[lxc-devel] [lxd/master] containers: Default to pids cgroup for fork bomb mitigation
stgraber on Github
lxc-bot at linuxcontainers.org
Fri Feb 2 09:53:13 UTC 2018
From 959b822027b16cba6d47aaf222dd0a7eb07a3b9b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Fri, 2 Feb 2018 10:52:51 +0100
Subject: [PATCH] containers: Default to pids cgroup for fork bomb mitigation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
lxd/container_lxc.go | 28 +++++++++++++++++-----------
1 file changed, 17 insertions(+), 11 deletions(-)
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 16c461ef0..301c69b26 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -2519,17 +2519,23 @@ func (c *containerLXC) Stop(stateful bool) error {
return err
}
- // Attempt to freeze the container first, helps massively with fork bombs
- freezer := make(chan bool, 1)
- go func() {
- c.Freeze()
- freezer <- true
- }()
-
- select {
- case <-freezer:
- case <-time.After(time.Second * 5):
- c.Unfreeze()
+ // Fork-bomb mitigation, prevent forking from this point on
+ if c.state.OS.CGroupPidsController {
+ // Attempt to disable forking new processes
+ c.CGroupSet("pids.max", "0")
+ } else {
+ // Attempt to freeze the container
+ freezer := make(chan bool, 1)
+ go func() {
+ c.Freeze()
+ freezer <- true
+ }()
+
+ select {
+ case <-freezer:
+ case <-time.After(time.Second * 5):
+ c.Unfreeze()
+ }
}
if err := c.c.Stop(); err != nil {
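Review bot: The return value of `c.CGroupSet("pids.max", "0")` on the new pids branch is discarded, so if the write fails (read-only or missing cgroup, unexpected controller layout) the container keeps forking during the stop and the freezer fallback in the else branch is never tried — the mitigation fails silently exactly when it is needed. Checking the error and falling through to the freezer path keeps the previous behaviour as a safety net, assuming CGroupSet returns an error as its only result. Note also that the freezer branch undoes itself with `c.Unfreeze()` on timeout, while nothing in this hunk resets `pids.max` if `c.c.Stop()` then fails; the rest of Stop is outside the hunk, so whether a later cleanup restores the limit cannot be seen here and is worth confirming.
```go
	// Fork-bomb mitigation, prevent forking from this point on
	pidsLimited := false
	if c.state.OS.CGroupPidsController {
		// Attempt to disable forking new processes; on failure fall back to freezing
		pidsLimited = c.CGroupSet("pids.max", "0") == nil
	}
	if !pidsLimited {
		// … unchanged: freezer goroutine and 5s select …
	}
```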