Bug 68781 - [LXC] Shape "/dev/random" bandwidth
Status: NEW
Alias: None
Product: Other
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: P1 normal
Assignee: other_other
Reported: 2014-01-16 07:42 UTC by Dmitry Yu Okunev
Modified: 2020-07-20 07:48 UTC
Kernel Version: 3.10.11, 3.9.5
Regression: No

Description Dmitry Yu Okunev 2014-01-16 07:42:12 UTC
Hello.

I've faced an isolation problem between LXCs.

I understand that every LXC is using the same entropy source with "/dev/random". But its bandwidth (bytes per second) is very limited. So it's possible to block "/dev/random" from any container that is permitted to read it. I mean that it's possible to run 10000 "cat /dev/random" processes from an LXC and that will block "/dev/random" for the host system and the other LXCs on the host.

Here's an example:

Container X:
# dd if=/dev/random of=/dev/null bs=1 count=100
100+0 records in
100+0 records out
100 bytes (100 B) copied, 10.4023 s, 0.0 kB/s

Container Y:
# cat /dev/random& cat /dev/random& cat /dev/random& cat /dev/random& cat /dev/random& cat /dev/random&

Container X:
# dd if=/dev/random of=/dev/null bs=1 count=100
100+0 records in
100+0 records out
100 bytes (100 B) copied, 61.9266 s, 0.0 kB/s

As you can see, the speed of "/dev/random" was decreased by a factor of 6.
In a similar manner it may be decreased by a factor of 10000 or even more. This may be used for DoS attacks on services (SSH and others) on neighboring containers.


So, IMHO, there should be some kind of "/dev/random" bandwidth shaper between LXCs. If the sysadmin is able to set up a bandwidth limit (with borrowing support on idle) for "/dev/random" for every container, it will be secure enough.


P.S.: Sorry for my English.
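
The policy the report asks for (a per-container limit on "/dev/random" with borrowing when other containers are idle), as an added example that is not part of the original report and is not kernel or LXC code. The function name shape_tick, the per-tick model and all byte counts are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical per-tick shaper: hand out `pool` bytes of entropy to n containers.
 * demand[i]     bytes container i wants to read this tick
 * guaranteed[i] bytes reserved for container i (sum should not exceed pool)
 * grant[i]      output: bytes container i is allowed to read
 * Returns the number of bytes nobody asked for. */
unsigned shape_tick(const unsigned *demand, const unsigned *guaranteed,
                    unsigned *grant, size_t n, unsigned pool)
{
    unsigned left = pool;
    size_t i;
    int progress = 1;

    /* Pass 1: each container gets its demand, capped at its reservation. */
    for (i = 0; i < n; i++) {
        grant[i] = demand[i] < guaranteed[i] ? demand[i] : guaranteed[i];
        if (grant[i] > left)
            grant[i] = left;   /* defensive: reservations oversubscribed */
        left -= grant[i];
    }

    /* Pass 2: borrowing. Unused reservations are lent out one byte at a
     * time, round-robin, to containers that still have unmet demand. */
    while (left > 0 && progress) {
        progress = 0;
        for (i = 0; i < n && left > 0; i++) {
            if (grant[i] < demand[i]) {
                grant[i]++;
                left--;
                progress = 1;
            }
        }
    }
    return left;
}

int main(void)
{
    /* Constructed scenario: 10 bytes per tick; X reads a little, Y floods, Z is idle. */
    unsigned demand[3] = { 3, 10000, 0 };
    unsigned guaranteed[3] = { 4, 3, 3 };
    unsigned grant[3];
    unsigned left = shape_tick(demand, guaranteed, grant, 3, 10);

    printf("X=%u Y=%u Z=%u unused=%u\n", grant[0], grant[1], grant[2], left);
    return 0;
}
```

With these constructed numbers the flooding container Y borrows only what X and Z leave unused (7 of 10 bytes), while X still receives all 3 bytes it asked for.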
