openssh: enable --with-linux-memlock-onfault

This new configure option attempts to call the following as part of sshd
startup, simply warning if it fails:

`mlockall(MCL_CURRENT | MCL_FUTURE | MCL_ONFAULT)`

From https://man7.org/linux/man-pages/man2/mlock.2.html:

> Since Linux 2.6.9, no limits are placed on the amount of memory
> that a privileged process can lock and the RLIMIT_MEMLOCK soft
> resource limit instead defines a limit on how much memory an
> unprivileged process may lock.

Since sshd is run as root, locking all current and future pages
also will not run into hypothetical OOM issues.

+3
pkgs/tools/networking/openssh/common.nix
··· 36 withSecurityKey ? !stdenv.hostPlatform.isStatic, 37 withFIDO ? stdenv.hostPlatform.isUnix && !stdenv.hostPlatform.isMusl && withSecurityKey, 38 withPAM ? stdenv.hostPlatform.isLinux, 39 dsaKeysSupport ? false, 40 linkOpenssl ? true, 41 isNixos ? stdenv.hostPlatform.isLinux, ··· 119 ++ lib.optional (!linkOpenssl) "--without-openssl" 120 ++ lib.optional withLdns "--with-ldns" 121 ++ lib.optional stdenv.hostPlatform.isOpenBSD "--with-bsd-auth" 122 ++ extraConfigureFlags; 123 124 ${if stdenv.hostPlatform.isStatic then "NIX_LDFLAGS" else null} =
··· 36 withSecurityKey ? !stdenv.hostPlatform.isStatic, 37 withFIDO ? stdenv.hostPlatform.isUnix && !stdenv.hostPlatform.isMusl && withSecurityKey, 38 withPAM ? stdenv.hostPlatform.isLinux, 39 + # Attempts to mlock the entire sshd process on startup to prevent swapping. 40 + withLinuxMemlock ? stdenv.hostPlatform.isLinux, 41 dsaKeysSupport ? false, 42 linkOpenssl ? true, 43 isNixos ? stdenv.hostPlatform.isLinux, ··· 121 ++ lib.optional (!linkOpenssl) "--without-openssl" 122 ++ lib.optional withLdns "--with-ldns" 123 ++ lib.optional stdenv.hostPlatform.isOpenBSD "--with-bsd-auth" 124 + ++ lib.optional withLinuxMemlock "--with-linux-memlock-onfault" 125 ++ extraConfigureFlags; 126 127 ${if stdenv.hostPlatform.isStatic then "NIX_LDFLAGS" else null} =
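Review bot: the comment added above `withLinuxMemlock` (new line 39) says the option mlocks the sshd process "to prevent swapping" but leaves out that the call is best-effort. Per the commit message, a failed `mlockall` only produces a warning, and the flags include `MCL_ONFAULT`. Since the default is now on for every Linux build, I would say both in the comment, and note that an sshd started without root is subject to `RLIMIT_MEMLOCK` and may log that warning, so users who see it know which argument to override.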
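Review bot: at new line 124 the flag is gated only on `withLinuxMemlock`, so an override that sets it to true on a non-Linux host still passes `--with-linux-memlock-onfault` to configure. Consider `lib.optional (withLinuxMemlock && stdenv.hostPlatform.isLinux)`, or an assertion next to the argument. The commit message also calls the configure option new, so it is worth confirming that every source built through `common.nix` is recent enough to recognise it.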