[lxc-devel] [lxd/master] containers: Default to pids cgroup for fork bomb mitigation

stgraber on Github lxc-bot at linuxcontainers.org
Fri Feb 2 09:53:13 UTC 2018


From 959b822027b16cba6d47aaf222dd0a7eb07a3b9b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Fri, 2 Feb 2018 10:52:51 +0100
Subject: [PATCH] containers: Default to pids cgroup for fork bomb mitigation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/container_lxc.go | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 16c461ef0..301c69b26 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -2519,17 +2519,23 @@ func (c *containerLXC) Stop(stateful bool) error {
 		return err
 	}
 
-	// Attempt to freeze the container first, helps massively with fork bombs
-	freezer := make(chan bool, 1)
-	go func() {
-		c.Freeze()
-		freezer <- true
-	}()
-
-	select {
-	case <-freezer:
-	case <-time.After(time.Second * 5):
-		c.Unfreeze()
+	// Fork-bomb mitigation, prevent forking from this point on
+	if c.state.OS.CGroupPidsController {
+		// Attempt to disable forking new processes
+		c.CGroupSet("pids.max", "0")
+	} else {
+		// Attempt to freeze the container
+		freezer := make(chan bool, 1)
+		go func() {
+			c.Freeze()
+			freezer <- true
+		}()
+
+		select {
+		case <-freezer:
+		case <-time.After(time.Second * 5):
+			c.Unfreeze()
+		}
 	}
 
 	if err := c.c.Stop(); err != nil {
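Review bot: The result of `c.CGroupSet("pids.max", "0")` is discarded, so when the pids controller is reported available but the write fails (controller not mounted for this container, permission or I/O error), the freeze fallback in the else branch is skipped and the container is stopped with neither mitigation in place — exactly the fork-bomb case this change targets. If CGroupSet returns an error like the other cgroup helpers appear to, the branch should only count the mitigation as applied on success and otherwise fall through to the freeze path, rather than treating `CGroupPidsController` alone as proof that forking is blocked. A short comment noting that `pids.max = 0` only prevents new forks and leaves already-running processes to be handled by the following `c.c.Stop()` would also help the next reader. The enclosing `Stop` method starts before and continues after the hunk.
```go
	// Fork-bomb mitigation, prevent forking from this point on
	forkingBlocked := false
	if c.state.OS.CGroupPidsController {
		// Attempt to disable forking new processes; only trust the
		// mitigation if the cgroup write actually succeeded.
		if err := c.CGroupSet("pids.max", "0"); err == nil {
			forkingBlocked = true
		}
	}

	if !forkingBlocked {
		// … unchanged: freeze attempt with the 5s timeout and Unfreeze on expiry …
	}
```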

