Re: resource limits
On Fri, 3 Nov 2000, Kasatenko Ivan Alex. wrote: > Hello Jeremy, > > Friday, November 03, 2000, 3:09:35 AM, you wrote: > > JCR> What is an easy way to find out how much of certain resources I > am using? > Try the following kernel patch: Why do I want a kernel patch? I am not having any resource problems. > http://www.asp-linux.com/ > It helped me in such a situation. Will this patch teach me the answers to my questions on how to find out how much of certain resources are currently being used? Jeremy C. Reed BSD software, documentation, resources, news... http://bsd.reedmedia.net/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: resource limits
On Fri, Nov 03, 2000 at 05:56:09PM +0800, Mailing List wrote: > By putting it in the /etc/init.d/apache script, it would limit the apache > server as well (www-data) user, and thats bad. We ONLY want to limit the > user's cgi processes. We haven't founded any script that suexec uses to run > user cgis, so we can't limit it that way. If you run CGIs for each host under suEXEC, you can run them as another user and thusly limit them. Under Linux, resource restrictions other than disk quotas have to be done by a parent process (such as login) for all of it's children to run with those restrictions. If you asked me, I'd hack suexec to use setrlimit(2). > - Original Message - > From: "Kasatenko Ivan Alex." <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Friday, November 03, 2000 4:56 PM > Subject: Re: resource limits > > > Hello Jeremy, > > Friday, November 03, 2000, 3:09:35 AM, you wrote: > > JCR> What is an easy way to find out how much of certain resources I am > using? > > JCR> In particular, how can I easily find out the following in use by the > shell > JCR> and the processes started by it? > > JCR> - the total size of all process's data segments > JCR> - total resident memory size > JCR> - the number of file descriptors I have in use (open files) > JCR> - the total stack size I have in use > JCR> - total CPU time in seconds > JCR> - total number of processes (per this session) > JCR> - total amount of virtual memory used by the shell > > JCR> Does the "maximum resident set size" limit for all processes or just > one > JCR> process? If for all, then how can I easily find out? > > JCR> What does "pipe size" mean? How can I know how much I am using? > > JCR> How do sh/bash ulimits or csh limits correlate with > JCR> /etc/security/limits.conf, /etc/limits, /etc/login.defs (ULIMIT) or > JCR> BSD-type login.conf session resource limits settings? > > JCR> Does anyone have any answers to any of these questions? > > JCR> Thanks > > JCR> Jeremy C. Reed > JCR> http://www.reedmedia.net/ > JCR> http://bsd.reedmedia.net/ > > > JCR> -- > JCR> To UNSUBSCRIBE, email to [EMAIL PROTECTED] > JCR> with a subject of "unsubscribe". Trouble? Contact > [EMAIL PROTECTED] > > Try the following kernel patch: > http://www.asp-linux.com/ > It helped me in such a situation. > > -- > Regards, > Ivanmailto:[EMAIL PROTECTED] > > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact > [EMAIL PROTECTED] > > > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] > -- Michael Bacarella <[EMAIL PROTECTED]> ;finger address for public key GPG Key Fingerprint: B4E4 82F5 BCAC AB83 E6F7 B5AA 933E 2A75 79A4 A9C1 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: resource limits
We tried that too, but it doesn't seem to limit actual cgis. It does limit the actual apache process. This is strange to us, as we though all child processes would inherit the limit. We don't use the stock suexec, because we recompiled it to use /home Perhaps this has a factor to play? - Original Message - From: "Thomas Köppe" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, November 03, 2000 6:21 PM Subject: Re: resource limits From: "Andreas Rabus" <[EMAIL PROTECTED]> Sent: Friday, November 03, 2000 11:09 AM >If you put something like the folowing line in httpd.conf, all prcess >started from within the apache will be limited in theire memory usage. In >this exampel to 50MB. >RLimitMEM 52428800 52428800 >Sorry, dont know the exact Syntax of that Option... Please visit: http://www.apache.org/docs/mod/core.html#rlimitcpu Regards, Thomas Köppe -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: resource limits
