache) suggests that on
    "modern" systems with cgroup v1 support, you set a per-unit memory
    limit instead.
    I *think* under modern systemd, with cgroups v2, you actually do
    something like

        MemoryHigh=128M

    Which doesn't set a memory *limit*, but it helps the page cache
    replacement algorithm decide which pages should be evicted first.

    These articles explain that nocache (or equivalent) is needed as
    workaround because Linux's current heuristics are old and crufty:

        https://linux-mm.org/AdvancedPageReplacement
        https://linux-mm.org/PageReplacementDesign

    UNFORTUNATELY, I do not yet have enough experience to know what is
    a "reasonable" MemoryHigh= number to set for a given unit.

    systemd has memory accounting, but unlike CPU or network
    accounting, when the unit ends, it will not report the "peak"
    memory usage.

    Instead, you have to poll systemd-cgls (or possibly systemctl
    show) while the unit is running, to see the point-in-time value.

    You can also shove /usr/bin/time in front of the command to see
    *a* peak memory value, but (I think?) that doesn't include the
    page cache (cache of HDD blocks in RAM).

        $ /usr/bin/time gzip -k tmp.txt
        … (… 1368maxresident)k
