On Thu, 2007-05-10 at 14:11 -0400, Jeff Victor wrote:

> However, this model does not solve the problem that is documented in 
> Clarkson's paper: the "out-of-the-box" experience does not protect 
> well-behaved zones from poorly-behaved zones, or a DoS attack.

I see where you are going with this Jeff, and there are some good ideas
behind all of this.   I have a great desire to rephrase your question
without the reference to zones - how well is Solaris itself
protected against the various forms of DoS attack?   Do the controls
here suggest rational defaults for zones (i.e., should we just inherit
the limits/protections from the Solaris parent)?

One area where I struggle on this issue - you have to decide between
two different corner cases (both from situations where the person
isn't committed to the documentation): would I rather deal with the
problem that an application dies for no apparent reason, or that
DoS situations can happen?

They are both corner cases right out of the Clarkson paper.   In the
first case, setting default limits could cause apps to throttle or
perhaps fail when reaching their resource cap limits.   In the next
Clarkson paper :-) this will lead to the assumption that Solaris is
either slow or unstable - of which neither is true.   So we have to
explain where the resource controls are, how to tune them, etc.
Reminds me of when we used to play with lotsfree and handspread.

In the second case, unmanaged workloads (which are simple to
administer) can become unmanageable in the presence of hostile
attacks.   And I'm assuming here that about a billion buzzers and
sirens are going to be going off from the log scrapers
(you do at least scrape logs, don't you....), which indicates there
is trouble in the neighborhood.   So it's not like this is happening
in a vacuum, and once diagnosed it should be relatively easy to restore
proper equilibrium.

Perhaps this is a case where the unintended consequences of
simplicity may have profound implications?   Said another way -
I have customers running web servers, simple network daemons, and
Oracle in zones and I have no earthly idea how to suggest a
rational set of defaults, other than inheriting those of the
Solaris parent (which takes me back to my original thought fragment -
is this really a zones issue???).


zones-discuss mailing list