The road so far….

August 22, 2014

Limiting Fork Bomb in Docker

Filed under: Linux — Rahul Sharma @ 12:55 pm

Docker is a great tool for experimenting and learning. If you haven't tried it yet, do give it a try! You can play inside it without messing up your own system. We can also build limits into the container so that the host is not badly affected if the container goes berserk. While it was easy to put limits on memory and CPU utilization, over the last few days I spent a major amount of time figuring out how to handle a fork bomb.
There are various mechanisms (cgroups, pam_limits) for limiting resources in Linux, and both offer a way to contain a fork bomb. With cgroups we have to set *memory.kmem.limit_in_bytes* (limits the memory available to the kernel); with pam_limits we need to set *nproc* (limits the number of processes for a user). The cgroups option is not yet supported in Docker, so I will list the steps to limit using pam_limits (nproc).

Stop the Docker daemon. On Ubuntu 14.04 we can do this by:

 sudo service docker.io stop

Append the limits to the daemon's upstart job configuration. The file we are amending is /etc/init/docker.io.conf. Add the limits to the end of the file, after the script block. Besides nproc I have added limits for file size and file descriptors:

........................
"$DOCKER" -d $DOCKER_OPTS
end script
limit nproc 20 100
limit nofile 50 100
limit fsize 102400000 204800000

Start the Docker daemon. On Ubuntu 14.04 we can do this by:

 sudo service docker.io start
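
The three steps above amount to one edit of the upstart job file. As an added example (not code from the original post), the script below appends the three `limit` stanzas shown above to a docker.io.conf-style job without duplicating them on a second run, checks that none of them landed inside the `script ... end script` block (upstart treats `limit` as a job-level stanza), and reads the values back. The job file it edits is a constructed stand-in created with mktemp, not the real /etc/init/docker.io.conf.

```shell
#!/bin/sh
# Added example, not from the original post: append the post's three upstart
# "limit" stanzas to a docker.io.conf-style job file idempotently and read them
# back. Assumes the job keeps its daemon command in a "script ... end script"
# block, as the snippet on the page shows.

# Stanzas exactly as the post adds them: limit <resource> <soft> <hard>
DOCKER_LIMIT_STANZAS='limit nproc 20 100
limit nofile 50 100
limit fsize 102400000 204800000'

# add_docker_limits CONF: append every stanza whose resource is not yet limited.
# "limit" is a job-level stanza, so it must not sit inside script/end script;
# appending at the end of the file keeps it outside the block.
add_docker_limits() {
    conf="$1"
    printf '%s\n' "$DOCKER_LIMIT_STANZAS" | while IFS= read -r stanza; do
        res=$(printf '%s\n' "$stanza" | awk '{print $2}')
        if grep -q "^limit $res " "$conf"; then
            continue            # already limited: leave the existing values alone
        fi
        printf '%s\n' "$stanza" >> "$conf"
    done
}

# conf_limit CONF RESOURCE: print "soft hard" for one resource (empty if absent).
conf_limit() {
    awk -v r="$2" '$1 == "limit" && $2 == r {print $3, $4}' "$1"
}

# limits_outside_script CONF: succeed only when no "limit" line is inside a
# script/end script block, which upstart would reject.
limits_outside_script() {
    awk '
        $1 == "script"                { inscript = 1 }
        $1 == "end" && $2 == "script" { inscript = 0 }
        $1 == "limit" && inscript     { bad = 1 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed stand-in for /etc/init/docker.io.conf (not the real file).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
description "Docker daemon"
start on filesystem
stop on runlevel [!2345]
respawn
script
    DOCKER=/usr/bin/docker.io
    "$DOCKER" -d $DOCKER_OPTS
end script
EOF

add_docker_limits "$SAMPLE_CONF"
add_docker_limits "$SAMPLE_CONF"   # running twice must not add duplicates
echo "nproc soft/hard: $(conf_limit "$SAMPLE_CONF" nproc)"
echo "limit lines in job file: $(grep -c '^limit ' "$SAMPLE_CONF")"
```

Point `add_docker_limits` at the real job file (as root, with the daemon stopped) and the result is the same three lines the post appends by hand; the second value of each stanza is the hard limit, which an unprivileged process inside the container cannot raise, so keep it even if you only care about the soft value.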

Now the limits are available in Docker containers, BUT only when we are logged in as a non-root user. I have taken the ubuntu image and added a user in the following Dockerfile.

# Pull the base image.
FROM ubuntu:trusty

# Maintainer details.
MAINTAINER self

# Create an unprivileged user with a home directory and a bash login shell.
# Note: useradd -p expects an already-encrypted (crypt(3)) password, so the
# literal "myuser" leaves the account without a usable password; that is fine
# here because "docker run -u myuser" needs no password.
RUN useradd -m -d /home/myuser -p myuser myuser && chsh -s /bin/bash myuser

# Set the working directory.
WORKDIR /home/myuser

# Run a terminal (left commented out; the shell is passed on the docker run line).
#CMD ["/bin/bash"]

Save the file as "Dockerfile" and build an image from it:

docker build -t ubuntu-user .

Now log into the container as *myuser*:

docker run -it -u myuser ubuntu-user /bin/bash

You can see the limits using the *ulimit -a* command:

..............
open files (-n) 50
pipe size (512 bytes, -p) 8
stack size (kbytes, -s) 8192
cpu time (seconds, -t) 60
max user processes (-u) 20
...................
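
Checking that the limits were really inherited, as an added example that is not part of the original post: instead of reading `ulimit -a` by eye, the script below parses the kernel's /proc/<pid>/limits table, which inside the container would be /proc/1/limits (what every child of the container's init inherits) or /proc/self/limits; Linux is assumed. It runs here against two constructed samples, one with the post's values and one as a daemon without the stanzas would produce it, so it works offline. `ulimit -a` only shows the shell's soft limits; /proc shows soft and hard side by side.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the nproc/nofile/fsize
# limits configured for the Docker daemon reached the container by reading the
# /proc/<pid>/limits table. Inside a container use /proc/1/limits or
# /proc/self/limits (Linux assumed); the two files below are constructed samples.

# proc_limit FILE NAME: print "soft hard" for a row such as "Max processes".
# The name column may contain spaces, so strip it by prefix and take the next two
# fields; values never contain spaces (a number or "unlimited").
proc_limit() {
    sed -n "s/^$2  *//p" "$1" | awk 'NR == 1 {print $1, $2}'
}

# check_container_limits FILE: return 0 when every row matches the values the
# post configures ("limit nproc 20 100", "limit nofile 50 100",
# "limit fsize 102400000 204800000"); print each mismatch and return 1 otherwise.
check_container_limits() {
    file="$1"
    rc=0
    # Expected rows, constructed from the post's stanzas: name|soft|hard
    for row in 'Max processes|20|100' 'Max open files|50|100' \
               'Max file size|102400000|204800000'; do
        name=${row%%|*}
        rest=${row#*|}
        soft=${rest%%|*}
        hard=${rest#*|}
        got=$(proc_limit "$file" "$name")
        if [ "$got" != "$soft $hard" ]; then
            echo "MISMATCH: $name expected '$soft $hard' got '${got:-<missing>}'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: /proc/1/limits of a container whose daemon carries the stanzas.
LIMITED=$(mktemp)
cat > "$LIMITED" <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max file size             102400000            204800000            bytes
Max stack size            8388608              unlimited            bytes
Max processes             20                   100                  processes
Max open files            50                   100                  files
Max nice priority         0                    0
EOF

# Constructed sample: the same table from a daemon started without the stanzas.
UNLIMITED=$(mktemp)
cat > "$UNLIMITED" <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max file size             unlimited            unlimited            bytes
Max processes             unlimited            unlimited            processes
Max open files            1048576              1048576              files
EOF

if check_container_limits "$LIMITED"; then
    echo "limited sample: all three limits present"
fi
check_container_limits "$UNLIMITED" || echo "unlimited sample: limits NOT applied"
```

Run `check_container_limits /proc/1/limits` from a shell started with `docker run -u myuser` to confirm the daemon's stanzas reached the container; a row reporting `unlimited` means the daemon was started without them or the process is running as root, which the post notes is not covered by the limit.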

Now we can test a fork bomb inside the container.

 :(){ :|:& };:

New processes will not be allowed once the limit is reached, and bash prints the following:

bash: fork: retry: Resource temporarily unavailable
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes.....................

The host should still respond, and we can use *docker kill* to kill the container.


4 Comments »

  1. How could you use the -u parameter? Does docker provide this option for us, or have you modified docker?

    Comment by Cha — June 16, 2015 @ 12:22 pm

  2. nproc limits number of processes per user (UID) instead of per session or per container. Keep that in mind. More details are available in these issues on docker github: https://github.com/docker/docker/issues/12695 https://github.com/docker/docker/issues/6479

    Comment by Vlad — July 5, 2015 @ 11:37 am

  3. […] fair (or guaranteed) resource allocation. It can be tricky to learn. Fork bomb attacks have been known to work on Docker, but work has been done on […]

    Pingback by Hitler Uses Docker, Annotated | zwischenzugs — April 12, 2016 @ 1:31 pm

