[lxc-devel] Fork-bomb test

Nishant Agrawal nragrawal at cs.wisc.edu
Thu Nov 20 17:54:46 UTC 2014


Using an unprivileged container is one option, but not an intuitive one.

I know that the task limiting subsystem hasn't made it into the kernel source 
code yet. But I have tried to use memory.kmem.limit_in_bytes - 1G, which 
looks like it is implemented for the same purpose, or even for a more generic 
purpose.

The notion behind that was to account for kernel memory usage so that when 
the kernel stack grows because of new processes it will eventually reach a 
limit, after which the OOM killer should come into the picture and kill all the 
processes. I am not able to see that happen, though.

Please, correct me if I am wrong.

See discussion 
https://lists.linuxcontainers.org/pipermail/lxc-devel/2013-May/004371.html 
for more details.
Patch set which implements it: 
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1348688

In the end, should I assume that there is no other way to prevent a fork 
bomb inside Linux containers other than using an unprivileged container and 
some security features of AppArmor?

Regards,
Nishant

On 2014-11-20 02:24, Tamas Papp wrote:
> On 11/20/2014 05:19 AM, Nishant Agrawal wrote:
>> Hi Folks,
>> 
>> I am trying to run a fork bomb test inside a container to measure the 
>> extent of isolation containers provide. I am observing that even after 
>> putting all the available limits in place, my host system becomes unresponsive 
>> after some time. Can someone throw light on what the issue might be? 
>> Doesn't LXC handle situations like fork bombs?
>> 
>> I am running Linux kernel 3.13.0.36-generic.
>> I am setting the limits below on the program:
>> 
>>  memory.limit_in_bytes 2G
>>  memory.soft_limit_in_bytes 1G
>>  memory.memsw.limit_in_bytes 3G
>>  memory.kmem.limit_in_bytes - 1G
>> 
>> Any help is appreciated.
> 
> IMO the problem is that the number of processes is not and cannot be 
> limited.
> There was a kernel patch but as far as I can tell it was not accepted on 
> LKML.
> 
> However, you may try to run an unprivileged container and control the
> resource usage via ulimit.
> 
> 
> cheers,
> tamas
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
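As an added example, not from this thread or the LXC project, a small Python audit of the limits listed in the original post: it parses cgroup size values and flags that memory-only limits leave the process count unbounded, while a task limit closes that gap. It assumes the pids cgroup controller (pids.max), which was merged into Linux later than the 3.13 kernel discussed here; the value 512 and the config fragments are constructed samples.

```python
"""Audit a container's cgroup limits for fork-bomb exposure (added example)."""
import re

UNITS = {"": 1, "K": 1 << 10, "M": 1 << 20, "G": 1 << 30, "T": 1 << 40}

# The four limits from the original post, as a constructed config fragment.
OP_LIMITS = """
memory.limit_in_bytes 2G
memory.soft_limit_in_bytes 1G
memory.memsw.limit_in_bytes 3G
memory.kmem.limit_in_bytes 1G
"""
# Same limits plus a task limit via the pids controller (assumed available).
HARDENED_LIMITS = OP_LIMITS + "lxc.cgroup.pids.max = 512\n"


def parse_size(value):
    """'2G', '512M', '1048576' -> bytes; 'max' or '-1' -> None (unlimited)."""
    value = value.strip()
    if value in ("max", "-1"):
        return None
    m = re.fullmatch(r"(\d+)\s*([KMGT]?)", value, re.IGNORECASE)
    if not m:
        raise ValueError(f"unparseable size: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2).upper()]


def parse_limits(text):
    """Parse 'key value' or 'lxc.cgroup.key = value' lines into a dict."""
    limits = {}
    for line in text.splitlines():
        line = re.sub(r"^lxc\.cgroup\.", "", line.strip())
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            limits[parts[0]] = parts[1]
    return limits


def audit(limits):
    """Return findings; an empty list means the process count is bounded."""
    findings = []
    if limits.get("pids.max", "max") == "max":
        findings.append("no task limit (pids.max): process count is unbounded")
    if parse_size(limits.get("memory.kmem.limit_in_bytes", "max")) is None:
        findings.append("no kmem limit: kernel stacks are not accounted")
    return findings
```

Running `audit(parse_limits(OP_LIMITS))` reports only the missing task limit, which is exactly the gap the thread concludes the memory limits cannot cover.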
