CONFIG_NET_NS

Steve Beattie sbeattie at ubuntu.com
Tue Jun 7 00:13:21 UTC 2011


On Mon, Jun 06, 2011 at 11:30:08AM -0500, Serge Hallyn wrote:
> Quoting Tim Gardner (tim.gardner at canonical.com):
> > On 06/01/2011 12:57 PM, Serge Hallyn wrote:
> > >Hi,
> > >
> > >vsftpd spawns a network namespace in response to each client connection.
> > >Lucid kernel is slow to release network namespaces, which results, in
> > >bug 720095, in an easy remote DOS.  The maverick kernel has a fix for
> > >this, but it is hard to cherrypick.
> > >
> > >The bug was resolved by compiling the lucid kernel without
> > >CONFIG_NET_NS.  I'm emailing to ask that we reconsider that solution.
> > >
> > >Turning off CONFIG_NET_NS prevents libvirt from creating all containers
> > >(lxc:///), and prevents lxc from creating most useful containers,
> > >resulting in bug 790863.  There is the workaround of installing the
> > >backported kernel, but I don't believe that will satiate users who
> > >really want LTS stability.  For those users, we are effectively telling
> > >them that they cannot use containers until 12/04.
> > >
> > 
> > What is wrong with suggesting the use of LTS backported kernels? The
> > UDS decision to support these kernels until the next LTS should
> > provide the same level of stability. We (the kernel team) are very
> 
> I guess that depends on how LTS customers feel about "potential of
> regressions, but supported" versus "the only updates will be security
> updates."
> 
> I hadn't realized that the LTS backported kernels are supported.  I
> thought it was less formal than that.
> 
> I'll leave it sit here, then.  Thanks again.

It was also pointed out[1] by Chris Evans, the author of vsftpd, that
disabling the use of network namespaces by vsftpd just requires setting:

  isolate_network=NO

in vsftpd.conf.

Ah, looking at the bug report, it seems you proposed a patch to vsftpd to
turn off network isolation (i.e. use of CLONE_NEWNET) by default for
lucid, but then didn't pursue that any further. Perhaps that's the way
forward: disable it by default in vsftpd there, and look for additional
sources in the lucid archive that allow a new network namespace to
be triggered by an unprivileged user (as vsftpd does here). The only
downside would be that anything outside of the archive that made use of
CLONE_NEWNET could potentially cause the issue to be triggered.

[1] http://www.openwall.com/lists/oss-security/2011/06/06/10

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
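As an added example, not part of this thread or of vsftpd itself: a small POSIX shell check that reports the effective isolate_network value of a vsftpd.conf (the setting discussed above) and whether a kernel config file enables CONFIG_NET_NS, so an admin can confirm which of the two mitigations is actually in force on a host. It assumes vsftpd's built-in default for isolate_network is YES (per its man page) and that the kernel config is available at a path such as /boot/config-$(uname -r); the sample configuration contents are constructed.

```shell
#!/bin/sh
# Print the effective isolate_network value for a vsftpd.conf.
# Rules applied: '#' lines are comments, the last matching key wins,
# no whitespace around '=' (vsftpd rejects it), values compared
# case-insensitively. Assumed built-in default: YES.
vsftpd_isolate_network() {
  conf="$1"
  value="YES"   # vsftpd default when the key is absent (assumption)
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      \#*|'') continue ;;
      isolate_network=*)
        v=$(printf '%s' "${line#isolate_network=}" | tr '[:lower:]' '[:upper:]')
        case "$v" in
          YES|TRUE|1) value="YES" ;;
          NO|FALSE|0) value="NO" ;;
        esac ;;
    esac
  done < "$conf"
  printf '%s\n' "$value"
}

# Return 0 if the given kernel config file enables network namespaces.
# Example path on a running system: /boot/config-$(uname -r)
kernel_has_net_ns() {
  grep -qx 'CONFIG_NET_NS=y' "$1"
}

# Constructed sample inputs; not files taken from any real system.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
# constructed vsftpd.conf fragment: isolation left at its default
listen=YES
anonymous_enable=YES
#isolate_network=NO
EOF

fixed_conf=$(mktemp)
cat "$sample_conf" > "$fixed_conf"
printf 'isolate_network=NO\n' >> "$fixed_conf"   # the mitigation from the thread

echo "stock config: isolate_network=$(vsftpd_isolate_network "$sample_conf")"
echo "fixed config: isolate_network=$(vsftpd_isolate_network "$fixed_conf")"
```

On a real host, pass /etc/vsftpd.conf and /boot/config-$(uname -r) to the two functions to see whether namespace creation via vsftpd is still reachable.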