[colug-432] ulimit
Rick Hornsby
richardjhornsby at gmail.com
Sat Jan 14 16:50:24 EST 2012
On Jan 14, 2012, at 15:33 , Jon Miller wrote:
> Does your /etc/Pam.d/su file use Pam_limits?
Yes, I think it does indirectly.
there is a line in /etc/pam.d/su:
session include system-auth
in /etc/pam.d/system-auth is
session required pam_limits.so
I added "debug" to the end of that line and ran a couple of su commands, but didn't see anything in /var/log/messages
-rick
> - Jon Miller
>
> On Jan 14, 2012 4:31 PM, "Rick Hornsby" <richardjhornsby at gmail.com> wrote:
>
> Unfortunately, this has come up again. I thought we were right setting the ulimit in /etc/security/limits.conf, but when I looked at the actual tomcat process which was started from an init script which contains this line:
>
> su - tomcat $TOMCAT_INSTANCE/bin/startup.sh
>
> The FD limit is maybe getting inherited from the shell which started it - root's. The value for root is the system default of 1024, but 8192 for the tomcat user in /etc/security/limits.conf.
>
> I also tested this by kicking off tail using sudo (su terminated with a '&' acts the same)
>
> sudo -bu tomcat tail -f /var/log/dmesg > /dev/null
>
> When I check the limit in /proc/PID/limits, it is 1024 not 8192. If instead of doing sudo right away, I do
>
> ulimit -n someval; sudo -bu tomcat …
>
> then the tail process, owned by tomcat, gets a limit of someval.
>
> I really don't want to do a hack and have the init script read /etc/security/limits.conf for the tomcat user, change the value and start tomcat …
>
>
> any other thoughts?
>
> thanks
> -rick
>
> On Dec 19, 2011, at 17:38 , Jon Miller wrote:
>
> > Yes Jeff, you are correct and have the best answer to the question. My
> > answer was the "cowboy" answer which really isn't expected to be
> > followed but merely interesting to mention what you can accomplish via
> > a kernel module hack. And as you've pointed out, you can update your
> > ulimit value, within your hard limit, from within the process itself.
> > In my scenario, I needed to alter a process I did not own and
> > furthermore update a value potentiall beyond it's hard limit. Again,
> > that was my cowboy solution.
> >
> > -- Jon Miller
> >
> > On Mon, Dec 19, 2011 at 4:17 PM, Jeff Frontz <jeff.frontz at gmail.com> wrote:
> >> Slight correction - you can change ulimit values on a running process on a
> >> stock 2.6 kernel, but only from inside the process (via a call to setrlimit)
> >> and only to decrease it in an unprivileged process.
> >>
> >>> From the FC7 setrlimit(2) man page:
> >>
> >> The soft limit is the value that the kernel enforces for the
> >> corre-
> >> sponding resource. The hard limit acts as a ceiling for the
> >> soft
> >> limit: an unprivileged process may only set its soft limit to a
> >> value
> >> in the range from 0 up to the hard limit, and (irreversibly) lower
> >> its
> >> hard limit. A privileged process (under Linux: one with
> >> the
> >> CAP_SYS_RESOURCE capability) may make arbitrary changes to either
> >> limit
> >> value.
> >>
> >> Jeff
> >>
> >>
> >> On Mon, Dec 19, 2011 at 4:05 PM, Jon Miller <jonebird at gmail.com> wrote:
> >>>
> >>> Correct, you're not supposed to be able to change a ulimit value of a
> >>> currently running process. That said, I've done it before via a custom
> >>> kernel module. I was actually originally interested in resetting a
> >>> signal handler for a currently running process in order to
> >>> successfully generate a corefile. In the process of testing, we found
> >>> out that the corefile I was getting was zero bytes because their
> >>> ulimit for corefile size was set to 0. So, I made another update to
> >>> the kernel module and was able to change the corefile size ulimit
> >>> value to unlimited on the fly too.
> >>>
> >>> All the while we had a case open with Novell & IBM and needless to
> >>> say, they didn't like the idea of me creating a kernel module but it
> >>> worked and we got the desired corefile finally. I have a short writeup
> >>> on the ordeal on my blog:
> >>>
> >>> http://jonebird.com/2007/06/21/stripping-another-process-of-its-signal-handler/
> >>>
> >>> -- Jon Miller
> >>>
> >>> On Mon, Dec 19, 2011 at 3:26 PM, Rick Hornsby <richardjhornsby at gmail.com>
> >>> wrote:
> >>>>
> >>>> On Fri, Dec 2, 2011 at 2:57 PM, Mark Aufdencamp <mark at aufdencamp.com>
> >>>> wrote:
> >>>>> A helpful link:
> >>>>>
> >>>>>
> >>>>> http://www.cyberciti.biz/faq/linux-increase-the-maximum-number-of-open-files/
> >>>>
> >>>> Thanks. That was one of the things I read before posting that got me
> >>>> really turned around. The language is very confusing, especially when
> >>>> he says things like "75000 files normal user can have open in single
> >>>> login session." That makes it seem like it is almost a per-user
> >>>> (per-session more specifically) limit.
> >>>>
> >>>> Someone else said that the ulimit was a per-process restriction, and
> >>>> this appears to be true. /proc/<pid>/limits confirms this.
> >>>>
> >>>> Recompiling the kernel isn't an option, but it is good to know that
> >>>> this is where the default of 1024 comes from. Based on what folks
> >>>> suggested here and additional research, /etc/security/limits.conf is
> >>>> the place to set it. Something that took me a while to get is the
> >>>> soft/hard limits. Unlike disk/printer quotas, these different limits
> >>>> do not refer to warnings or other information that lets the user know
> >>>> they're about to run out. Rather, the hard limit is the
> >>>> kernel-enforced maximum. The soft limit can be set by the user, up to
> >>>> the hard limit. So maybe the hard limit is 1024, but they decide a
> >>>> process has run away if it hits 128 open FDs. That would be a use for
> >>>> the soft limit. I believe, like a pid's nice value, the user can
> >>>> lower their own hard limit (priority), but once lowered, they cannot
> >>>> raise it.
> >>>>
> >>>> It does not, however, appear that it is possible to change the ulimit
> >>>> of a currently running process. When a process starts up, the
> >>>> kernel(?) figures out what limits it should have, and those last for
> >>>> the life of the pid.
> >>>>
> >>>> ulimit is just one of those things that seems to be poorly documented
> >>>> and not well understood.
> >>>>
> >>>> -rick
> >>>> _______________________________________________
> >>>> colug-432 mailing list
> >>>> colug-432 at colug.net
> >>>> http://lists.colug.net/mailman/listinfo/colug-432
> >>>
> >>> _______________________________________________
> >>> colug-432 mailing list
> >>> colug-432 at colug.net
> >>> http://lists.colug.net/mailman/listinfo/colug-432
> >>
> >>
> >>
> >> _______________________________________________
> >> colug-432 mailing list
> >> colug-432 at colug.net
> >> http://lists.colug.net/mailman/listinfo/colug-432
> >>
> >
> > _______________________________________________
> > colug-432 mailing list
> > colug-432 at colug.net
> > http://lists.colug.net/mailman/listinfo/colug-432
>
>
> _______________________________________________
> colug-432 mailing list
> colug-432 at colug.net
> http://lists.colug.net/mailman/listinfo/colug-432
> _______________________________________________
> colug-432 mailing list
> colug-432 at colug.net
> http://lists.colug.net/mailman/listinfo/colug-432
More information about the colug-432
mailing list