Re: maximum number of processes on kernel 2.4.x

2002-03-13 Thread Ian Cass

I usually add this to the bottom of /etc/security/limits.conf

*   soft    nofile  4096
*   hard    nofile  8192

and I set the ulimits in /etc/profile. This seems to do the trick for me.

Now, if only I could increase the number of threads I can run with IBM Java.
As soon as you dick about with libc to increase the system threads, it
coredumps.

--
Ian Cass

- Original Message -
From: "Wayne Tucker" <[EMAIL PROTECTED]>
To: "Russell Coker" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, March 12, 2002 8:03 PM
Subject: Re: maximum number of processes on kernel 2.4.x


> On Tue, Mar 12, 2002 at 12:15:26PM +0100, Russell Coker wrote:
> > BTW, why exactly do you need to have so many root owned processes?
> >
> > Every root owned process is a potential security hole.  Is it possible to
> > make some of these things use non-root?
>
> The server is running CommuniGate Pro, which must be run as root.  I'm
> not particularly comfortable with the idea myself, but since the
> server is only doing email, then if somebody compromises the mail
> software, they have control over everything important that happens on
> the server anyhow.
>
> It looks like the real problem was actually the pam_limits module that
> is being loaded from the various pam.d configuration files.  It was
> doing a setrlimit(RLIMIT_NPROC, 256), which resulted in it not being
> able to perform the various setuid/setgid calls and whatnot and then
> spawn the login shell.
>
> Thanks again for your help,
>
> Wayne
>
>


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: maximum number of processes on kernel 2.4.x

2002-03-12 Thread Russell Coker

On Tue, 12 Mar 2002 21:03, Wayne Tucker wrote:
> On Tue, Mar 12, 2002 at 12:15:26PM +0100, Russell Coker wrote:
> > BTW, why exactly do you need to have so many root owned processes?
> >
> > Every root owned process is a potential security hole.  Is it possible to
> > make some of these things use non-root?
>
> The server is running CommuniGate Pro, which must be run as root.  I'm
> not particularly comfortable with the idea myself, but since the
> server is only doing email, then if somebody compromises the mail
> software, they have control over everything important that happens on
> the server anyhow.
>
> It looks like the real problem was actually the pam_limits module that
> is being loaded from the various pam.d configuration files.  It was

That's a bug.  A daemon should not be using pam unless it's for a user login. 
I presume it was more than just the POP server having a problem...

> doing a setrlimit(RLIMIT_NPROC, 256), which resulted in it not being
> able to perform the various setuid/setgid calls and whatnot and then
> spawn the login shell.

Also you can edit /etc/security/limits.conf to change the settings...

-- 
If you send email to me or to a mailing list that I use which has >4 lines
of legalistic junk at the end then you are specifically authorizing me to do
whatever I wish with the message and all other messages from your domain, by
posting the message you agree that your long legalistic sig is void.






Re: maximum number of processes on kernel 2.4.x

2002-03-12 Thread Wayne Tucker

On Tue, Mar 12, 2002 at 12:15:26PM +0100, Russell Coker wrote:
> BTW, why exactly do you need to have so many root owned processes?
> 
> Every root owned process is a potential security hole.  Is it possible to 
> make some of these things use non-root?

The server is running CommuniGate Pro, which must be run as root.  I'm
not particularly comfortable with the idea myself, but since the
server is only doing email, then if somebody compromises the mail
software, they have control over everything important that happens on
the server anyhow.

It looks like the real problem was actually the pam_limits module that
is being loaded from the various pam.d configuration files.  It was
doing a setrlimit(RLIMIT_NPROC, 256), which resulted in it not being
able to perform the various setuid/setgid calls and whatnot and then
spawn the login shell.

Thanks again for your help,

Wayne


-- 
Wayne A. Tucker - [EMAIL PROTECTED]
Network Engineer, Donobi Inc.







Re: maximum number of processes on kernel 2.4.x

2002-03-12 Thread Russell Coker

BTW, why exactly do you need to have so many root owned processes?

Every root owned process is a potential security hole.  Is it possible to 
make some of these things use non-root?





Re: maximum number of processes on kernel 2.4.x

2002-03-12 Thread Denis A. Kulgeyko

Hello!

> Does anybody know how to change the maximum number of tasks/processes
> available under the 2.4.x kernels, similar to tuning NR_TASKS and
> MAX_TASKS_PER_USER in 2.2.x and 2.3.x?  Our mail software sometimes
> requires a large number of processes, and we cannot ssh into the server
> once the number of processes belonging to root reaches 256.
>
> Thanks for any help that you can provide,
>
> Wayne

I set the max. process count (using "ulimit -u") in the sendmail start script 
(right before the first (parent to others) daemon is executed) and in the sendmail 
config file ("MaxDaemonChildren" parameter). And so on for all other daemons. 
In summary, if all services run their max. available children count, there are 
still some processes available (the total running process count is less than the 
max. available processes) and free virtual memory to run some sshd and shells to 
log on. I think there is no need to change kernel data structures.

P.S. Excuse me for my ugly English. :)

-- 
With Best Regards,
Denis A. Kulgeyko
DK666-UANIC
e-mail: [EMAIL PROTECTED]
ICQ: 81607525
SMS: [EMAIL PROTECTED]
--
UNIXes ... they are VERY friendly.
But .. they chooses their friends VERY carefully ... :)
^]:wq!






Re: maximum number of processes on kernel 2.4.x

2002-03-11 Thread Russell Coker

On Tue, 12 Mar 2002 03:58, Wayne Tucker wrote:
> The limit of 256 is coming from the `ulimit -s` command (bash).  Just
> as a test, I also threw together a program to call getrlimit and
> display the result.  Here's what I get:
>
> wayne@ironman:~$ cat /proc/version
> Linux version 2.4.17 (root@ironman) (gcc version 2.95.4 20011006 (Debian
> prerelease)) #1 Wed Jan 2 21:55:45 PST 2002
> wayne@ironman:~$ ./showrlimit
> cur: 256 max: 4294967295
>
> (now I really understand what you meant when you said that my system
> would be dead long before it got there ;)

The real limit isn't going to be 4 billion processes.  That just means that 
it won't be the ulimit stopping you.

As you've apparently noticed, the limits are set by login programs.  This 
should only be a problem if you ssh into a machine to start a daemon; daemons 
started by init should not have any such limits.





Re: maximum number of processes on kernel 2.4.x

2002-03-11 Thread Wayne Tucker

I believe I have found a fix.  I'm not sure where the RLIMIT_NPROC
value of 256 was coming from, but it can be changed by creating an
initscript (5) file on your system and setting the various limits
through there.  Here's the new script from my system:

#
# initscript   Executed by init(8) for every program it
#  wants to spawn like this:
#
#  /bin/sh /etc/initscript
#

ulimit -Hu 1024
ulimit -Su 512

# Execute the program.
eval exec "$4"

<--- (cut here, insert tab a into slot b)

Also, it looks like ssh was setting its own limits via pam.  Oddly
enough, it also was setting RLIMIT_NPROC to 256.  On Debian, this can
be changed in /etc/security/limits.conf.

Thanks for the help, Russell.  I'd probably still be looking through
the kernel sources if I hadn't asked! =)

Wayne




On Mon, Mar 11, 2002 at 06:58:50PM -0800, Wayne Tucker wrote:
> On Tue, Mar 12, 2002 at 02:52:36AM +0100, Russell Coker wrote:
> > On Tue, 12 Mar 2002 02:33, Wayne Tucker wrote:
> > > > I guess that you have some problem related to ulimit...
> > >
> > > [snip]
> > >
> > > Is the "default" number of processes allowed by ulimit/setrlimit
> > > determined in the kernel, or is it being set from somewhere in the
> > > init scripts?  Are resource limits inherited from the parent process,
> > > and can the default for daemons be changed somewhere in the init
> > > process so that they can be effective for daemon processes that start
> > > on bootup?  The system does not have any users other than admins, so
> > > for our purposes it would be safe for us to have RLIMIT_NPROC set to
> > > something higher such as 512.
> > 
> > I think that generally ulimit is not set in init scripts.  However some init 
> > scripts may end up sourcing /etc/profile (this is not a good idea), and 
> > people often put ulimit commands in /etc/profile...
> > 
> > The kernel definitely doesn't put any significant limits in.
> > 
> > Are you certain that it's a limit on the number of processes?  Or might it be 
> > some other limit that hits in when you have 256 processes?
> > 
> > Check in /proc/sys/fs and see if the first field in file-nr is near the value 
> > of file-max.  Also do the same check for inode-max if it exists.
> 
> 
> The limit of 256 is coming from the `ulimit -s` command (bash).  Just
> as a test, I also threw together a program to call getrlimit and
> display the result.  Here's what I get:
> 
> wayne@ironman:~$ cat /proc/version
> Linux version 2.4.17 (root@ironman) (gcc version 2.95.4 20011006 (Debian
> prerelease)) #1 Wed Jan 2 21:55:45 PST 2002
> wayne@ironman:~$ ./showrlimit
> cur: 256 max: 4294967295
> 
> (now I really understand what you meant when you said that my system
> would be dead long before it got there ;)
> 
> I thought that this may have been coming from somewhere in bash, so I
> set up another account using tcsh, but I get the same result.  I also
> ran an strace on bash, but I don't see any getrlimit calls in there.
> 
> The system is running woody, and most of the init scripts are
> untouched.  Interestingly enough, this is what I get on a system that
> is running potato with (Adrian?) Bunk's 2.4-series kernel packages:
> 
> groucho:~$ cat /proc/version
> Linux version 2.4.14 (root@ironman) (gcc version 2.95.4 20011006 (Debian
> prerelease)) #1 Fri Nov 9 10:44:55 PST 2001
> groucho:~$ ./showrlimit
> cur: 2038 max: 2038
> 
> It doesn't seem to be a kernel issue, either, as this is what I get
> on another woody system:
> 
> harpo:~$ cat /proc/version
> Linux version 2.4.14 (root@ironman) (gcc version 2.95.4 20011006 (Debian
> prerelease)) #1 Fri Nov 9 10:44:55 PST 2001
> harpo:~$ ./showrlimit
> cur: 256 max: 4294967295
> 
> The hardware in these last 2 machines is virtually identical, with the
> exception of the latter one having a larger hard drive.
> 
> 
> If I do a ulimit -n 1024 and then su to another account, RLIMIT_NPROC
> is set back to 256.  I'm trying to figure out how to run strace on the
> su session, but I can't get it to take the password.
> 
> Here's the code that I used to call getrlimit:
> 
> #include <stdio.h>
> #include <sys/types.h>
> #include <sys/time.h>
> #include <sys/resource.h>
> 
> int main(void) 
> {
>   struct rlimit rlimit_cur;
> 
>   /* Report the soft (cur) and hard (max) per-user process limits. */
>   if (getrlimit(RLIMIT_NPROC, &rlimit_cur) != 0) {
>     perror("getrlimit");
>     return 1;
>   }
>   printf("cur: %lu max: %lu\n", (unsigned long)rlimit_cur.rlim_cur,
>          (unsigned long)rlimit_cur.rlim_max);
>   return 0;
> }
> 
> 
> Any thoughts?
> 
> Many thanks,
> 
> Wayne
> 
> 




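As an added example (not code from any message in this thread), the C program below shows the mechanism the thread turns on: a soft RLIMIT_NPROC that a parent lowers, as pam_limits did with setrlimit(RLIMIT_NPROC, 256), is copied into every process it forks, and the soft value can be raised back as long as it stays at or below the hard value, which is why both the initscript's `ulimit -Hu 1024` / `ulimit -Su 512` and a limits.conf entry take effect for everything started beneath them. The function names are this example's own; Linux with glibc is assumed.

```c
/* Added example, not from the thread. RLIMIT_NPROC is per-process state that
 * fork() copies into every child, and the soft value may be lowered or raised
 * again freely as long as it stays <= the hard value. Names are my own. */
#include <stdio.h>
#include <sys/resource.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set only the soft RLIMIT_NPROC, keeping the hard limit (what a "soft nproc"
 * line makes pam_limits do). Returns 0, or -1 with errno set (EINVAL if soft > hard). */
int set_soft_nproc(rlim_t soft)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0)
        return -1;
    rl.rlim_cur = soft;
    return setrlimit(RLIMIT_NPROC, &rl);
}

/* Fork a child and store the soft RLIMIT_NPROC the child sees in *out. Returns
 * 0, or -1 on failure. A pipe carries the value back (it exceeds 8 bits). */
int child_soft_nproc(rlim_t *out)
{
    int fd[2];
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {                      /* child: rlimits copied from parent */
        struct rlimit rl;
        if (getrlimit(RLIMIT_NPROC, &rl) != 0 ||
            write(fd[1], &rl.rlim_cur, sizeof rl.rlim_cur) != (ssize_t)sizeof rl.rlim_cur)
            _exit(1);
        _exit(0);
    }
    close(fd[1]);
    ssize_t n = pid > 0 ? read(fd[0], out, sizeof *out) : -1;
    close(fd[0]);
    if (pid > 0) waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

/* The experiment: clamp the soft limit to `soft` (as pam_limits did with
 * setrlimit(RLIMIT_NPROC, 256)), record what a forked child inherits in *seen,
 * then raise the soft limit back to `restore` (allowed because restore <= hard). */
int inherited_after_clamp(rlim_t soft, rlim_t restore, rlim_t *seen)
{
    if (set_soft_nproc(soft) != 0)
        return -1;
    int rc = child_soft_nproc(seen);
    if (set_soft_nproc(restore) != 0)
        return -1;
    return rc;
}

int main(void)
{
    struct rlimit orig;
    rlim_t seen;
    if (getrlimit(RLIMIT_NPROC, &orig) != 0)
        return 1;
    /* pam_limits-style clamp to 256, never above the hard limit (rlim_t is unsigned). */
    rlim_t clamp = orig.rlim_max < 256 ? orig.rlim_max : 256;
    if (inherited_after_clamp(clamp, orig.rlim_cur, &seen) != 0)
        return 1;
    printf("cur: %llu max: %llu child after clamp: %llu\n", (unsigned long long)orig.rlim_cur,
           (unsigned long long)orig.rlim_max, (unsigned long long)seen);
    return seen == clamp ? 0 : 1;
}
```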




Re: maximum number of processes on kernel 2.4.x

2002-03-11 Thread Wayne Tucker

On Tue, Mar 12, 2002 at 02:52:36AM +0100, Russell Coker wrote:
> On Tue, 12 Mar 2002 02:33, Wayne Tucker wrote:
> > > I guess that you have some problem related to ulimit...
> >
> > [snip]
> >
> > Is the "default" number of processes allowed by ulimit/setrlimit
> > determined in the kernel, or is it being set from somewhere in the
> > init scripts?  Are resource limits inherited from the parent process,
> > and can the default for daemons be changed somewhere in the init
> > process so that they can be effective for daemon processes that start
> > on bootup?  The system does not have any users other than admins, so
> > for our purposes it would be safe for us to have RLIMIT_NPROC set to
> > something higher such as 512.
> 
> I think that generally ulimit is not set in init scripts.  However some init 
> scripts may end up sourcing /etc/profile (this is not a good idea), and 
> people often put ulimit commands in /etc/profile...
> 
> The kernel definitely doesn't put any significant limits in.
> 
> Are you certain that it's a limit on the number of processes?  Or might it be 
> some other limit that hits in when you have 256 processes?
> 
> Check in /proc/sys/fs and see if the first field in file-nr is near the value 
> of file-max.  Also do the same check for inode-max if it exists.


The limit of 256 is coming from the `ulimit -s` command (bash).  Just
as a test, I also threw together a program to call getrlimit and
display the result.  Here's what I get:

wayne@ironman:~$ cat /proc/version
Linux version 2.4.17 (root@ironman) (gcc version 2.95.4 20011006 (Debian prerelease)) 
#1 Wed Jan 2 21:55:45 PST 2002
wayne@ironman:~$ ./showrlimit
cur: 256 max: 4294967295

(now I really understand what you meant when you said that my system
would be dead long before it got there ;)

I thought that this may have been coming from somewhere in bash, so I
set up another account using tcsh, but I get the same result.  I also
ran an strace on bash, but I don't see any getrlimit calls in there.

The system is running woody, and most of the init scripts are
untouched.  Interestingly enough, this is what I get on a system that
is running potato with (Adrian?) Bunk's 2.4-series kernel packages:

groucho:~$ cat /proc/version
Linux version 2.4.14 (root@ironman) (gcc version 2.95.4 20011006 (Debian prerelease)) 
#1 Fri Nov 9 10:44:55 PST 2001
groucho:~$ ./showrlimit
cur: 2038 max: 2038

It doesn't seem to be a kernel issue, either, as this is what I get
on another woody system:

harpo:~$ cat /proc/version
Linux version 2.4.14 (root@ironman) (gcc version 2.95.4 20011006 (Debian prerelease)) 
#1 Fri Nov 9 10:44:55 PST 2001
harpo:~$ ./showrlimit
cur: 256 max: 4294967295

The hardware in these last 2 machines is virtually identical, with the
exception of the latter one having a larger hard drive.


If I do a ulimit -n 1024 and then su to another account, RLIMIT_NPROC
is set back to 256.  I'm trying to figure out how to run strace on the
su session, but I can't get it to take the password.

Here's the code that I used to call getrlimit:

#include <stdio.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>

int main(void) 
{
  struct rlimit rlimit_cur;

  /* Report the soft (cur) and hard (max) per-user process limits. */
  if (getrlimit(RLIMIT_NPROC, &rlimit_cur) != 0) {
    perror("getrlimit");
    return 1;
  }
  printf("cur: %lu max: %lu\n", (unsigned long)rlimit_cur.rlim_cur,
         (unsigned long)rlimit_cur.rlim_max);
  return 0;
}


Any thoughts?

Many thanks,

Wayne






Re: maximum number of processes on kernel 2.4.x

2002-03-11 Thread Russell Coker

On Tue, 12 Mar 2002 02:33, Wayne Tucker wrote:
> > I guess that you have some problem related to ulimit...
>
> [snip]
>
> Is the "default" number of processes allowed by ulimit/setrlimit
> determined in the kernel, or is it being set from somewhere in the
> init scripts?  Are resource limits inherited from the parent process,
> and can the default for daemons be changed somewhere in the init
> process so that they can be effective for daemon processes that start
> on bootup?  The system does not have any users other than admins, so
> for our purposes it would be safe for us to have RLIMIT_NPROC set to
> something higher such as 512.

I think that generally ulimit is not set in init scripts.  However some init 
scripts may end up sourcing /etc/profile (this is not a good idea), and 
people often put ulimit commands in /etc/profile...

The kernel definitely doesn't put any significant limits in.

Are you certain that it's a limit on the number of processes?  Or might it be 
some other limit that hits in when you have 256 processes?

Check in /proc/sys/fs and see if the first field in file-nr is near the value 
of file-max.  Also do the same check for inode-max if it exists.





Re: maximum number of processes on kernel 2.4.x

2002-03-11 Thread Wayne Tucker

On Tue, Mar 12, 2002 at 02:03:20AM +0100, Russell Coker wrote:
> On Mon, 11 Mar 2002 22:52, Wayne Tucker wrote:
> > Does anybody know how to change the maximum number of tasks/processes
> > available under the 2.4.x kernels, similar to tuning NR_TASKS and
> > MAX_TASKS_PER_USER in 2.2.x and 2.3.x?  Our mail software sometimes
> > requires a large number of processes, and we cannot ssh into the server
> > once the number of processes belonging to root reaches 256.
> >
> > Thanks for any help that you can provide,
> 
> Below is the relevant section of fork.c in kernel 2.4.18.  Whether having 
> half the system memory being used by non-swappable kernel data structures can 
> be considered "safe" is a matter of opinion.  But I don't think that running 
> out of process table space will be a problem for you (your machine will 
> probably be dead before you get there).
> 
> I guess that you have some problem related to ulimit...
> 
[snip]

Is the "default" number of processes allowed by ulimit/setrlimit
determined in the kernel, or is it being set from somewhere in the
init scripts?  Are resource limits inherited from the parent process,
and can the default for daemons be changed somewhere in the init
process so that they can be effective for daemon processes that start
on bootup?  The system does not have any users other than admins, so
for our purposes it would be safe for us to have RLIMIT_NPROC set to
something higher such as 512.

Many thanks,

Wayne






Re: maximum number of processes on kernel 2.4.x

2002-03-11 Thread Russell Coker

On Mon, 11 Mar 2002 22:52, Wayne Tucker wrote:
> Does anybody know how to change the maximum number of tasks/processes
> available under the 2.4.x kernels, similar to tuning NR_TASKS and
> MAX_TASKS_PER_USER in 2.2.x and 2.3.x?  Our mail software sometimes
> requires a large number of processes, and we cannot ssh into the server
> once the number of processes belonging to root reaches 256.
>
> Thanks for any help that you can provide,

Below is the relevant section of fork.c in kernel 2.4.18.  Whether having 
half the system memory being used by non-swappable kernel data structures can 
be considered "safe" is a matter of opinion.  But I don't think that running 
out of process table space will be a problem for you (your machine will 
probably be dead before you get there).

I guess that you have some problem related to ulimit...

void __init fork_init(unsigned long mempages)
{
	/*
	 * The default maximum number of threads is set to a safe
	 * value: the thread structures can take up at most half
	 * of memory.
	 */
	max_threads = mempages / (THREAD_SIZE/PAGE_SIZE) / 8;

	init_task.rlim[RLIMIT_NPROC].rlim_cur = max_threads/2;
	init_task.rlim[RLIMIT_NPROC].rlim_max = max_threads/2;
}





maximum number of processes on kernel 2.4.x

2002-03-11 Thread Wayne Tucker

Does anybody know how to change the maximum number of tasks/processes
available under the 2.4.x kernels, similar to tuning NR_TASKS and
MAX_TASKS_PER_USER in 2.2.x and 2.3.x?  Our mail software sometimes
requires a large number of processes, and we cannot ssh into the server
once the number of processes belonging to root reaches 256.

Thanks for any help that you can provide,

Wayne

