On Thu, 2007-05-10 at 14:11 -0400, Jeff Victor wrote:
> However, this model does not solve the problem that is documented in
> Clarkson's paper: the "out-of-the-box" experience does not protect
> well-behaved zones from poorly-behaved zones, or a DoS attack.

I see where you are going with this Jeff, and there are some good ideas behind all of this. I have a great desire to rephrase your question without the reference to zones - how well is Solaris itself protected against the various forms of DoS attack? Do the controls here suggest rational defaults for zones (i.e., should we just inherit the limits/protections from the Solaris parent)?

One area where I struggle on this issue - you have to decide between two different corner cases (both from situations where the person isn't committed to the documentation): would I rather deal with a problem that an application dies for no apparent reason or that DoS situations can happen? They are both corner cases right out of the Clarkson paper.

In the first case, setting default limits could cause apps to throttle or perhaps fail when reaching their resource cap limits. In the next Clarkson paper :-) this will lead to the assumption that Solaris is either slow or unstable - of which neither is true. So we have to explain where the resource controls are, how to tune them, etc. Reminds me of when we used to play with lotsfree and handspread.

In the second case, unmanaged workloads (which are simple to administer) can become unmanageable in the presence of hostile attacks. And I'm assuming here that about a billion buzzers and sirens are going to be going off from the log scrapers (you do at least scrape logs, don't you....) which indicates there is trouble in the neighborhood. So it's not like this is happening in a vacuum and once diagnosed should be relatively easy to restore proper equilibrium.

Perhaps this is a case where the unintended consequences of simplicity may have profound implications?

Said another way - I have customers running web servers, simple network daemons, and Oracle in zones and I have no earthly idea how to suggest a rational set of defaults, other than inheriting those of the Solaris parent (which takes me back to my original thought fragment - is this really a zones issue???).

Bob

_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org