The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/4215
This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.
=== Description (from pull-request) ===
Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
From 959b822027b16cba6d47aaf222dd0a7eb07a3b9b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Fri, 2 Feb 2018 10:52:51 +0100
Subject: [PATCH] containers: Default to pids cgroup for fork bomb mitigation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
lxd/container_lxc.go | 28 +++++++++++++++++-----------
1 file changed, 17 insertions(+), 11 deletions(-)
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 16c461ef0..301c69b26 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -2519,17 +2519,23 @@ func (c *containerLXC) Stop(stateful bool) error {
return err
}
- // Attempt to freeze the container first, helps massively with fork
bombs
- freezer := make(chan bool, 1)
- go func() {
- c.Freeze()
- freezer <- true
- }()
-
- select {
- case <-freezer:
- case <-time.After(time.Second * 5):
- c.Unfreeze()
+ // Fork-bomb mitigation, prevent forking from this point on
+ if c.state.OS.CGroupPidsController {
+ // Attempt to disable forking new processes
+ c.CGroupSet("pids.max", "0")
+ } else {
+ // Attempt to freeze the container
+ freezer := make(chan bool, 1)
+ go func() {
+ c.Freeze()
+ freezer <- true
+ }()
+
+ select {
+ case <-freezer:
+ case <-time.After(time.Second * 5):
+ c.Unfreeze()
+ }
}
if err := c.c.Stop(); err != nil {
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
