| From: | "Jim C(dot) Nasby" <jim(at)nasby(dot)net> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Heikki Linnakangas <heikki(at)enterprisedb(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Phantom Command ID |
| Date: | 2006-09-20 21:30:57 |
| Message-ID: | 20060920213056.GA28987@nasby.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Sep 20, 2006 at 04:22:47PM -0400, Tom Lane wrote:
> "Jim C. Nasby" <jim(at)nasby(dot)net> writes:
> > What would the failure mode be? Would we just keep going until the box
> > ran out of memory? I think it'd be better to have some kind of hard
> > limit so that a single backend can't grind a production server into a
> > swap-storm. (Arguably, not having a limit is exposing a DoS
> > vulnerability).
>
> [ shrug... ] If we tried to guarantee such a thing we'd be putting
> arbitrary limits into hundreds if not thousands of different bits of the
> backend. I think the correct answer for an admin who is worried about
> such a thing is to make sure that the process ulimit is a sufficiently
> small fraction of the machine's available RAM. Only if we can't
> gracefully handle running up against ulimit is it our problem (hence,
> we have a stack-size overflow check, but not any such thing for data size).
I didn't realize we had a lot of ways a backend could run a machine out
of memory, or at least ways that didn't have some kind of limit (ie:
work_mem). Are any of them very easy to run into?
--
Jim Nasby jim(at)nasby(dot)net
EnterpriseDB http://enterprisedb.com 512.569.9461 (cell)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2006-09-20 21:43:40 | Re: Phantom Command ID |
| Previous Message | Josh Berkus | 2006-09-20 21:22:57 | Re: Units in postgresql.conf.sample |