From: "Andreas Rabus" <[EMAIL PROTECTED]> Sent: Friday, November 03, 2000 11:09 AM >If you put something like the folowing line in httpd.conf, all prcess >started from within the apache will be limited in theire memory usage. In >this exampel to 50MB. >RLimitMEM 52428800 52428800 >Sorry, dont know the exact Syntax of that Option... Please visit: http://www.apache.org/docs/mod/core.html#rlimitcpu Regards, Thomas Köppe -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: resource limits
On Fri, Nov 03, 2000 at 05:56:09PM +0800, Mailing List wrote: | Actually, I have a related question. | | We offering web hosting to our clients. When people run huge CGIs, normally | we are notified, and kill them manually. We've also got a small script we | run periodically to kill of any "stuck" or "hanged" processes by users' cgis | (we use suexec so they run under their usernames). | | HOWEVER, as this is a reactive measure, rather than a PROactive measure, | we'd rather have a way of LIMITING their usage like we do diskspace. | | By putting it in the /etc/init.d/apache script, it would limit the apache | server as well (www-data) user, and thats bad. We ONLY want to limit the | user's cgi processes. We haven't founded any script that suexec uses to run | user cgis, so we can't limit it that way. | | Any ideas??? | | Thanks in advance. [.. snipp ..] We use suexec and this config in httpd.conf DocumentRoot /usr/local/apache/htdocs/bikeshop User bikeshop Group users RLimitCPU 30 30 RLimitMEM 5000 5000 ScriptAlias /cgi-bin/ /usr/local/apache/htdocs/bikeshop/cgi-bin/ References: http://www.apache.org/docs-1.2/mod/core.html#rlimitcpu http://www.apache.org/docs-1.2/mod/core.html#rlimitmem http://www.apache.org/docs-1.2/mod/core.html#rlimitnproc -- Fredrik Steen %{---+ | <[EMAIL PROTECTED]> | | +46 (0)54 7756212 | +---%} -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: resource limits
Actually, I have a related question. We offering web hosting to our clients. When people run huge CGIs, normally we are notified, and kill them manually. We've also got a small script we run periodically to kill of any "stuck" or "hanged" processes by users' cgis (we use suexec so they run under their usernames). HOWEVER, as this is a reactive measure, rather than a PROactive measure, we'd rather have a way of LIMITING their usage like we do diskspace. By putting it in the /etc/init.d/apache script, it would limit the apache server as well (www-data) user, and thats bad. We ONLY want to limit the user's cgi processes. We haven't founded any script that suexec uses to run user cgis, so we can't limit it that way. Any ideas??? Thanks in advance. - Original Message - From: "Kasatenko Ivan Alex." <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, November 03, 2000 4:56 PM Subject: Re: resource limits Hello Jeremy, Friday, November 03, 2000, 3:09:35 AM, you wrote: JCR> What is an easy way to find out how much of certain resources I am using? JCR> In particular, how can I easily find out the following in use by the shell JCR> and the processes started by it? JCR> - the total size of all process's data segments JCR> - total resident memory size JCR> - the number of file descriptors I have in use (open files) JCR> - the total stack size I have in use JCR> - total CPU time in seconds JCR> - total number of processes (per this session) JCR> - total amount of virtual memory used by the shell JCR> Does the "maximum resident set size" limit for all processes or just one JCR> process? If for all, then how can I easily find out? JCR> What does "pipe size" mean? How can I know how much I am using? JCR> How do sh/bash ulimits or csh limits correlate with JCR> /etc/security/limits.conf, /etc/limits, /etc/login.defs (ULIMIT) or JCR> BSD-type login.conf session resource limits settings? JCR> Does anyone have any answers to any of these questions? JCR> Thanks JCR> Jeremy C. Reed JCR> http://www.reedmedia.net/ JCR> http://bsd.reedmedia.net/ JCR> -- JCR> To UNSUBSCRIBE, email to [EMAIL PROTECTED] JCR> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] Try the following kernel patch: http://www.asp-linux.com/ It helped me in such a situation. -- Regards, Ivanmailto:[EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: resource limits
