Bug#923889: google-compute-image-packages - DoS via serial console write
On Fri, Mar 08, 2019 at 10:59:33AM +0100, Bastian Blank wrote:
> In normal operation, the rate limit of journald might make sure it does
> not come to really blocking.
Ahh, that would do it, thanks.
> What happens for use cases where you need to disable this rate limit?
> Mail servers which Postfix, which exclusively uses syslog that is
> redirected to the journal, need this, or they will loose logs.
>
> On Azure we tried the same for a short time period. It got quiet messy
> and also triggered bugs in the platform.
For sure - I wasn't defending the change, just surprised when I couldn't
reproduce the problem.
> I assume the initial goal was to get the log output of the provisioning
> daemons on the serial console. This goal was also mentioned in the
> formerly shipped rsyslog config snippet.
>
> Forwarding all log traffic there completely destroys that ability, as it
> will be drowned by irrelevant log traffic. Also the log buffer is
> limited in size.
Yep, agreed.
Ross
Reply to: