Re: userns, netns, and quick physical memory consumption by unprivileged user

2016-03-14 Thread Michal Hocko
On Fri 11-03-16 18:06:59, Yuriy M. Kaminskiy wrote:
[...]
> And also tried with memcg:
> t=/sys/fs/cgroup/memory/test1;mkdir $t;echo 0 >$t/tasks;
> echo 48M >$t/memory.limit_in_bytes; su testuser
[...]
> and it has not helped at all (rather opposite, it ended up with killed
> init and kernel

Re: userns, netns, and quick physical memory consumption by unprivileged user

2016-03-12 Thread Pablo Neira Ayuso
On Fri, Mar 11, 2016 at 04:34:06PM +0100, Florian Westphal wrote:
> Yuriy M. Kaminskiy wrote:
> > BTW, all those hash/conntrack/etc default sizes were calculated from
> > physical memory size on the assumption there will be only *one* instance of
> > those tables. Obviously,

Re: userns, netns, and quick physical memory consumption by unprivileged user

2016-03-11 Thread Yuriy M. Kaminskiy
ping (+ more test results at bottom)

On Wed, 02 Mar 2016, I wrote:
> While looking at CVE-2016-2847, I remembered the infamous
> nf_conntrack: falling back to vmalloc
> message, that was often triggered by network namespace creation (message
> was removed recently, but it changed nothing

Re: userns, netns, and quick physical memory consumption by unprivileged user

2016-03-11 Thread Florian Westphal
Yuriy M. Kaminskiy wrote:
> BTW, all those hash/conntrack/etc default sizes were calculated from
> physical memory size on the assumption there will be only *one* instance of
> those tables. Obviously, introduction of network namespaces (and
> especially unprivileged user-ns) threw
