[lxc-devel] Fork-bomb test
Nishant Agrawal
nragrawal at cs.wisc.edu
Thu Nov 20 17:54:46 UTC 2014
Using an unprivileged container is one option, but not an intuitive one.
I know that the task-limiting subsystem hasn't made it into the kernel source
code yet. But I have tried to use memory.kmem.limit_in_bytes - 1G, which
looks like it was implemented for the same purpose, or even for a more generic
purpose.
The notion behind that was to account kernel memory usage so that when the
kernel stack grows because of new processes it will eventually reach a
limit, after which the OOM killer should come into the picture and kill all the processes.
I am not able to see it happen, though.
Please, correct me if I am wrong.
See the discussion at
https://lists.linuxcontainers.org/pipermail/lxc-devel/2013-May/004371.html
for more details.
The patch set that implements it:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1348688
In the end, should I assume that there is no other way to prevent a fork
bomb inside Linux containers other than using an unprivileged container and
some security features of AppArmor?
Regards,
Nishant
On 2014-11-20 02:24, Tamas Papp wrote:
> On 11/20/2014 05:19 AM, Nishant Agrawal wrote:
>> Hi Folks,
>>
>> I am trying to run a fork bomb test inside a container to measure the
>> extent of isolation containers provide. I am observing that even after
>> putting all the available limits in place, my host system becomes unresponsive
>> after some time. Can someone throw light on what the issue might be?
>> Doesn't LXC handle situations like fork bombs?
>>
>> I am running linux kernel 3.13.0.36generic.
>> I am setting the limits below on the program:
>>
>> memory.limit_in_bytes 2G
>> memory.soft_limit_in_bytes 1G
>> memory.memsw.limit_in_bytes 3G
>> memory.kmem.limit_in_bytes - 1G
>>
>> Any help is appreciated.
>
> IMO the problem is that the number of processes is not and cannot be
> limited.
> There was a kernel patch but as far as I can tell it was not accepted on
> LKML.
>
> However, you may try to run an unprivileged container and control the
> resource usage via ulimit.
>
>
> cheers,
> tamas
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
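A check for the question this thread keeps circling (is anything in the container's cgroup actually capping the task count, or only memory?), added here as an example; it is not code from LXC or from any of the thread's participants. It reads the cgroup v1 memory files the thread sets and also looks for the pids controller, which was merged in Linux 4.3, after this thread, and supplies the task-count limit that was missing on 3.13 (an `lxc.cgroup.pids.max = 512` line in the container config sets it). The cgroup directory paths and the "unlimited" threshold are assumptions noted in the comments; the two snapshots at the bottom are constructed, one mirroring the thread's limits and one with pids.max added.

```python
"""Report what a container's cgroup limits actually bound.

Added example for the lxc-devel thread above; not code from LXC or from the
thread's authors. It reads the cgroup v1 memory files the thread sets, plus
the pids controller merged later (Linux 4.3), and says whether anything caps
the task count (the resource a fork bomb exhausts) or only kernel memory.
"""
import os
import sys

# cgroup v1 memory files report "no limit" as a huge sentinel whose exact
# value depends on the kernel (ULLONG_MAX on 3.x res_counter kernels, a
# page-rounded PAGE_COUNTER_MAX on later ones). Assumption: no real limit is
# ever this large, so anything at or above it is treated as unlimited.
UNLIMITED_THRESHOLD = 1 << 62

SIZE_SUFFIXES = {"K": 1 << 10, "M": 1 << 20, "G": 1 << 30, "T": 1 << 40}

CONTROL_FILES = (
    "memory.limit_in_bytes",
    "memory.soft_limit_in_bytes",
    "memory.memsw.limit_in_bytes",
    "memory.kmem.limit_in_bytes",
    "pids.max",
    "pids.current",
)


def parse_limit(text):
    """Parse a limit as a cgroup file shows it ('1073741824', 'max') or as an
    lxc.cgroup.* config value shows it ('1G'). Returns None when unlimited."""
    value = text.strip()
    if value in ("max", "-1"):
        return None
    suffix = value[-1].upper()
    if suffix in SIZE_SUFFIXES:
        number = int(value[:-1]) * SIZE_SUFFIXES[suffix]
    else:
        number = int(value)
    return None if number >= UNLIMITED_THRESHOLD else number


def read_cgroup_snapshot(cgroup_dirs):
    """Collect CONTROL_FILES from live cgroup directories, e.g.
    /sys/fs/cgroup/memory/lxc/<name> and /sys/fs/cgroup/pids/lxc/<name>
    (assumed paths; the layout depends on the host). Missing files are
    skipped, so an absent controller shows up as absence in the snapshot."""
    snapshot = {}
    for directory in cgroup_dirs:
        for name in CONTROL_FILES:
            path = os.path.join(directory, name)
            if os.path.isfile(path):
                with open(path) as fh:
                    snapshot[name] = fh.read()
    return snapshot


def assess(snapshot):
    """Return {'task_count_bounded', 'kernel_memory_bounded', 'notes'} for a
    {filename: content} snapshot."""
    notes = []

    pids_max = parse_limit(snapshot["pids.max"]) if "pids.max" in snapshot else None
    task_count_bounded = pids_max is not None
    if task_count_bounded:
        notes.append("pids.max=%d caps the number of tasks directly" % pids_max)
    elif "pids.max" in snapshot:
        notes.append("pids controller present but pids.max is 'max': task count uncapped")
    else:
        notes.append("no pids controller (kernel < 4.3 or not mounted): task count uncapped")

    kmem = parse_limit(snapshot.get("memory.kmem.limit_in_bytes", "max"))
    kernel_memory_bounded = kmem is not None
    if kernel_memory_bounded:
        notes.append(
            "memory.kmem.limit_in_bytes=%d bounds kernel memory (stacks, task_structs), "
            "not the task count; on the 3.x kernels of this thread the write is refused "
            "with EBUSY unless the cgroup still has no tasks and no children, so a limit "
            "written after the first task joined was rejected rather than applied" % kmem)
    else:
        notes.append("no kernel memory limit: user memory limits do not count kernel stacks")

    return {
        "task_count_bounded": task_count_bounded,
        "kernel_memory_bounded": kernel_memory_bounded,
        "notes": notes,
    }


# Constructed snapshot mirroring the thread's limits on a 3.13 kernel:
# memory controller only, no pids controller.
THREAD_SNAPSHOT = {
    "memory.limit_in_bytes": "2147483648\n",
    "memory.soft_limit_in_bytes": "1073741824\n",
    "memory.memsw.limit_in_bytes": "3221225472\n",
    "memory.kmem.limit_in_bytes": "1073741824\n",
}

# Constructed snapshot with the pids controller (Linux 4.3+), as produced by
# an lxc.cgroup.pids.max = 512 config line.
PIDS_SNAPSHOT = dict(THREAD_SNAPSHOT, **{"pids.max": "512\n", "pids.current": "37\n"})


if __name__ == "__main__":
    # Usage: python forkbomb_containment_check.py [cgroup_dir ...]
    # With no arguments, the two constructed snapshots are assessed.
    if len(sys.argv) > 1:
        samples = {"live": read_cgroup_snapshot(sys.argv[1:])}
    else:
        samples = {"thread (3.13)": THREAD_SNAPSHOT, "with pids.max": PIDS_SNAPSHOT}
    for label, snapshot in samples.items():
        result = assess(snapshot)
        print("%s: task_count_bounded=%s kernel_memory_bounded=%s"
              % (label, result["task_count_bounded"], result["kernel_memory_bounded"]))
        for note in result["notes"]:
            print("  - " + note)
```

Run without arguments to see the two constructed cases, or pass the container's memory and pids cgroup directories to assess a live container. On why Tamas's ulimit suggestion only helps in an unprivileged container: RLIMIT_NPROC (`ulimit -u`) is counted per real uid and is skipped in fork() for the init user and for tasks holding CAP_SYS_RESOURCE or CAP_SYS_ADMIN, so root in a privileged container is exempt, while root in an unprivileged container is an ordinary host uid without those capabilities and the limit is enforced.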