Re: Strange problem with RLimitNPROC / Apache 2.2 / FreeBSD


 



Hello,

After further experimentation, I've found out that, on FreeBSD, RLimitNPROC takes into account every httpd process. So it's a big contradiction of the official documentation, and it makes RLimitNPROC absolutely useless.


On 25 May 2011, at 11:18, Patrick Proniewski wrote:

> Hello,
> 
> I'm running an Apache server for about 250 web sites:
> 	FreeBSD 8.2-RELEASE #0, amd64
> 	Apache 2.2.17
> 
> I've set up a few limits to ensure things won't go wild:
> 
>   RLimitCPU 300 600
>   RLimitMEM 10485760 52428800
>   RLimitNPROC 10 50
> 
> <IfModule mpm_prefork_module>
>    StartServers          5
>    MinSpareServers       5
>    MaxSpareServers       10
>    ServerLimit           512
>    MaxClients            512
>    MaxRequestsPerChild   20000
> </IfModule>
> 
> Everything is working ok. 
> 
> I've installed a proprietary CGI (coded in C I guess) and when I try to test it, I read this in my system logs:
> 	kernel: maxproc limit exceeded by uid 80, please see tuning(7) and login.conf(5).
> one line for every GET request on the CGI URL.
> 
> The number of httpd processes is fairly low (around 30-50 at the time of the testing).
> My audit trail (from OpenBSM auditd) shows that the CGI I'm testing is the only process forked by Apache, so no other process is ruining my tests.
> 
> RLimitNPROC is supposed to apply only to processes forked by Apache, not to httpd processes. So my unique CGI process is way under the limit of RLimitNPROC.
> 
> I've used truss and ktrace on the CGI binary, and found out that it forks the uname process. If I disable RLimit's in Apache config, the GET request to the CGI returns some html code and the output of uname command. If I enable RLimit's, the CGI returns only the html part, not the output of uname command.
> 
> So I guess the CGI is not able to fork uname when running with RLimit's enabled. How is it possible that forking uname will go beyond "RLimitNPROC 10 50"?
> 
> Any idea is welcome.
> 
> Patrick PRONIEWSKI
> -- 
> System Administrator - DSI - Université Lumière Lyon 2
> 

Patrick PRONIEWSKI
-- 
System Administrator - DSI - Université Lumière Lyon 2
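
The per-UID accounting that setrlimit(2) documents for RLIMIT_NPROC, modelled on a constructed process table (an added example, not part of the original message and not Apache's code). uid 80 and the soft limit of 10 come from the post; the `ps` rows, the PIDs and the CGI name `vendor.cgi` are made up, and the fork check is a simplified model of the kernel's test.

```python
# Added example: models per-UID RLIMIT_NPROC accounting on a constructed process table.
SOFT_LIMIT = 10   # soft value from "RLimitNPROC 10 50" in the quoted config
APACHE_UID = 80   # uid from the quoted kernel log line

def sample_ps(workers=30):
    """Constructed `ps -axo uid,pid,ppid,comm` output; vendor.cgi is a hypothetical name."""
    rows = ["UID   PID  PPID COMMAND", "  0   900     1 httpd"]  # root-owned parent
    rows += [f" 80 {1000 + i:5d}   900 httpd" for i in range(workers)]  # prefork workers
    rows.append(" 80  2000  1005 vendor.cgi")  # CGI forked by one worker
    return "\n".join(rows)

def parse_ps(text):
    """Return (uid, pid, ppid, comm) tuples, skipping the header and malformed rows."""
    procs = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) == 4 and all(p.isdigit() for p in parts[:3]):
            procs.append((int(parts[0]), int(parts[1]), int(parts[2]), parts[3]))
    return procs

def count_for_uid(procs, uid):
    """Per-UID count: every process owned by the uid, httpd workers included."""
    return sum(1 for p in procs if p[0] == uid)

def count_subtree(procs, root_pid):
    """Per-request count: only the given process and whatever it has forked."""
    children = {}
    for _, pid, ppid, _ in procs:
        children.setdefault(ppid, []).append(pid)
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid not in seen:
            seen.add(pid)
            stack.extend(children.get(pid, []))
    return len(seen)

def fork_allowed(current, soft_limit):
    """Simplified model: a fork is refused once the count has reached the soft limit."""
    return current < soft_limit

if __name__ == "__main__":
    procs = parse_ps(sample_ps())
    per_uid = count_for_uid(procs, APACHE_UID)
    subtree = count_subtree(procs, 2000)
    print(f"uid {APACHE_UID}: {per_uid} processes, fork allowed: {fork_allowed(per_uid, SOFT_LIMIT)}")
    print(f"CGI subtree: {subtree} process(es), fork allowed: {fork_allowed(subtree, SOFT_LIMIT)}")
```

On a live host, feed `parse_ps` the real output of `ps -axo uid,pid,ppid,comm` to compare the two counts against the configured soft limit.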


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.