Re: [Xen-devel] XSA-180 follow-up: repurpose xenconsoled for logging
On Tue, Jun 07, 2016 at 10:57:14AM +0100, George Dunlap wrote:
> On 06/06/16 16:48, Wei Liu wrote:
> >> A distro which isn't equipped to deal with these things is of no
> >> practical use in the real world.
> >>
> >> Any distro we care about supporting is equipped to deal with logs.
> >>
> >>>
> >>> I agree that if logging using existing logging systems were workable,
> >>> that would be a better solution. Wei did actually spend a decent chunk
> >>> of time looking at other options, including logrotate and journald
> >>> before settling on using xenconsoled.
> >>>
> >>> A lot of this brainstorming and discussion happened off-list because
> >>> XSA-180 was still embargoed, so I can understand why it looks like this
> >>> came out of nowhere. It would probably be good for Wei to report here
> >>> what he found and why he decided to propose this solution instead.
> >>
> >> Please do. Until there is an understanding of why the standard
> >> mechanisms are not suitable, it is premature and naive to re-invent a
> >> wheel.
> >>
> >
> > With syslog and logrotate you will still end up filling up your disk.
> > Logrotate can't actively rotate log files.
>
> FWIW CentOS 6 and 7 (which use rsyslogd and systemd-journald
> respectively) seem to have rate-limiting stuff enabled by default; the
> attached program causes a lot of CPU utilization, but no disk resource
> exhaustion.
>

Not rate-limited on a Debian Jessie installation.

We can make a recommendation that system administrators should rate-limit
syslog. But CPU utilisation is also bad, just a different kind of "bad"
from disk exhaustion.

> > You can't just tap syslog to QEMU at the moment unless you use the
> > script I sent to XSA-180 security@ discussion. That's still a hacked up
> > solution.
> >
> > I actually don't mind having syslog deal with those, but we need to
> > provide some not-so-hacked-up way for doing it.
>
> On Linux, it looks like you can create a socket and "connect" to /dev/log.
> That's the standard interface to syslog.

I believe that's what openlog() and syslog() use.

We can open a socket and write to that, but you won't get what you want
without providing the correctly formatted message.

Try with:

  sudo socat /dev/log STDIN

Wei.

> -George
>
> #include <stdio.h>   /* perror() */
> #include <syslog.h>
> #include <time.h>
>
> int main(int argc, char * argv[]) {
>     int rc;
>
>     /* Sleep 5000 ns between messages */
>     struct timespec tv = { .tv_nsec = 5000 };
>
>     openlog("DoS Attempt", 0, LOG_DAEMON);
>
>     /* Log continuously until nanosleep() fails */
>     while(!(rc = nanosleep(&tv, NULL))) {
>         syslog(LOG_ERR, "This is a nasty attempt to DoS syslog\n");
>     }
>
>     if(rc) {
>         perror("nanosleep");
>     }
> }

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
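
The remark above that a raw write to /dev/log needs a correctly formatted message, shown as an added example that is not code from this thread or from the Xen project: it builds the `<PRI>timestamp tag[pid]: msg` frame that glibc's syslog() writes for local delivery, and gates the sender with a token bucket so a noisy source is dropped before it reaches the daemon. The function names, the `qemu-log` tag, the bucket limits and the datagram-socket assumption for /dev/log are all hypothetical choices made for the illustration.

```c
/* Added example (hypothetical names); assumes /dev/log is a datagram socket. */
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <syslog.h>
#include <sys/socket.h>
#include <sys/un.h>
/* Token bucket: up to `burst` messages at once, refilled at `rate` per second. */
struct bucket { double tokens, rate, burst, last; };
int bucket_allow(struct bucket *b, double now) {
    b->tokens += (now - b->last) * b->rate;
    if (b->tokens > b->burst) b->tokens = b->burst;
    b->last = now;
    if (b->tokens < 1.0) return 0;   /* over the limit: caller drops the line */
    b->tokens -= 1.0;
    return 1;
}

/* Build "<PRI>Mmm dd hh:mm:ss tag[pid]: msg", where PRI = facility | severity.
 * Returns the frame length, or -1 if it does not fit in buf. */
int format_frame(char *buf, size_t len, int pri, const char *tag,
                 long pid, const char *msg, time_t now) {
    char stamp[32];
    struct tm *tm = localtime(&now);
    if (!tm || !strftime(stamp, sizeof stamp, "%b %e %H:%M:%S", tm)) return -1;
    int n = snprintf(buf, len, "<%d>%s %s[%ld]: %s", pri, stamp, tag, pid, msg);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Send one frame to the local syslog socket; returns 0 on success. */
int send_frame(const char *frame, size_t n) {
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    strncpy(sa.sun_path, "/dev/log", sizeof sa.sun_path - 1);
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    ssize_t r = sendto(fd, frame, n, 0, (struct sockaddr *)&sa, sizeof sa);
    close(fd);
    return r == (ssize_t)n ? 0 : -1;
}

int main(void) {
    struct bucket b = { 5, 5, 5, 0 };   /* constructed limit: 5 msgs/s, burst 5 */
    char buf[1024];
    int n = format_frame(buf, sizeof buf, LOG_DAEMON | LOG_ERR, "qemu-log",
                         (long)getpid(), "constructed sample line", time(NULL));
    if (n < 0 || !bucket_allow(&b, (double)time(NULL))) return 1;
    return send_frame(buf, (size_t)n);
}
```

A frame sent without the leading `<PRI>` is still accepted by most daemons but is filed under a default facility and severity, which is why the priority is computed from the `<syslog.h>` constants here.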