Bug#923889: google-compute-image-packages - DoS via serial console write

2019-03-08 Thread Ross Vandegrift
On Fri, Mar 08, 2019 at 10:59:33AM +0100, Bastian Blank wrote:
> In normal operation, the rate limit of journald might make sure it does
> not come to really blocking.

Ahh, that would do it, thanks.

> What happens for use cases where you need to disable this rate limit?
> Mail servers with Postfix, which exclusively uses syslog that is
> redirected to the journal, need this, or they will lose logs.
> 
> On Azure we tried the same for a short time period.  It got quite messy
> and also triggered bugs in the platform.

For sure - I wasn't defending the change, just surprised when I couldn't
reproduce the problem.

> I assume the initial goal was to get the log output of the provisioning
> daemons on the serial console.  This goal was also mentioned in the
> formerly shipped rsyslog config snippet.
>
> Forwarding all log traffic there completely destroys that ability, as it
> will be drowned by irrelevant log traffic.  Also the log buffer is
> limited in size.

Yep, agreed.

Ross



Bug#923889: google-compute-image-packages - DoS via serial console write

2019-03-08 Thread Bastian Blank
On Thu, Mar 07, 2019 at 02:25:12PM -0800, Ross Vandegrift wrote:
> On Wed, Mar 06, 2019 at 07:49:38PM +0100, Bastian Blank wrote:
> > This package instructs journald to duplicate everything sent to the
> > journal to the serial console.  The serial console is a pretty rate
> > limited log output device and blocking there will make all software with
> > any log output block.
> This doesn't seem to affect all software - I tried to reproduce with
> logger, but it doesn't block.  Maybe this only affects some logging
> transports?

In normal operation, the rate limit of journald might make sure it does
not come to really blocking.

What happens for use cases where you need to disable this rate limit?
Mail servers with Postfix, which exclusively uses syslog that is
redirected to the journal, need this, or they will lose logs.

On Azure we tried the same for a short time period.  It got quite messy
and also triggered bugs in the platform.

> I agree it's a problematic default - GCE serial console data is
> currently stored unencrypted.  That could be an unpleasant surprise.

I assume the initial goal was to get the log output of the provisioning
daemons on the serial console.  This goal was also mentioned in the
formerly shipped rsyslog config snippet.

Forwarding all log traffic there completely destroys that ability, as it
will be drowned by irrelevant log traffic.  Also the log buffer is
limited in size.

Regards,
Bastian

-- 
Women professionals do tend to over-compensate.
-- Dr. Elizabeth Dehaver, "Where No Man Has Gone Before",
   stardate 1312.9.



Bug#923889: google-compute-image-packages - DoS via serial console write

2019-03-07 Thread Thomas Goirand
On 3/7/19 11:25 PM, Ross Vandegrift wrote:
> On Wed, Mar 06, 2019 at 07:49:38PM +0100, Bastian Blank wrote:
>> This package instructs journald to duplicate everything sent to the
>> journal to the serial console.  The serial console is a pretty rate
>> limited log output device and blocking there will make all software with
>> any log output block.
> 
> This doesn't seem to affect all software - I tried to reproduce with
> logger, but it doesn't block.  Maybe this only affects some logging
> transports?
> 
> I agree it's a problematic default - GCE serial console data is
> currently stored unencrypted.  That could be an unpleasant surprise.
> 
> Ross

Ross,

Bastian is right that what's been done is a very bad idea. I would
suggest that the issue is taken seriously, and the change be
reverted. In many situations, the serial port won't be fast enough.

Cheers,

Thomas Goirand (zigo)



Bug#923889: google-compute-image-packages - DoS via serial console write

2019-03-07 Thread Ross Vandegrift
On Wed, Mar 06, 2019 at 07:49:38PM +0100, Bastian Blank wrote:
> This package instructs journald to duplicate everything sent to the
> journal to the serial console.  The serial console is a pretty rate
> limited log output device and blocking there will make all software with
> any log output block.

This doesn't seem to affect all software - I tried to reproduce with
logger, but it doesn't block.  Maybe this only affects some logging
transports?

I agree it's a problematic default - GCE serial console data is
currently stored unencrypted.  That could be an unpleasant surprise.

Ross



Bug#923889: google-compute-image-packages - DoS via serial console write

2019-03-06 Thread Bastian Blank
Package: google-compute-image-packages
Version: 20190124-2
Severity: grave

This package instructs journald to duplicate everything sent to the
journal to the serial console.  The serial console is a pretty rate
limited log output device and blocking there will make all software with
any log output block.

Bastian

-- 
We have found all life forms in the galaxy are capable of superior
development.
-- Kirk, "The Gamesters of Triskelion", stardate 3211.7
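
Added example, not part of the thread or of the package: a small audit of journald settings for the combination discussed above, namely console forwarding that is unfiltered and, per the follow-up about mail servers, running with the rate limit disabled. The sample config texts, the `/dev/ttyS0` path and the finding strings are constructed for illustration; key names and defaults are those documented in journald.conf(5).

```python
import re

# Defaults from journald.conf(5) for the keys relevant to this bug.
DEFAULTS = {"ForwardToConsole": "no", "TTYPath": "/dev/console",
            "MaxLevelConsole": "info", "RateLimitIntervalSec": "30s",
            "RateLimitBurst": "10000"}
VERBOSE_LEVELS = {"info", "debug", "6", "7"}

def effective_settings(config_texts):
    """Merge [Journal] keys from config texts given in load order; later wins."""
    settings = dict(DEFAULTS)
    for text in config_texts:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
            elif section == "Journal" and "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                if key in DEFAULTS and value:  # empty assignments ignored (simplification)
                    settings[key] = value
    return settings

def rate_limit_disabled(settings):
    """journald disables rate limiting when either value is 0."""
    interval_zero = re.fullmatch(r"0+[a-z]*", settings["RateLimitIntervalSec"].lower())
    return settings["RateLimitBurst"] == "0" or interval_zero is not None

def findings(settings):
    """Return findings (wording made up for this example) for risky combinations."""
    if settings["ForwardToConsole"].lower() not in ("yes", "true", "on", "1"):
        return []
    out = ["forwarding to " + settings["TTYPath"]]
    if settings["MaxLevelConsole"].lower() in VERBOSE_LEVELS:
        out.append("unfiltered: all log traffic reaches the console")
    if rate_limit_disabled(settings):
        out.append("rate limit off: slow console can stall log writers")
    return out

# Constructed sample input, not the package's actual files.
MAIN_CONF = "[Journal]\n#ForwardToConsole=no\nRateLimitBurst=0\n"
DROP_IN = "[Journal]\nForwardToConsole=yes\nTTYPath=/dev/ttyS0\n"

if __name__ == "__main__":
    for item in findings(effective_settings([MAIN_CONF, DROP_IN])):
        print(item)
```

On a real system, pass the contents of the main journald.conf followed by its drop-ins in the order systemd loads them.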