On Mon, Oct 13, 2008 at 3:31 PM, mabshoff <[EMAIL PROTECTED]> wrote: > > On Oct 13, 3:05 pm, "Timothy Clemans" <[EMAIL PROTECTED]> > wrote: > > Hi Timothy, > >> I had never heard of "fork bomb" until now. According to Wikipedia, >> it's somewhat preventable by implementing a limit of the number of >> processes per user. > > just read "man ulimit" :) > >> I like the fact that Knoboo makes it easy to run the actual Sage >> processes on a completely different machine or at least in a virtual >> machine. At some point Knoboo might have a system for dealing with >> down kernel servers where one can still access and download notebooks. > > Nope, once you fork bomb and you do not have a root shell open to the > box it is game over in the vast majority of cases. Any external access > usually requires a fork of some sort and since someone just fork > bombed the box it is a gonner. > >> Would the entire Sage Notebook be ran in a VMWare image or the >> individual Sage per sage unix user processes inside their own? So like >> sage0 would have a virtual machine, sage1 would have its own, etc.
Below is a snippet from knoboo-devel that describes how to use Xen as the backed Kernel Server, allows the frontend (Application Server) and all user data to survive a backend (Kernel Server) attack. (as Dorian already described) There is a good image here: http://trac.knoboo.com/wiki/Security the describes the architecture visually. (In the diagram the Notebook processes are the Interpreters a.k.a "Engine Server"s.) Here is the thread that describes (basically) how to set up Xen on Ubuntu: === [from message http://groups.google.com/group/knoboo-devel/msg/3540f4dc131b7453] === A solution that I very much favor is setting up a dedicated virtual machine (Xen, for example) that acts as a sandbox for the kernel. The architecture of knoboo is such that you can run the 'kernel server' remotely (or, in the case of a local virtual machine, in your LAN). Then, when you start knoboo, you just specify the remote kernel like so: ./knoboo-start -h some_host_ip_or_domain_name -q the_kernel_server_port this assumes that you already started up the kernel on the virtual machine like so "./kernel-start" (which is turn relies on having knoboo on the virtual machine). The very cool part about this is that *no state* is ever kept on the kernel server, so it can blow up and no data will be lost :). It also has the benefit of allowing you to tweak the networking and resource precisely to meet your requirements because it is a completely dedicated (virtual) machine. I have experience with Xen on ubuntu, and setting it up can potentially be very easy (for debian based distros, but YMMV): get the packages: $ sudo apt-get install ubuntu-xen-server libc6-xen use 'xen-tools' (which gets installed from the above apt-get) to create a virtual machine: $ sudo xen-create-image --hostname=knoboo_kernel --dist=gutsy --ip=192.168.X.X now log into 'knoboo_kernel': $ sudo xm console knoboo_kernel Now install the knoboo dependencies. === --~--~---------~--~----~------------~-------~--~----~ To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/sage-devel URLs: http://www.sagemath.org -~----------~----~----~----~------~----~------~--~---
