Hi, I was playing around with lxc for some time now. I used (all amd64 based) Ubuntu 12.04 with the shipped kernel 3.2.0 and the backported 3.5.0 and lxc 0.7.5. However, I also tried a vanilla 3.9.2 kernel with lxc-daily 0.9.0. So far this stuff is quite cool, but I have some considerations concerning fork bombs ... (don't want my clients' vhosts to affect others):
1) /proc/sys/kernel/pid_max can only be limited in the host, which may reduce the effect of a fork bomb. Will this be on a per-container basis? (this would be awesome)

2) apparmor: as far as I can see, apparmor's "set rlimit" cannot be used to limit the guest's number of processes.

3) Forkbombing on a 6-core CPU with one running guest (pinned to CPU number 0 and 1) also works ... but the point when the host becomes inaccessible comes later.

4) User namespaces are cool, but a simple fork bomb with only a small number of processes kills the host if the root of the guest (assuming a compromised guest) starts the fork bomb with a username outside the range of users who are mapped to host uids. Try https://github.com/linux-vserver/util-vserver/blob/master/tests/forkbomb.c

I used the classic bash fork bomb and the program from 4).

Is there anything planned to restrict exhaustive process generation in a guest, or any other means to defend against fork bombs?

bye,
Robert
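A host-side check for the two symptoms raised in items 1) and 4), namely a container's process count running away and guest processes running under a host uid outside the container's mapping, as an added example that is not part of the original mail. It assumes LXC puts each container's processes in a cgroup path containing /lxc/<name> and reads the container's uid mapping in /proc/<pid>/uid_map format (inside-uid, host-uid, count); the process table below is constructed sample data, not output from a real host.

```python
"""Per-container process census as a fork-bomb early warning (added example)."""
from collections import Counter


def parse_uid_map(text):
    """Parse /proc/<pid>/uid_map text into (inside_start, host_start, count) tuples."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            ranges.append(tuple(int(f) for f in fields))
    return ranges


def host_uid_is_mapped(host_uid, ranges):
    """True if host_uid lies inside one of the container's mapped host ranges."""
    return any(h <= host_uid < h + n for _, h, n in ranges)


def container_of(cgroup_path):
    """Extract the LXC container name from the cgroup path; None for host processes."""
    parts = cgroup_path.strip("/").split("/")
    if "lxc" in parts and parts.index("lxc") + 1 < len(parts):
        return parts[parts.index("lxc") + 1]
    return None


def census(procs, uid_maps, max_procs):
    """procs: (pid, host_uid, cgroup_path) tuples; uid_maps: {container: ranges}.
    Returns (process count per container, list of alert strings)."""
    counts, unmapped = Counter(), Counter()
    for _pid, host_uid, cgroup_path in procs:
        name = container_of(cgroup_path)
        if name is None:
            continue  # host process, not attributed to any guest
        counts[name] += 1
        if not host_uid_is_mapped(host_uid, uid_maps.get(name, [])):
            unmapped[name] += 1  # guest process outside its own uid mapping
    alerts = []
    for name, n in counts.items():
        if n > max_procs:
            alerts.append(f"{name}: {n} processes exceeds limit {max_procs}")
        if unmapped[name]:
            alerts.append(f"{name}: {unmapped[name]} processes with host uid outside uid_map")
    return counts, alerts


# Constructed sample: web1 maps to host uids 100000-165535, db1 to 200000-265535.
SAMPLE_UID_MAPS = {"web1": parse_uid_map("0 100000 65536\n"),
                   "db1": parse_uid_map("0 200000 65536\n")}
SAMPLE_PROCS = ([(1, 0, "/"), (2, 0, "/")]
                + [(100 + i, 100000, "/lxc/web1") for i in range(40)]
                + [(500, 65534, "/lxc/web1")]          # overflow uid, not mapped
                + [(600 + i, 200033, "/lxc/db1") for i in range(5)])

if __name__ == "__main__":
    counts, alerts = census(SAMPLE_PROCS, SAMPLE_UID_MAPS, max_procs=32)
    print(dict(counts))
    print("\n".join(alerts))
```

On a live host the same functions can be fed from /proc/<pid>/cgroup (path field), /proc/<pid>/status (Uid line) and the container init's /proc/<pid>/uid_map.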