Monitor job root and kill over limit jobs

If a job were to be pointed at an abnormally large git repository (or
a maliciously large one), a clone would fill the disk. Or anything else
that might happen that writes data onto the executor disk.

We run a single thread periodically running du on the root of all jobs
on this executor. This is called the DiskAccountant.

We set a config item per executor of the limit per job. This won't
actually save a server from a full disk if many thousands of concurrent
changes are submitted, but this will prevent any accidental filling of
the disk, and make malicious disk filling much harder.

We also ignore hard links from the merge root, which will exempt bits
cloned from the merge root from disk accounting.

Change-Id: I415e5930cc3ebe2c7e1a84316e78578d6b9ecf30
Story: 2000879
Task: 3504

9 files changed
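
The accounting rule described in the commit message, as an added example that is not the project's own code: per-job usage is summed with files hard-linked from the merge root left out, and jobs over the limit are reported. It assumes a walk with os.lstat in place of du and apparent file size in place of allocated blocks; the function names, directory layout and limit are hypothetical, and killing the job is left to the caller.

```python
import os
import tempfile

def file_ids(root):
    """Yield ((device, inode), size) for every non-directory entry under root."""
    for dirpath, _dirs, files in os.walk(root):  # os.walk does not follow symlinks
        for name in files:
            st = os.lstat(os.path.join(dirpath, name))
            yield (st.st_dev, st.st_ino), st.st_size

def job_usage(job_dir, exempt):
    """Bytes a job wrote itself: each inode is counted once, and inodes that
    also exist under the merge root (hard links) are not counted at all."""
    own = {}
    for key, size in file_ids(job_dir):
        if key not in exempt:
            own[key] = size
    return sum(own.values())

def over_limit_jobs(jobs_root, merge_root, limit_bytes):
    """Names of job directories whose own usage exceeds the per-job limit."""
    exempt = {key for key, _size in file_ids(merge_root)}
    return sorted(
        e.name for e in os.scandir(jobs_root)
        if e.is_dir(follow_symlinks=False)
        and job_usage(e.path, exempt) > limit_bytes
    )

def demo():
    """Constructed layout: job-a hard-links a 4096-byte pack from the merge
    root and adds 100 bytes; job-b writes 5000 bytes of its own."""
    with tempfile.TemporaryDirectory() as top:
        merge, jobs = os.path.join(top, "merge"), os.path.join(top, "jobs")
        for d in (merge, os.path.join(jobs, "job-a"), os.path.join(jobs, "job-b")):
            os.makedirs(d)
        pack = os.path.join(merge, "pack")
        with open(pack, "wb") as f:
            f.write(b"\0" * 4096)
        os.link(pack, os.path.join(jobs, "job-a", "pack"))
        with open(os.path.join(jobs, "job-a", "log"), "wb") as f:
            f.write(b"x" * 100)
        with open(os.path.join(jobs, "job-b", "blob"), "wb") as f:
            f.write(b"x" * 5000)
        exempt = {key for key, _size in file_ids(merge)}
        return (over_limit_jobs(jobs, merge, 1024),
                job_usage(os.path.join(jobs, "job-a"), exempt))

if __name__ == "__main__":
    print(demo())
```

Matching on (device, inode) rather than on link count means a job cannot dodge accounting by hard-linking its own files to each other; only inodes that are actually present under the merge root are exempt.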