Jails and resource limits

Hello, I'm currently experimenting with jails and was wondering about per-jail resource limits; I know there is a project to implement this but as far as I can tell it is currently stalled. If an attacker could break into a jail and from there starve the host system, and any other jails running on it, of resources, then is this not a rather large hole in the current implementation of jails? I suppose it can be mitigated with login classes for users but that's not entirely satisfactory. Any comments welcome.
 
Directory-based jails share disk space with the host, and if an attacker compromised a jail he could run a job to create files consuming disk space until it choked the host to death. There is a simple fix to this by creating your directory jail in a sparse file. Qjail has a jail create option to do this for you automatically.
 
Thank you, but I was thinking of something more along the lines of someone breaking into a jail and exhausting the memory and CPU resources of both the jail and host systems - or is this not possible from inside a jail?
 
Create jail login class in /etc/login.conf, for every jail add user, add every jail user to that class. Enforce disk quota per user, not by group.
 
nearsourceit said:
You can somewhat limit a jail by adjusting its cpuset; by only allowing each jail to use a specific subset of your CPUs/cores, you can prevent any one jail from dominating 100% of your system.

For more on Jail Resource Limits, see the Google SoC page http://wiki.freebsd.org/JailResourceLimits

That only works if you have a machine with multiple cores instead of the crappy Pentium 3 800MHz that I have :) Also, I looked at the following link, which seems to suggest the effort to implement proper resource limits is stalled:

http://wiki.freebsd.org/Jails

As I initially suspected, resource limiting measures will have to be done with a combination of login classes and CPU core affinity settings (if you have a multicore machine :)).

EDIT: Hierarchical resource limits, merged into CURRENT, can also apply to jails, so it looks like proper jail resource limits will be available in FreeBSD 9:

http://wiki.freebsd.org/Hierarchical_Resource_Limits
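The combination the thread settles on, a login class for the per-user limits from the earlier reply, cpuset for core affinity, and the hierarchical resource limits (rctl(8)) from the edit above for per-jail memory, CPU and process caps, as one sh script. This is an added example and not something posted in the thread or taken from the FreeBSD wiki pages linked; it assumes a FreeBSD host whose kernel has RACCT/RCTL (on current releases GENERIC includes it but it is turned on with kern.racct.enable=1 in /boot/loader.conf), and the jail name "www", the login class "jailuser" and all limit values are made-up sample values. The rule grammar checked by check_rule is the subject:subject-id:resource:action=amount form documented in rctl(8); the function names are the script's own.

```shell
#!/bin/sh
# Added example, not from the thread: per-jail caps via rctl(8), a login
# class stanza for login.conf(5), and cpuset(1) pinning. Jail "www", class
# "jailuser" and the limit values below are constructed sample values.

# Emit rctl rules for one jail. Rule form: subject:subject-id:resource:action=amount
#   memoryuse - resident memory; allocations beyond the cap are denied
#   pcpu      - percent of CPU time, 100 == one full core
#   maxproc   - process count, which also bounds a fork bomb inside the jail
rctl_rules() {
    jail=$1 mem=$2 pcpu=$3 nproc=$4
    printf 'jail:%s:memoryuse:deny=%s\n' "$jail" "$mem"
    printf 'jail:%s:pcpu:deny=%s\n' "$jail" "$pcpu"
    printf 'jail:%s:maxproc:deny=%s\n' "$jail" "$nproc"
}

# Syntax check one rule before it reaches rctl -a, so a typo fails loudly
# instead of leaving the jail unlimited. Returns 0 for a well-formed rule.
check_rule() {
    rule=$1
    subject=${rule%%:*};  rest=${rule#*:}
    id=${rest%%:*};       rest=${rest#*:}
    resource=${rest%%:*}; action=${rest#*:}
    case "$subject" in process|user|loginclass|jail) ;; *) return 1 ;; esac
    [ -n "$id" ] || return 1
    case "$resource" in
        cputime|datasize|stacksize|coredumpsize|memoryuse|memorylocked|maxproc|\
        openfiles|vmemoryuse|pseudoterminals|swapuse|nthr|msgqqueued|msgqsize|\
        nmsgq|nsem|nsemop|nshm|shmsize|wallclock|pcpu|readbps|writebps|readiops|writeiops) ;;
        *) return 1 ;;
    esac
    case "$action" in
        deny=?*|log=?*|devctl=?*|sig*=?*|throttle=?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Login class stanza for /etc/login.conf (the per-user approach). After
# appending it: cap_mkdb /etc/login.conf, then pw usermod -n USER -L jailuser
login_class_stanza() {
    class=$1 mem=$2 nproc=$3
    printf '%s:\\\n' "$class"
    printf '\t:memoryuse=%s:\\\n' "$mem"
    printf '\t:maxproc=%s:\\\n' "$nproc"
    printf '\t:tc=default:\n'
}

# Validate every generated rule, then load it. rctl is only invoked where it
# exists, so the script can be dry-run on any POSIX sh host.
apply_jail_limits() {
    jail=$1
    rules=$(rctl_rules "$jail" "$2" "$3" "$4")
    for rule in $rules; do              # rules contain no whitespace
        check_rule "$rule" || { echo "bad rule: $rule" >&2; return 1; }
        if command -v rctl >/dev/null 2>&1; then
            rctl -a "$rule"
        else
            echo "would run: rctl -a $rule"
        fi
    done
}

# Core affinity as described in the quoted reply: restrict the jail (numeric
# jail id from jls(8)) to a subset of CPUs, e.g. "0-1".
pin_jail_cpus() {
    jid=$1 cpus=$2
    if command -v cpuset >/dev/null 2>&1; then
        cpuset -l "$cpus" -j "$jid"
    else
        echo "would run: cpuset -l $cpus -j $jid"
    fi
}

apply_jail_limits www 512m 50 200
pin_jail_cpus 1 0-1
login_class_stanza jailuser 256m 100
```

Because rctl limits are attached to the jail as a whole rather than to individual users, they hold even for processes the intruder starts outside any login class, which is the gap the login-class-only approach leaves open.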
 
Probably not yet but patches like these tend to get MFC'ed after a while.
 