Hello Jeremy, Friday, November 03, 2000, 3:09:35 AM, you wrote: JCR> What is an easy way to find out how much of certain resources I am using? JCR> In particular, how can I easily find out the following in use by the shell JCR> and the processes started by it? JCR> - the total size of all process's data segments JCR> - total resident memory size JCR> - the number of file descriptors I have in use (open files) JCR> - the total stack size I have in use JCR> - total CPU time in seconds JCR> - total number of processes (per this session) JCR> - total amount of virtual memory used by the shell JCR> Does the "maximum resident set size" limit for all processes or just one JCR> process? If for all, then how can I easily find out? JCR> What does "pipe size" mean? How can I know how much I am using? JCR> How do sh/bash ulimits or csh limits correlate with JCR> /etc/security/limits.conf, /etc/limits, /etc/login.defs (ULIMIT) or JCR> BSD-type login.conf session resource limits settings? JCR> Does anyone have any answers to any of these questions? JCR> Thanks JCR> Jeremy C. Reed JCR> http://www.reedmedia.net/ JCR> http://bsd.reedmedia.net/ JCR> -- JCR> To UNSUBSCRIBE, email to [EMAIL PROTECTED] JCR> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] Try the following kernel patch: http://www.asp-linux.com/ It helped me in such a situation. -- Regards, Ivanmailto:[EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: resource limits?
Fork bomb not work.. But while (1) malloc(1000); You must limit memoryuse Dariush Pietrzak wrote: > > > > root$ man ulimit > > Isn't this a bash shell level thing? > > % ulimit > > ulimit: Command not found. > > > So what happens when you have users using tcsh? ulimit is not available in >limit [-h] [resource [maximum-use]] > > > tcsh. Can't users also change their ulimit settings? What about preventing > they can only lower limits enforced by admin. > > > fork bombs & such? > this is limit's output at one of our university servers: > >limit > cputime unlimited > filesizeunlimited > datasizeunlimited > stacksize 8192 kbytes > coredumpsize100 kbytes > memoryuse unlimited > descriptors 256 > memorylockedunlimited > maxproc 256 > openfiles 256 > > fork bomb won't do much with limited maxproc etc.. > > under Debian GNU/Linux you set it in /etc/login.defs: > > # > # Login configuration initializations: > # > # ERASECHAR Terminal ERASE character ('\010' = backspace). > # KILLCHARTerminal KILL character ('\025' = CTRL/U). > # UMASK Default "umask" value. > # ULIMIT Default "ulimit" value. > # > # The ERASECHAR and KILLCHAR are used only on System V machines. > # The ULIMIT is used only if the system supports it. > # (now it works with setrlimit too; ulimit is in 512-byte units) > # > # Prefix these values with "0" to get octal, "0x" to get hexadecimal. > # > ERASECHAR 0177 > KILLCHAR025 > UMASK 002 > ULIMIT 2097152 > # ^ > # > > regards, > Eyck > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: resource limits?
> > root$ man ulimit > Isn't this a bash shell level thing? > % ulimit > ulimit: Command not found. > So what happens when you have users using tcsh? ulimit is not available in limit [-h] [resource [maximum-use]] > tcsh. Can't users also change their ulimit settings? What about preventing they can only lower limits enforced by admin. > fork bombs & such? this is limit's output at one of our university servers: >limit cputime unlimited filesizeunlimited datasizeunlimited stacksize 8192 kbytes coredumpsize100 kbytes memoryuse unlimited descriptors 256 memorylockedunlimited maxproc 256 openfiles 256 fork bomb won't do much with limited maxproc etc.. under Debian GNU/Linux you set it in /etc/login.defs: # # Login configuration initializations: # # ERASECHAR Terminal ERASE character ('\010' = backspace). # KILLCHARTerminal KILL character ('\025' = CTRL/U). # UMASK Default "umask" value. # ULIMIT Default "ulimit" value. # # The ERASECHAR and KILLCHAR are used only on System V machines. # The ULIMIT is used only if the system supports it. # (now it works with setrlimit too; ulimit is in 512-byte units) # # Prefix these values with "0" to get octal, "0x" to get hexadecimal. # ERASECHAR 0177 KILLCHAR025 UMASK 002 ULIMIT 2097152 # ^ # regards, Eyck
Re: resource limits?
