So I noticed a serious -- and somewhat funny -- problem with nfsiod
and diskless systems yesterday.  We allow the u-area of the nfsiod
process to be swapped out.

This is a problem for two reasons:

1) In the best case, it means that in a low memory situation NFS
   performance will be severly hosed as we spend a bunch of time
   paging in and out u-areas to free up memory.

2) In the worst case, it will result in a deadlock.  (Can you say
   `swapping out the swapper'?)

Oops.

The obvious thing to do is to set the P_SYSTEM flag while inside
nfssvc(), to prevent the process from ever being swapped.  However,
this has some implications:

a) P_SYSTEM currently prevents signals from being delivered to a
   process, which would prevent nfsiod from ever being killed.  I
   suggest removing these semantics, and instead having the pagedaemon
   and swapper processes set their signal masks to block all signals.

b) At least one port does some optimizations when switching into a
   P_SYSTEM process, to avoid the overhead of switching all the user
   state when switching kernel `threads'.  This means that when we
   turn *off* P_SYSTEM (in preparation for exiting nfssvc()), we need
   a macro/function to sync the user state.

c) This would also prevent the user page table pages from ever being
   destroyed.  This is worsened by the fact that nfsiod is now
   dynamically linked, and therefore uses more page table space by
   default.  Perhaps we can have some way of destroying the page table
   without swapping the u-area out.

Any comments on this?  I'd like to implement this (probably without
the refinements in part c) RFSN.