[PATCH] make nginx not swappable
Marcin Strągowski
marcin.stragowski at adpilot.pl
Wed May 21 14:21:17 UTC 2014
Hello, I'm new here but I work with nginx on daily basis at my company Adpilot.pl and I would like to suggest a patch to nginx.
Recently we had a need to provide a full security to our servers by securing our encryption keys and preventing them to be written on to the hard disk.
But there still was an issue with swapping out nginx - there still was (a small) possibility that in extreme situations some portion of nginx memory where keys are stored (or information which could be used to recreate keys) will be swapped out and will be written on hard drive.
Also keeping nginx out of swap has few performance benefits on heavy loaded systems ;)
In earlier Linux systems process could be kept out of swap by setting a sticky bit (chmod +S) but on all modern linux distributions - this flag doesn't work anymore.
Now it must be done manually in code, so I'm sending a patch which is adding a configuration parameter that can enable marking all nginx memory (also workers) as nonswappable.
Feedback welcome!
Thanks
Marcin Strągowski
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mlockall.patch
Type: text/x-patch
Size: 2751 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20140521/b1ed9e38/attachment.bin>
More information about the nginx-devel
mailing list