Fork bomb not work.. But while (1) malloc(1000); You must limit memoryuse Dariush Pietrzak wrote: > > > > root$ man ulimit > > Isn't this a bash shell level thing? > > % ulimit > > ulimit: Command not found. > > > So what happens when you have users using tcsh? ulimit is not available in >limit [-h] [resource [maximum-use]] > > > tcsh. Can't users also change their ulimit settings? What about preventing > they can only lower limits enforced by admin. > > > fork bombs & such? > this is limit's output at one of our university servers: > >limit > cputime unlimited > filesizeunlimited > datasizeunlimited > stacksize 8192 kbytes > coredumpsize100 kbytes > memoryuse unlimited > descriptors 256 > memorylockedunlimited > maxproc 256 > openfiles 256 > > fork bomb won't do much with limited maxproc etc.. > > under Debian GNU/Linux you set it in /etc/login.defs: > > # > # Login configuration initializations: > # > # ERASECHAR Terminal ERASE character ('\010' = backspace). > # KILLCHARTerminal KILL character ('\025' = CTRL/U). > # UMASK Default "umask" value. > # ULIMIT Default "ulimit" value. > # > # The ERASECHAR and KILLCHAR are used only on System V machines. > # The ULIMIT is used only if the system supports it. > # (now it works with setrlimit too; ulimit is in 512-byte units) > # > # Prefix these values with "0" to get octal, "0x" to get hexadecimal. > # > ERASECHAR 0177 > KILLCHAR025 > UMASK 002 > ULIMIT 2097152 > # ^ > # > > regards, > Eyck > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: resource limits?
> > root$ man ulimit > Isn't this a bash shell level thing? > % ulimit > ulimit: Command not found. > So what happens when you have users using tcsh? ulimit is not available in limit [-h] [resource [maximum-use]] > tcsh. Can't users also change their ulimit settings? What about preventing they can only lower limits enforced by admin. > fork bombs & such? this is limit's output at one of our university servers: >limit cputime unlimited filesizeunlimited datasizeunlimited stacksize 8192 kbytes coredumpsize100 kbytes memoryuse unlimited descriptors 256 memorylockedunlimited maxproc 256 openfiles 256 fork bomb won't do much with limited maxproc etc.. under Debian GNU/Linux you set it in /etc/login.defs: # # Login configuration initializations: # # ERASECHAR Terminal ERASE character ('\010' = backspace). # KILLCHARTerminal KILL character ('\025' = CTRL/U). # UMASK Default "umask" value. # ULIMIT Default "ulimit" value. # # The ERASECHAR and KILLCHAR are used only on System V machines. # The ULIMIT is used only if the system supports it. # (now it works with setrlimit too; ulimit is in 512-byte units) # # Prefix these values with "0" to get octal, "0x" to get hexadecimal. # ERASECHAR 0177 KILLCHAR025 UMASK 002 ULIMIT 2097152 # ^ # regards, Eyck -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: resource limits?
