The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/4215
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
From 959b822027b16cba6d47aaf222dd0a7eb07a3b9b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Fri, 2 Feb 2018 10:52:51 +0100
Subject: [PATCH] containers: Default to pids cgroup for fork bomb mitigation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 lxd/container_lxc.go | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 16c461ef0..301c69b26 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -2519,17 +2519,23 @@ func (c *containerLXC) Stop(stateful bool) error {
 return err
 }
 
- // Attempt to freeze the container first, helps massively with fork bombs
- freezer := make(chan bool, 1)
- go func() {
- c.Freeze()
- freezer <- true
- }()
-
- select {
- case <-freezer:
- case <-time.After(time.Second * 5):
- c.Unfreeze()
+ // Fork-bomb mitigation, prevent forking from this point on
+ if c.state.OS.CGroupPidsController {
+ // Attempt to disable forking new processes
+ c.CGroupSet("pids.max", "0")
+ } else {
+ // Attempt to freeze the container
+ freezer := make(chan bool, 1)
+ go func() {
+ c.Freeze()
+ freezer <- true
+ }()
+
+ select {
+ case <-freezer:
+ case <-time.After(time.Second * 5):
+ c.Unfreeze()
+ }
 }
 
 if err := c.c.Stop(); err != nil {
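Review bot: The return value of `c.CGroupSet("pids.max", "0")` is discarded, so when that write fails the container is neither fork-limited nor frozen and Stop carries on with no mitigation at all, whereas before this change the freeze path always ran. Since the freezer code is kept in the else branch, it can serve as the fallback: record whether the limit took effect and freeze only when it did not, as sketched below. It is also worth checking, though it lies outside the hunk, that the error path after `c.c.Stop()` restores pids.max, since a failed stop would presumably leave the container permanently unable to fork, unlike the timed-out freeze which calls `c.Unfreeze()`. Stop's body begins and ends outside the hunk.

```go
	// Fork-bomb mitigation, prevent forking from this point on
	forkLimited := false
	if c.state.OS.CGroupPidsController {
		// Attempt to disable forking new processes; fall back to freezing if the write fails
		forkLimited = c.CGroupSet("pids.max", "0") == nil
	}

	if !forkLimited {
		// Attempt to freeze the container
		// … unchanged: freezer goroutine and 5s select …
	}
```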