Bug 1472410

Summary: /dev is mounted as a tmpfs and should be limited in size the same way that /dev/shm is.
Product: Red Hat Enterprise Linux 7
Reporter: Daniel Walsh <dwalsh>
Component: docker
Assignee: Antonio Murdaca <amurdaca>
Status: CLOSED WONTFIX
QA Contact: atomic-bugs <atomic-bugs>
Severity: unspecified
Priority: unspecified
Version: 7.4
CC: amurdaca, lsm5, mpatel, pasik, tsweeney, vgoyal
Target Milestone: rc
Keywords: Extras
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-06-09 21:04:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Attachments: "This patch might fix the issue." (flags: none)

Description Daniel Walsh 2017-07-18 16:20:27 UTC
There is a potential Denial of Service attack from a container against the host by using up 50% of available memory by writing to /dev.

Comment 1 Daniel Walsh 2017-07-18 16:22:01 UTC
Also needs to be fixed in Fedora.

Comment 3 Daniel Walsh 2017-07-18 19:04:20 UTC
This is really under docker. But I am not sure it is really important. Since /tmp size is controlled by memory cgroup, this would only allow a user to use 50% of available memory in his container. If the admin does not set any memory limit on a container, the processes inside could use 100% of memory.

Comment 4 Daniel Walsh 2017-07-18 19:06:27 UTC
Created attachment 1300623 [details]
This patch might fix the issue.

Comment 5 Mrunal Patel 2017-07-18 19:09:21 UTC
Yeah, that should work. Do we want to make it configurable though like the --shm-size flag in docker?

Comment 6 Daniel Walsh 2017-07-18 19:17:17 UTC
I don't think it would ever grow to that big of a size unless the user is doing something very wrong; the only things that should be in /dev are device nodes.

Comment 7 Vivek Goyal 2017-07-18 19:43:18 UTC
Giving a container a tmpfs limited in size makes sense.
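The condition discussed in the description and in comments 3 to 7 is a tmpfs mounted at /dev with no size= option, so only the memory cgroup (if any) bounds what a container can write there. The following added example is not code from the bug report, from the attached patch or from docker; it shows how an administrator can audit a container's mount table for that condition. It assumes the /proc/self/mounts line format ("source mountpoint fstype options 0 0") and uses constructed sample lines, including a /dev mount without a limit and a /dev/shm mount with the size=65536k limit that --shm-size provides.

```shell
#!/bin/sh
# Added example (not from the bug report or docker): list tmpfs mounts that
# carry no size= option, i.e. mounts whose growth is bounded only by the
# memory cgroup, which is the situation this bug describes for /dev.

# Constructed sample standing in for a container's /proc/self/mounts.
SAMPLE_MOUNTS='overlay / overlay rw,relatime,lowerdir=/l,upperdir=/u,workdir=/w 0 0
tmpfs /dev tmpfs rw,nosuid,mode=755 0 0
shm /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime,size=65536k 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,size=1048576k 0 0'

# Read mount lines on stdin and print the mount point of every tmpfs mount
# whose comma-separated option list contains no size= entry.
unbounded_tmpfs() {
    awk '$3 == "tmpfs" {
        n = split($4, opts, ",");
        limited = 0;
        for (i = 1; i <= n; i++) if (opts[i] ~ /^size=/) limited = 1;
        if (!limited) print $2;
    }'
}

# Check a mount table file; defaults to the live table of the calling process,
# so running it inside a container audits that container's own mounts.
check_mounts() {
    unbounded_tmpfs < "${1:-/proc/self/mounts}"
}

# Run against the constructed sample: prints /dev, the only unbounded tmpfs.
printf '%s\n' "$SAMPLE_MOUNTS" | unbounded_tmpfs
```

Running check_mounts with no argument inside a container exercises the same logic against the real mount table; an empty result means every tmpfs mount, /dev included, carries an explicit size limit.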

Comment 8 Tom Sweeney 2020-06-09 21:04:42 UTC
We have no plans to ship another version of Docker at this time. RHEL7 is in final support stages where only security fixes will get released. Customers should move to use Podman, which is available starting in RHEL 7.6.