-BEGIN PGP SIGNED MESSAGE- On Tue, 20 Jun 2000, Joaquin Ferrero wrote: > >Is there a tested & reliable kernel module/hack that would provide the > >capability to limit resources? My intent is to limit the amount of > >processes, forks per second, memory, cpu, etc a user can utilize. Doesn't > >necessarily have to be a kernel module/hack, just some trusted & reliable > >method of limiting resources and preventing dos attacks (such as fork > >bombs). > > root$ man ulimit Isn't this a bash shell level thing? % ulimit ulimit: Command not found. So what happens when you have users using tcsh? ulimit is not available in tcsh. Can't users also change their ulimit settings? What about preventing fork bombs & such? - -- Hey, don't be surprised if millions die in plague and murder, true happiness lies beyond your fries and burger. -Neil Hannon -BEGIN PGP SIGNATURE- Version: 2.6.2 iQEVAwUBOVABz425JqSrqvhBAQFQeQf/ZcpafYqE6aIRvX5dWzEkS64ZoEf6kVN+ ydaCpbwTLIh8DMpLP36DNRrS4LgIFDl3Cw8eNBqkM7j2TIRfaG6qDAsR33ZgZu70 5z/Oc8yMJkyvzaF6IkumI1n8VMlysbnLH3NjAvrZvSlvMu5h6wW1xrzYL1us5aYW aMJuAEKiU34RYv/zLDOzsRrFqRLaf7IDn+QCznKLqLv5Y7Irqifc3Y7j0RZsTI3y EBmeADFx2VAexf2bflaKVVWSwae3aQ7mCbFsJAIpcN+2+SB+06sEeAFbmPxNjAI2 PzK1pb/wD+AypZhh0kH4XciO6PgJ39yHWKZEzH+esPsbrBEtKjANgA== =0pOH -END PGP SIGNATURE-
Re: resource limits?
-BEGIN PGP SIGNED MESSAGE- On Tue, 20 Jun 2000, Joaquin Ferrero wrote: > >Is there a tested & reliable kernel module/hack that would provide the > >capability to limit resources? My intent is to limit the amount of > >processes, forks per second, memory, cpu, etc a user can utilize. Doesn't > >necessarily have to be a kernel module/hack, just some trusted & reliable > >method of limiting resources and preventing dos attacks (such as fork > >bombs). > > root$ man ulimit Isn't this a bash shell level thing? % ulimit ulimit: Command not found. So what happens when you have users using tcsh? ulimit is not available in tcsh. Can't users also change their ulimit settings? What about preventing fork bombs & such? - -- Hey, don't be surprised if millions die in plague and murder, true happiness lies beyond your fries and burger. -Neil Hannon -BEGIN PGP SIGNATURE- Version: 2.6.2 iQEVAwUBOVABz425JqSrqvhBAQFQeQf/ZcpafYqE6aIRvX5dWzEkS64ZoEf6kVN+ ydaCpbwTLIh8DMpLP36DNRrS4LgIFDl3Cw8eNBqkM7j2TIRfaG6qDAsR33ZgZu70 5z/Oc8yMJkyvzaF6IkumI1n8VMlysbnLH3NjAvrZvSlvMu5h6wW1xrzYL1us5aYW aMJuAEKiU34RYv/zLDOzsRrFqRLaf7IDn+QCznKLqLv5Y7Irqifc3Y7j0RZsTI3y EBmeADFx2VAexf2bflaKVVWSwae3aQ7mCbFsJAIpcN+2+SB+06sEeAFbmPxNjAI2 PzK1pb/wD+AypZhh0kH4XciO6PgJ39yHWKZEzH+esPsbrBEtKjANgA== =0pOH -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: resource limits?
>Is there a tested & reliable kernel module/hack that would provide the >capability to limit resources? My intent is to limit the amount of >processes, forks per second, memory, cpu, etc a user can utilize. Doesn't >necessarily have to be a kernel module/hack, just some trusted & reliable >method of limiting resources and preventing dos attacks (such as fork >bombs). root$ man ulimit Joaquin Ferrero [EMAIL PROTECTED]
Re: resource limits?
>Is there a tested & reliable kernel module/hack that would provide the >capability to limit resources? My intent is to limit the amount of >processes, forks per second, memory, cpu, etc a user can utilize. Doesn't >necessarily have to be a kernel module/hack, just some trusted & reliable >method of limiting resources and preventing dos attacks (such as fork >bombs). root$ man ulimit Joaquin Ferrero [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]