# Jails and resource limits



## tanked (Jul 18, 2011)

Hello, I'm currently experimenting with jails and was wondering about per-jail resource limits; I know there is a project to implement this but as far as I can tell it is currently stalled. If an attacker could break into a jail and from there starve the host system, and any other jails running on it, of resources, then is this not a rather large hole in the current implementation of jails? I suppose it can be mitigated with login classes for users but that's not entirely satisfactory. Any comments welcome.


----------



## fbsd1 (Jul 22, 2011)

Directory-based jails share disk space with the host, and if an attacker compromised a jail he could run a job to create files consuming disk space until it choked the host to death. There is a simple fix to this: create your directory jail in a sparse file. Qjail has a jail create option to do this for you automatically.


----------



## tanked (Jul 24, 2011)

Thank you, but I was thinking of something more along the lines of someone breaking into a jail and exhausting the memory and CPU resources of both the jail and host systems - or is this not possible from inside a jail?


----------



## mk (Jul 24, 2011)

Create a jail login class in /etc/login.conf; for every jail add a user, and add every jail user to that class. Enforce disk quotas per user, not by group.


----------
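An added example, not part of mk's post or of any FreeBSD tool: a POSIX sh/awk check that reads a login.conf and reports which of `cputime`, `memoryuse` and `maxproc` a given login class leaves unbounded. The function names, the class names `jailweb` and `jailmail`, and the sample values are constructed for illustration.

```shell
# Added example (not from the thread): list the limits a login.conf class leaves unbounded.
# Assumption: only the class's own entry is read; a limit missing there is reported because
# the stock "default" class it would inherit through tc= sets these to unlimited.
# usage: unbounded_limits CLASS < login.conf   (exit status 2 if CLASS is not found)
unbounded_limits() {
    awk -v class="$1" -v limits="cputime memoryuse maxproc" '
    function parse(r,   n, f, i, names, eq, k, v, hit) {
        if (seen) return                          # first matching entry wins
        n = split(r, f, ":")
        split(f[1], names, "|")                   # entry head is name|alias|...
        for (i in names) if (names[i] == class) hit = 1
        if (!hit) return
        seen = 1
        for (i = 2; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", f[i])
            eq = index(f[i], "=")
            if (eq == 0) continue
            k = substr(f[i], 1, eq - 1); v = substr(f[i], eq + 1)
            if (k ~ /-cur$/) continue             # soft limit only: the user can raise it
            sub(/-max$/, "", k)
            if (v !~ /^(unlimited|unlimit|infinity|inf)$/) capped[k] = 1
        }
    }
    /^[ \t]*#/ { next }                           # comment line
    {
        more = ($0 ~ /\\$/)                       # trailing backslash continues the entry
        sub(/\\$/, "")
        rec = rec $0
        if (!more) { parse(rec); rec = "" }
    }
    END {
        if (rec != "") parse(rec)
        if (!seen) exit 2
        n = split(limits, want, " ")
        for (i = 1; i <= n; i++) if (!(want[i] in capped)) print want[i]
    }'
}
# Constructed sample in login.conf(5) syntax; class names and values are illustrative.
sample_login_conf() {
    cat <<'EOF'
default:\
    :cputime=unlimited:memoryuse=unlimited:maxproc=unlimited:
jailweb:\
    :cputime=1h:memoryuse=256M:maxproc=64:tc=default:
jailmail|mail:\
    :memoryuse=unlimited:maxproc-cur=128:tc=default:
EOF
}
for c in jailweb jailmail; do sample_login_conf | unbounded_limits "$c" | sed "s/^/$c: /"; done
```

On a real host the function would be fed `/etc/login.conf`; after editing that file, `cap_mkdb /etc/login.conf` rebuilds the database the system actually reads.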



## allanjude@ (Jul 24, 2011)

You can somewhat limit a jail by adjusting its cpuset, by only allowing each jail to use a specific subset of your cpus/cores, you can prevent any one jail from dominating 100% of your system.

For more on Jail Resource Limits, see the Google SoC page http://wiki.freebsd.org/JailResourceLimits


----------



## manefesto (Jul 25, 2011)

Do jail limits work now?
When will the project be brought to a final state?


----------



## tanked (Jul 25, 2011)

nearsourceit said:

> You can somewhat limit a jail by adjusting its cpuset, by only allowing each jail to use a specific subset of your cpus/cores, you can prevent any one jail from dominating 100% of your system.
> 
> For more on Jail Resource Limits, see the Google SoC page http://wiki.freebsd.org/JailResourceLimits



That only works if you have a machine with multiple cores instead of the crappy Pentium 3 800MHz that I have. Also, I looked at the following link, which seems to suggest the effort to implement proper resource limits is stalled:

http://wiki.freebsd.org/Jails

As I initially suspected, resource limiting measures will have to be done with a combination of login classes and CPU core affinity settings (if you have a multicore machine).

EDIT: Hierarchical resource limits, merged into CURRENT, can also apply to jails, so it looks like proper jail resource limits will be available in FreeBSD 9:

http://wiki.freebsd.org/Hierarchical_Resource_Limits


----------



## minimike (Jul 26, 2011)

For hierarchical resource limits, are there some patches for 8.2-RELENG available?

cheers
Darko


----------



## SirDice (Jul 26, 2011)

Probably not yet, but patches like these tend to get MFC'ed after a while.


----------

