|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] xenconsoled CPU denial of service problem
I was examining what would happen if I ballooned a guest down to 15 MB in size, and besides the obvious (kernel kills everything in sight :-), I found a non-trivial CPU denial of service problem with xenconsoled. When I ballooned the guest down the DomU kernel went mental printing out Out of Memory: Kill process 2 (migration/0) score 0 and children. Out of Memory: Kill process 2 (migration/0) score 0 and children. Out of Memory: Kill process 2 (migration/0) score 0 and children. Out of Memory: Kill process 2 (migration/0) score 0 and children. ..... over & over again, as fast as it could - using 100% of CPU time allocated to that DomU by the schedular. This isn't a problem in itself because with sensible schedular settings the impact on other DomU's would be minimal. The problem is that at the same time, xenconsoled consumes 100% of the CPU time available to Domain-0 trying to read the console data generated by the DomU OS. It is processing the console data from DomU, even though there are no (xm console) client sessions with the slave end of the Psuedo-TTY open. Now the particular ballooning scenario I used falls under the "don't do that then" category, but more generally this is still a problem. Any DomU OS can inflict a CPU denial of service attack on Domain-0 (and thus other Dom-U) simply by generating a huge quantity of data on its (serial) console - either accidentally, or maliciously I've been looking at the the xenconsoled source to see if there's any way this can be resolved. With no xm console clients attached, the xenconsoled is spinning select(10, [5 6 7 8 9], [6], NULL, NULL) = 1 (in [5]) read(5, "\24\0\0\0", 4) = 4 mremap(0x2aaaaaac0000, 1052672, 1052672, MREMAP_MAYMOVE) = 0x2aaaaaac0000 ioctl(5, EVIOCGKEYCODE, 0x7fffc89a1f50) = 0 mremap(0x2aaaaaac0000, 1052672, 1052672, MREMAP_MAYMOVE) = 0x2aaaaaac0000 write(5, "\24\0\0\0", 4) = 4 Which corresponds to handle_ring_read() in tools/console/daemon/io.c What I'd like to do is figure out a way to avoid processing the ring buffer if there are is no client connected to the /dev/pts/NNN slave tty associated with the domain. I tried to detect presence of a client by adding the master TTY filehandle to the writefds set in select(), but it appears the master end of a tty is signalled writable even if the other end is disconnected. Does anyone know of any alternative approach to detecting whether the fd for the master end of a psuedo-TTY, has a its end slave open / active ? Without being able to detect this I don't see any good way to avoid the DOS attack in the general case - only other option would be to start dropping data once > a certain rate, but this isn't really very desirable because there are (debug) scenarios in which you really do want the ability to capture all data. Dan. -- |=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=| |=- Perl modules: http://search.cpan.org/~danberr/ -=| |=- Projects: http://freshmeat.net/~danielpb/ -=| |=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=| _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |