openssh: enable --with-linux-memlock-onfault

This new configure option attempts to call the following as part of sshd
startup, simply warning if it fails:

`mlockall(MCL_CURRENT | MCL_FUTURE | MCL_ONFAULT)`

From https://man7.org/linux/man-pages/man2/mlock.2.html:

> Since Linux 2.6.9, no limits are placed on the amount of memory
> that a privileged process can lock and the RLIMIT_MEMLOCK soft
> resource limit instead defines a limit on how much memory an
> unprivileged process may lock.

Since sshd is run as root, locking all current and future pages
also will not run into hypothetical OOM issues.

+3
+3
pkgs/tools/networking/openssh/common.nix
··· 36 36 withSecurityKey ? !stdenv.hostPlatform.isStatic, 37 37 withFIDO ? stdenv.hostPlatform.isUnix && !stdenv.hostPlatform.isMusl && withSecurityKey, 38 38 withPAM ? stdenv.hostPlatform.isLinux, 39 + # Attempts to mlock the entire sshd process on startup to prevent swapping. 40 + withLinuxMemlock ? stdenv.hostPlatform.isLinux, 39 41 dsaKeysSupport ? false, 40 42 linkOpenssl ? true, 41 43 isNixos ? stdenv.hostPlatform.isLinux, ··· 119 121 ++ lib.optional (!linkOpenssl) "--without-openssl" 120 122 ++ lib.optional withLdns "--with-ldns" 121 123 ++ lib.optional stdenv.hostPlatform.isOpenBSD "--with-bsd-auth" 124 + ++ lib.optional withLinuxMemlock "--with-linux-memlock-onfault" 122 125 ++ extraConfigureFlags; 123 126 124 127 ${if stdenv.hostPlatform.isStatic then "NIX_LDFLAGS" else null} =
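Review bot: the comment added above `withLinuxMemlock` in the argument list says sshd attempts to "mlock the entire sshd process on startup", which undersells two things the commit message states: the call uses `MCL_ONFAULT`, so pages are locked as they are faulted in rather than all at once, and a failed `mlockall` only produces a warning. Suggest rewording the comment to say locking is on-fault and best-effort, so anyone overriding the option knows that a running sshd is not guaranteed to be unswappable.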
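Review bot: in the configureFlags hunk, `lib.optional withLinuxMemlock "--with-linux-memlock-onfault"` is gated only on the argument, so an override that sets `withLinuxMemlock = true` on a non-Linux host passes a Linux-specific flag to configure. The default of `stdenv.hostPlatform.isLinux` covers the normal case, but consider `lib.optional (withLinuxMemlock && stdenv.hostPlatform.isLinux)` or an assert next to the argument so that a bad override fails at evaluation time with a clear message.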