[lxc-devel] process number limit

2013-05-12 Thread Robert Gierzinger
Hi,
I have been playing around with lxc for some time now. I used (all amd64 
based) Ubuntu 12.04 with the shipped kernel 3.2.0 and the backported 
3.5.0 and the lxc 0.7.5. However, I also tried a vanilla 3.9.2 kernel 
with the lxc-daily 0.9.0.
So far this stuff is quite cool, but I have some considerations 
concerning fork bombs ... (don't want my clients' vhosts to affect others):

1) /proc/sys/kernel/pid_max can only be limited in the host which may 
reduce the effect of a fork bomb, will this be on a per-container base? 
(this would be awesome)
2) apparmor: as far as I can see AppArmor's "set rlimit" cannot be used 
to limit the guest's number of processes
3) forkbombing on a 6-core cpu with one running guest (stuck to cpu 
number 0 and 1) also works ... but the point when the host becomes 
inaccessible is later
4) user namespace is cool, but a simple fork bomb with only a small 
number of processes kills the host if the root (assuming a compromised 
guest) of the guest starts the forkbomb with a username outside the 
range of users who are mapped to host-uids. Try 
https://github.com/linux-vserver/util-vserver/blob/master/tests/forkbomb.c

I used the classic bash fork bomb and the program from 4).
Is there anything planned to restrict exhaustive process generation in a 
guest or any other means to defend against fork bombs?

bye,
Robert

___
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel


Re: [lxc-devel] process number limit

2013-05-20 Thread Robert Gierzinger
Hi,

>> Is there anything planned to restrict exhaustive process generation in a
>> guest or any other means to defend against fork bombs?
> In recent kernels (such as 3.9.x) you have
> `memory.kmem.limit_in_bytes` which could be used for that purpose.
> See
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/plain/Documentation/cgroups/memory.txt
Thanks for pointing me to the right docs. I managed to get lxc to run 
with the kmem limits.
I discovered some strange behaviour, hope this is the right mailing list 
to report to.

My scenario:
*) Server is a 64-bit Intel i7 CPU with 16 GB RAM, Ubuntu 13.04 64-bit 
- I installed the supplied Ubuntu 3.8 kernel source with the 
as-experimental-marked cgroup->kmem->limit enabled.
*) Inside the container: I tried to figure out how much kernel memory to 
allocate to the container, tried various usual stuff. I realized that 
using rsync ate up all my kernel memory allocated to the container (1GB) 
when syncing a directory of about 1500 MB in size - error "Cannot 
allocate memory (12)"; of course the corresponding failcnt was not zero. 
Setting vfs_cache_pressure to a very high number and periodically 
modifying drop_caches did not help.
*) It seems that setting 512MB kernel memory for the container is OK to 
prevent a forkbomb from forkbomb.c in my last mail. The strange 
thing: allocating 1GB and forkbombing the guest results in killing the 
host. On the host, even an "ls" is not possible - getting "bash: fork: 
Cannot allocate memory". SysRq is the only thing to work with at this 
stage. However, if I left htop running in another terminal it is not 
killed and reports around 32k tasks and only around 1100MB of the 16GB 
of RAM used!

Thanks in advance for some enlightenment ;-)

Robert
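The message above reports that the cgroup's kmem failcnt was non-zero when the 1GB limit was exhausted by rsync. The following script is an added example, not code from the thread or from the lxc project: it reads the cgroup v1 memory controller counters the reply refers to (memory.kmem.limit_in_bytes, memory.kmem.usage_in_bytes, memory.kmem.failcnt, and the tasks file) for one container cgroup and flags the two warning signs a host admin would want to see before a guest hits the limit. It assumes the memory controller is mounted at /sys/fs/cgroup/memory and that the container cgroup directory is passed as the first argument (the lxc/<name> path is a placeholder); when run without arguments it builds a constructed sample cgroup directory under a temp dir so the check can be exercised without a real container.

```shell
#!/bin/sh
# Added example (not from the thread): check one container's kmem cgroup
# counters and warn when the kernel-memory limit has been hit (failcnt > 0)
# or is nearly reached. Assumes cgroup v1 memory controller layout.

CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup/memory}"   # assumed mount point

# read_counter DIR FILE: print the integer stored in DIR/FILE, or 0 if absent
read_counter() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo 0; fi
}

# count_tasks DIR: number of PIDs listed in the cgroup's tasks file
count_tasks() {
    if [ -r "$1/tasks" ]; then wc -l < "$1/tasks" | tr -d ' '; else echo 0; fi
}

# kmem_percent DIR: kmem usage as an integer percentage of the kmem limit
# (0 when no limit is set, which cgroup v1 reports as a huge value)
kmem_percent() {
    limit=$(read_counter "$1" memory.kmem.limit_in_bytes)
    usage=$(read_counter "$1" memory.kmem.usage_in_bytes)
    if [ "$limit" -le 0 ]; then echo 0; return; fi
    echo $(( usage * 100 / limit ))
}

# kmem_check DIR: print a status line; return 1 if failcnt > 0 or usage >= 90%
kmem_check() {
    dir=$1
    failcnt=$(read_counter "$dir" memory.kmem.failcnt)
    pct=$(kmem_percent "$dir")
    tasks=$(count_tasks "$dir")
    printf '%s: kmem %s%% of limit, failcnt=%s, tasks=%s\n' \
        "$dir" "$pct" "$failcnt" "$tasks"
    if [ "$failcnt" -gt 0 ] || [ "$pct" -ge 90 ]; then
        echo "  WARNING: kernel-memory limit reached or nearly reached"
        return 1
    fi
    return 0
}

# make_sample_cgroup DIR LIMIT USAGE FAILCNT NTASKS: build a constructed
# fake cgroup directory with the same file names as the real controller
make_sample_cgroup() {
    mkdir -p "$1"
    echo "$2" > "$1/memory.kmem.limit_in_bytes"
    echo "$3" > "$1/memory.kmem.usage_in_bytes"
    echo "$4" > "$1/memory.kmem.failcnt"
    awk -v n="$5" 'BEGIN { for (i = 0; i < n; i++) print 1000 + i }' > "$1/tasks"
}

# demo: run the check against constructed data mirroring the report above
# (1GB limit fully used with failures, versus a healthy container)
demo() {
    tmp=$(mktemp -d)
    make_sample_cgroup "$tmp/lxc/exhausted" 1073741824 1073741824 37 32000
    make_sample_cgroup "$tmp/lxc/healthy"   536870912  104857600  0  25
    for c in "$tmp/lxc/exhausted" "$tmp/lxc/healthy"; do
        if kmem_check "$c"; then :; fi
    done
    rm -rf "$tmp"
}

if [ -n "$1" ]; then
    if kmem_check "$CGROUP_ROOT/$1"; then :; fi    # e.g. lxc/<name>
else
    demo
fi
```

Running it periodically (cron, or a monitoring agent) against each container's cgroup gives an early signal before the guest starts failing with ENOMEM; the task count is worth logging alongside the counters because, as the message notes, a fork bomb can push tasks into the tens of thousands while the host's overall RAM usage still looks unremarkable.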

