RE: [Xen-users] Re: malicious paravirtualized guests: securityandisolation
> > > Is there a limit on the amount of data you can write to the xenstore?
> > Overflowing some limit in xenstore could be one method of causing a
> > crash.
>
> That's funny, I was just trying to find where these were set when
> xenstored is started:
>
>
> --entry-nb <nb> limit the number of entries per domain,
> --entry-size <size> limit the size of entry per domain, and
> --entry-watch <nb> limit the number of watches per domain,
> --transaction <nb> limit the number of transaction allowed per domain,
>
> So if the number of entries per domain (plus size per entry) can be
> limited .. it seems that at least --entry-size is not being enforced?
>
> If it were, the only way to overflow the store would be from dom-0,
> creating infinite domain entries @ xx bytes each until it exploded.
>
> Argh, I wish I was better with Python.
>

When testing save/restore under GPLPV, I created some scripts which do save + restore on a loop and left them running for days. Domain IDs in the thousands were common during those tests.

It appears that in some DomU failure cases, xenstore entries are not being cleaned up properly. With enough cruft in there, xenstore operations start to take a loooong time... operations that should take seconds were taking minutes. A reboot fixed it up of course, but it's not really ideal. That was under 3.1.x though, so those leaks may have been fixed since then.

It sounds like someone has at least thought about per-domain xenstore limits though, which is encouraging.

James

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
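
One way an operator could check for the leftover entries and oversized values discussed in this thread, as an added example that is not part of the original messages or of Xen's own code. It assumes a dump in the `path = "value"` form printed by `xenstore-ls -f`, a caller-supplied set of live domain IDs, and constructed limit values named after the `--entry-nb` and `--entry-size` options quoted above; the `audit` function and sample data are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the `path = "value"` form printed by `xenstore-ls -f`.
SAMPLE_DUMP = "\n".join([
    '/local/domain/0/name = "Domain-0"',
    '/local/domain/0/memory/target = "524288"',
    '/local/domain/2041/name = "winxp-gplpv"',
    '/local/domain/2041/device/vbd/768/state = "4"',
    '/local/domain/2041/data/blob = "' + "A" * 40 + '"',
    '/local/domain/1987/device/vif/0/state = "6"',
    '/local/domain/1987/device/vbd/768/state = "6"',
    '/vm/1b2c/name = "winxp-gplpv"',
])

LINE_RE = re.compile(r'^/local/domain/(\d+)(?:/\S*)? = "(.*)"$')

def audit(dump, live_domids, entry_nb, entry_size):
    """Per-domid entry count, largest value length and flags.

    Assumption: entries are attributed by path under /local/domain/<domid>,
    an operator-visible approximation of xenstored's own accounting.
    """
    count = defaultdict(int)
    largest = defaultdict(int)
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # nodes outside /local/domain/<domid> are not attributed
        domid = int(m.group(1))
        count[domid] += 1
        largest[domid] = max(largest[domid], len(m.group(2)))
    report = {}
    for domid in sorted(count):
        flags = []
        if domid not in live_domids:
            flags.append("stale")  # left behind by a domain that no longer exists
        if count[domid] > entry_nb:
            flags.append("over-entry-nb")
        if largest[domid] > entry_size:
            flags.append("over-entry-size")
        report[domid] = (count[domid], largest[domid], flags)
    return report

if __name__ == "__main__":
    # Limits and the live-domain set are constructed values for the sample.
    result = audit(SAMPLE_DUMP, {0, 2041}, entry_nb=2, entry_size=32)
    for domid, row in result.items():
        print(domid, *row)
```
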