-
-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Avoid reusing disposable VM names for some predefined time #8512
Comments
This can be achieved by modifying
It will repeat the pool range after it consumed all 10000 possibilities set by Kindly advise if this is OK and what is the final desired behaviour. So I could make a pull request if this is acceptable. |
This approach still theoretically allows quick reuse in the unlucky situation, if some dispid in the first shuffled pool is near its end, and then near beginning in the next shuffled pool. A better solution would be trying to enforce not reusing specific dispid for some time - at least 5 min, but to be safer maybe 1h would be even better. This could be done by keeping a dict of recently used dispid with timestamps when they were last used (dispvm destroy time) and treat recently used dispid similar as currently used ones.
No, this leaks information about uptime / usage pattern too easily and is especially a concern for Whonix qubes. In any case, I don't think preventing reuse strictly until reboot is a good idea, I'll update the issue in a moment. |
OK. I have a working prototype with timestamp dictionary. Delta time till possible reuse is set to one day. Will perform few tests and post the diff. |
Ok. Here is the suggested diff. No reuse for one day. 24 hours is currently hard coded but could be moved to
|
@alimirjamali |
Excellent suggestion. I forgot about that. Or datetime.datetime.utcnow. The overall hypothetical max size of self._recent_disps will be 800KB for 100000 recent dispids. |
PR Submitted |
How to file a helpful issue
The problem you're addressing (if any)
Disposable VM names can be reused, creating a risk of VM name use after free.
The solution you'd like
Do not reuse disposable VM names for some predefined time, long enough for any timeouts to expire.
The value to a user, and who that user might be
Users will be able to write programs that need to create a disposable VM and run commands in it without fear of invoking commands in the wrong VM.
The text was updated successfully, but these errors were encountered: