lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <201111210157.pAL1vbRo089486@www262.sakura.ne.jp>
Date:	Mon, 21 Nov 2011 10:57:37 +0900
From:	Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To:	ebiederm@...ssion.com
Cc:	netdev@...r.kernel.org
Subject: Re: [PATCH for 2.6.32 (untested)] netns: Add quota for number of NET_NS instances.

Eric W. Biederman wrote:
> Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp> writes:
> 
> > In order to solve below problems, can we add sysctl variable for
> > restricting number of NET_NS instances?
> 
> I don't have any particular problems with patch but I don't think it
> will result in a working system that is easy to keep working.  Tuning
> static limits can be fickle.

What I worry is that, although clone() is an operation that is allowed to
sleep, waiting for too long might be annoying for users, especially when the
user cannot easily send Ctrl-C or SIGKILL. (I think ftp client is an example.)

> My inclination in this case the practical fix is that during network
> namespace allocation someone take a look at the cleanup_list.  See
> that there is ongoing cleanup activity, and wait until at least one
> network namespace has cleaned up.  Perhaps by creating a work struct
> and waiting for it to cycle through the netns workqueue.

Are you suggesting that we should wait only when "the number of NET_NS
instances exceeded quota" and "there is a dead NET_NS instance"?
In other words, let clone() fail immediately if "the number of NET_NS
instances exceeded quota" but "cleanup_list is empty"?

If you are suggesting that we should always wait until "the number of NET_NS
instances becomes smaller than quota", clone() might sleep too long when the
user cannot easily send signals.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