[lxc-devel] process number limit
Robert Gierzinger
robert.gierzinger at gmx.at
Sun May 12 20:15:53 UTC 2013
Hi,
I have been playing around with lxc for some time now. I used (all amd64
based) Ubuntu 12.04 with the shipped kernel 3.2.0 and the backported
3.5.0 and lxc 0.7.5. However, I also tried a vanilla 3.9.2 kernel
with lxc-daily 0.9.0.
So far this stuff is quite cool, but I have some concerns
regarding fork bombs ... (I don't want my clients' vhosts to affect others):
1) /proc/sys/kernel/pid_max can only be limited in the host, which may
reduce the effect of a fork bomb; will this be on a per-container basis?
(this would be awesome)
2) apparmor: as far as I can see, apparmor's "set rlimit" cannot be used
to limit the guest's number of processes
3) forkbombing on a 6-core CPU with one running guest (stuck to CPUs
0 and 1) also works ... but the point when the host becomes
inaccessible comes later
4) user namespaces are cool, but a simple fork bomb with only a small
number of processes kills the host if the root of the guest (assuming a
compromised guest) starts the fork bomb with a username outside the
range of users who are mapped to host uids. Try
https://github.com/linux-vserver/util-vserver/blob/master/tests/forkbomb.c
I used the classic bash fork bomb and the program from 4).
Is there anything planned to restrict exhaustive process generation in a
guest, or any other means to defend against fork bombs?
bye,
Robert
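The rlimit mechanism behind point 2) is RLIMIT_NPROC, a per-uid cap on the number of processes. The following is an added example, not code from Robert's message or from the LXC project: an unprivileged C probe that lowers its own soft RLIMIT_NPROC to 8 and then attempts 32 forks, keeping each child alive on a pipe so it counts against the limit, and reports how many forks the kernel refused with EAGAIN. The limit values and the helper names (`cap_process_count`, `probe_fork_limit`, `demo_rlimit_nproc`) are this example's own choices. It assumes a Linux host and an unprivileged real uid: root and holders of CAP_SYS_RESOURCE or CAP_SYS_ADMIN bypass RLIMIT_NPROC entirely, and the count is kept per real uid across the whole host rather than per container, which is why an rlimit alone is a weak per-guest defence. The kernel-enforced per-container answer is the pids cgroup controller, which arrived in Linux 4.3, after this thread; later LXC versions expose it through the `lxc.cgroup.<controller>.<key>` config form (for example `lxc.cgroup.pids.max`).

```c
/* Added example (not from the thread or the LXC project): probe how the
 * per-uid RLIMIT_NPROC cap behaves for the calling uid. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Lower this process's soft RLIMIT_NPROC to `limit` (clamped to the hard
 * limit). Lowering a soft limit needs no privilege; children inherit it.
 * Returns 0 on success, -1 on error. */
int cap_process_count(rlim_t limit)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0)
        return -1;
    if (rl.rlim_max != RLIM_INFINITY && rl.rlim_max < limit)
        limit = rl.rlim_max;
    rl.rlim_cur = limit;
    return setrlimit(RLIMIT_NPROC, &rl);
}

/* Try to fork `attempts` children that block on a pipe until the parent
 * releases them, so they stay alive and count against the limit. On return
 * *eagain holds how many forks the kernel refused with EAGAIN (the error
 * RLIMIT_NPROC produces). Returns the number of children created, or -1 on
 * an unexpected error. Every child is reaped before returning. */
int probe_fork_limit(int attempts, int *eagain)
{
    int fds[2];
    pid_t *kids;
    int created = 0;

    *eagain = 0;
    if (attempts <= 0 || pipe(fds) != 0)
        return -1;
    kids = calloc((size_t)attempts, sizeof *kids);
    if (!kids) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    for (int i = 0; i < attempts; i++) {
        pid_t pid = fork();
        if (pid == 0) {
            char c;
            close(fds[1]);              /* child: drop its write end ... */
            (void)read(fds[0], &c, 1);  /* ... and sleep until EOF */
            _exit(0);
        }
        if (pid > 0) {
            kids[created++] = pid;
        } else if (errno == EAGAIN) {
            (*eagain)++;                /* cap hit: keep probing */
        } else {
            break;                      /* ENOMEM etc.: stop probing */
        }
    }
    close(fds[1]);                      /* EOF on the pipe wakes every child */
    close(fds[0]);
    for (int i = 0; i < created; i++)
        waitpid(kids[i], NULL, 0);
    free(kids);
    return created;
}

/* Cap this uid at 8 processes, then try 32 forks.
 * Returns 1 if the kernel enforced the cap (at least one EAGAIN), 0 if every
 * fork succeeded (root and CAP_SYS_RESOURCE/CAP_SYS_ADMIN holders bypass
 * RLIMIT_NPROC, so a compromised guest root is not held by it), -1 on error. */
int demo_rlimit_nproc(void)
{
    int refused;
    int created;
    if (cap_process_count(8) != 0)
        return -1;
    created = probe_fork_limit(32, &refused);
    if (created < 0)
        return -1;
    printf("uid %u: %d forks succeeded, %d refused with EAGAIN\n",
           (unsigned)getuid(), created, refused);
    return refused > 0 ? 1 : 0;
}

int main(void)
{
    return demo_rlimit_nproc() < 0 ? 1 : 0;
}
```

Run it as an ordinary user and the refused count is non-zero; run it as root and every fork succeeds, which is exactly the gap a per-uid rlimit leaves against a compromised guest root.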