On Sat, 3 Mar 2007, Mechiel Lukkien wrote:

> On Fri, Mar 02, 2007 at 06:09:22PM +0100, Tobias Ulmer wrote:
> > On Fri, Mar 02, 2007 at 11:25:11AM +0100, Mechiel Lukkien wrote:
> > > Hi all,
> > >
> > > It seems mlock does not work on OpenBSD/i386 for non-root users. On other
> > > archs it might work as non-root (looking at the code), but I don't have
> > > a machine to test. It seems this has existed for a long time:
> > >
> > > [ ... ]
> >
> > From http://www.opengroup.org/onlinepubs/009695399/functions/mlock.html
> >
> > "The appropriate privilege is required to lock process memory with
> > mlock()"
> >
> > So getting an EPERM is the norm if you're a normal user on most OS.
>
> true, but EPERM isn't listed in mlock(2). manual pages on openbsd tend
> to describe behaviour exactly. i haven't tried on other bsd's, but on
> linux a normal user is allowed to lock memory. i would think locking a
> maximum of 0 pages by default through rlimit would be okay, then an
> rlimit (e.g. in login.conf for one user) could be set higher to allow
> actual pages to be locked. besides, it seems other archs than i386 do
> allow mlock-ing. i am not very sure about that though.

Yeah, it depends on the platform specific part of the uvm system. If a
platform does support wired page counting, the lockedmem ulimit is
enforced. If the platform does not support wired page counting, only the
superuser may lock mem. EPERM not being in the man page is probably just
an omission.

> > You didn't ask for it, but let me guess. You want to protect some super
> > secret data from being swapped out to disk. OpenBSD does have encrypted
> > swap enabled by default.
>
> nopes, i know openbsd has encrypted swap. i am using a large amount
> of memory to do fast randomly distributed lookups in a big table.
> the table cannot be on disk (or paged out), that would mean one more
> random disk access.

If you lock a lot of mem and your machine has too little memory,
performance (of other processes) will suck. So just put enough memory in
your machine and trust the virtual memory system. Better solution is to
run on an arch that does support any user locking mem, like amd64.

-Otto
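
An added example, not part of the original message or of OpenBSD's code: a caller that tells the two failure modes discussed in this thread apart, a privilege refusal (EPERM) versus the locked-memory rlimit, instead of treating every mlock() failure alike. The enum names, `TABLE_LEN`, the static `table` buffer and the 4 KiB page size are assumptions of the example.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/resource.h>

/* Outcome names are this example's own, not from any system header. */
enum lock_result { LOCK_OK, LOCK_NEED_PRIV, LOCK_OVER_LIMIT, LOCK_FAILED };

/* Constructed stand-in for the lookup table; assumes 4 KiB pages. */
#define TABLE_LEN 4096
static _Alignas(4096) unsigned char table[TABLE_LEN];

/* Map an mlock() errno to a cause, following the errors POSIX lists:
 * EPERM = missing privilege, EAGAIN/ENOMEM = limit or resource failure. */
enum lock_result classify_mlock_errno(int err)
{
    switch (err) {
    case 0:      return LOCK_OK;
    case EPERM:  return LOCK_NEED_PRIV;
    case EAGAIN:
    case ENOMEM: return LOCK_OVER_LIMIT;
    default:     return LOCK_FAILED;
    }
}

/* 1 if len fits under the soft RLIMIT_MEMLOCK, 0 if not, -1 on error. */
int fits_memlock_limit(size_t len)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0)
        return -1;
    return rl.rlim_cur == RLIM_INFINITY || (rlim_t)len <= rl.rlim_cur;
}

/* Try to wire the table; the caller decides what to do on failure. */
enum lock_result lock_table(void)
{
    int err = mlock(table, TABLE_LEN) == 0 ? 0 : errno;
    if (err == 0)
        munlock(table, TABLE_LEN);   /* demo only: release it again */
    return classify_mlock_errno(err);
}

int main(void)
{
    const char *msg[] = { "locked", "EPERM", "over limit", "failed" };
    printf("fits=%d mlock=%s\n", fits_memlock_limit(TABLE_LEN), msg[lock_table()]);
    return 0;
}
```

When the rlimit check says the request fits but mlock() still returns EPERM, the refusal is a privilege decision by the platform rather than a limit to raise in login.conf.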