CONFIG_NET_NS
Serge Hallyn
serge.hallyn at canonical.com
Mon Jun 6 16:30:08 UTC 2011
Quoting Tim Gardner (tim.gardner at canonical.com):
> On 06/01/2011 12:57 PM, Serge Hallyn wrote:
> >Hi,
> >
> >vsftpd spawns a network namespace in response to each client connection.
> >Lucid kernel is slow to release network namespaces, which results, in
> >bug 720095, in an easy remote DOS. The maverick kernel has a fix for
> >this, but it is hard to cherrypick.
> >
> >The bug was resolved by compiling the lucid kernel without
> >CONFIG_NET_NS. I'm emailing to ask that we reconsider that solution.
> >
> >Turning off CONFIG_NET_NS prevents libvirt from creating all containers
> >(lxc:///), and prevents lxc from creating most useful containers,
> >resulting in bug 790863. There is the workaround of installing the
> >backported kernel, but I don't believe that will satiate users who
> >really want LTS stability. For those users, we are effectively telling
> >them that they cannot use containers until 12/04.
> >
>
> What is wrong with suggesting the use of LTS backported kernels? The
> UDS decision to support these kernels until the next LTS should
> provide the same level of stability. We (the kernel team) are very
I guess that depends on how LTS customers feel about "potential of
regressions, but supported" versus "the only updates will be security
updates."
I hadn't realized that the LTS backported kernels are supported. I
thought it was less formal than that.
I'll leave it sit here, then. Thanks again.
-serge