On Mon, Jun 06, 2011 at 11:30:08AM -0500, Serge Hallyn wrote:
> Quoting Tim Gardner ([email protected]):
> > On 06/01/2011 12:57 PM, Serge Hallyn wrote:
> > > Hi,
> > >
> > > vsftpd spawns a network namespace in response to each client connection.
> > > Lucid kernel is slow to release network namespaces, which results, in
> > > bug 720095, in an easy remote DOS. The maverick kernel has a fix for
> > > this, but it is hard to cherrypick.
> > >
> > > The bug was resolved by compiling the lucid kernel without
> > > CONFIG_NET_NS. I'm emailing to ask that we reconsider that solution.
> > >
> > > Turning off CONFIG_NET_NS prevents libvirt from creating all containers
> > > (lxc:///), and prevents lxc from creating most useful containers,
> > > resulting in bug 790863. There is the workaround of installing the
> > > backported kernel, but I don't believe that will satiate users who
> > > really want LTS stability. For those users, we are effectively telling
> > > them that they cannot use containers until 12/04.
> > >
> >
> > What is wrong with suggesting the use of LTS backported kernels? The
> > UDS decision to support these kernels until the next LTS should
> > provide the same level of stability. We (the kernel team) are very
>
> I guess that depends on how LTS customers feel about "potential of
> regressions, but supported" versus "the only updates will be security
> updates."
>
> I hadn't realized that the LTS backported kernels are supported. I
> thought it was less formal than that.
>
> I'll leave it sit here, then. Thanks again.
It was also pointed out[1] by Chris Evans, the author of vsftpd, that
disabling the use of network namespaces by vsftpd just requires setting:

  isolate_network=NO

in vsftpd.conf.

Ah, looking at the bug report, it seems you proposed a patch to vsftpd to
turn off network isolation (i.e. use of CLONE_NEWNET) by default for
lucid, but then didn't pursue that any further. Perhaps that's the way
forward, to disable it by default in vsftpd there and look for additional
sources in the lucid archive that allow a new network namespace to be
triggered by an unprivileged user (as vsftpd does here). The only
downside would be that anything outside of the archive that made use of
CLONE_NEWNET could potentially cause the issue to be triggered.

[1] http://www.openwall.com/lists/oss-security/2011/06/06/10

--
Steve Beattie <[email protected]>
http://NxNW.org/~steve/
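A small audit helper written for this thread (it is not code from vsftpd, Ubuntu or any of the posters) that checks the two conditions discussed above: whether the running kernel was built with CONFIG_NET_NS, and whether vsftpd.conf still leaves isolate_network enabled. It assumes vsftpd's strict `key=value` syntax, that `isolate_network` defaults to YES as the thread implies, and that a later line overrides an earlier one.

```python
import re
# Constructed sample inputs (not from the thread): a vsftpd.conf that leaves
# isolate_network at its default, and one that applies the suggested setting.
VSFTPD_CONF_DEFAULT = """\
# vsftpd.conf (constructed example)
listen=YES
anonymous_enable=YES
"""
VSFTPD_CONF_HARDENED = VSFTPD_CONF_DEFAULT + "isolate_network=NO\n"

# Constructed kernel config fragments (/boot/config-$(uname -r) style lines).
KCONFIG_WITH_NETNS = "CONFIG_NAMESPACES=y\nCONFIG_NET_NS=y\n"
KCONFIG_WITHOUT_NETNS = "CONFIG_NAMESPACES=y\n# CONFIG_NET_NS is not set\n"

_TRUE = {"yes", "true", "1"}
_FALSE = {"no", "false", "0"}

def vsftpd_option(conf_text, name, default):
    """Effective boolean value of a vsftpd.conf option (assumed syntax:
    'key=value' lines, '#' comments, YES/NO/TRUE/FALSE/1/0 in any case,
    last occurrence wins; unset means `default`)."""
    value = default
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key != name:
            continue
        v = val.strip().lower()
        if v in _TRUE:
            value = True
        elif v in _FALSE:
            value = False
        else:
            raise ValueError(f"bad boolean for {name}: {val!r}")
    return value

def kernel_has_net_ns(kconfig_text):
    """True only for CONFIG_NET_NS=y; '# CONFIG_NET_NS is not set' or absent is False."""
    return re.search(r"^CONFIG_NET_NS=y$", kconfig_text, re.M) is not None

def netns_per_connection(conf_text, kconfig_text):
    """True when an unprivileged FTP client connection can still trigger a new
    network namespace: kernel provides them and isolate_network is enabled."""
    return kernel_has_net_ns(kconfig_text) and vsftpd_option(
        conf_text, "isolate_network", default=True)
```

On a real host, feed it the contents of /etc/vsftpd.conf and /boot/config-$(uname -r); a True result on a lucid kernel is the exposure the thread describes, and isolate_network=NO clears it without rebuilding the kernel.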
--
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
