Re: [PATCH 06/45] KEYS: Make the keyring quotas controllable through /proc/sys [ver #35]

David Howells wrote:
Make the keyring quotas controllable through /proc/sys files:

 (*) /proc/sys/kernel/keys/root_maxkeys
     /proc/sys/kernel/keys/root_maxbytes

     Maximum number of keys that root may have and the maximum total number of
     bytes of data that root may have stored in those keys.

 (*) /proc/sys/kernel/keys/maxkeys
     /proc/sys/kernel/keys/maxbytes

     Maximum number of keys that each non-root user may have and the maximum
     total number of bytes of data that each of those users may have stored in
     their keys.

Also increase the quotas as a number of people have been complaining that it's
not big enough.  I'm not sure that it's big enough now either, but on the
other hand, it can now be set in /etc/sysctl.conf.


Hello David,

you're our hero! ;-)

We just hit this wall while migrating from RHEL 3 to RHEL 5 with some of our webservers.

[root@lvr11 ~]# cat /proc/key-users
    0:    99 98/98 96/100 1681/10000
   32:     2 2/2 2/100 56/10000
   38:     2 2/2 2/100 56/10000
   43:     2 2/2 2/100 56/10000
   51:     2 2/2 2/100 56/10000
   68:     2 2/2 2/100 56/10000
   81:     2 2/2 2/100 56/10000
   99:     2 2/2 2/100 56/10000
  348:     2 2/2 2/100 58/10000
42216:     2 2/2 2/100 62/10000
55188:     3 3/3 3/100 72/10000
56537:     2 2/2 2/100 62/10000
63743:     2 2/2 2/100 62/10000
68054:     2 2/2 2/100 62/10000

....


We're using OpenAFS on our systems and most of our webpages are stored in AFS. We have a lot of small projects for which a separate server would be a waste of 'metal'. Even in a virtual environment. So we're hosting a lot of apache instances on a single machine. Because suexec doesn't work in an AFS environment, each instance is started by root with its own IP (to be able to talk HTTPS) and in a PAG with a separate token for a service user (to isolate the projects). Although each apache switches over to the service user, the initial tokens are acquired by root.

On RHEL 3 with the old 2.4 kernel this was never a problem. But now...

Btw.: We have some machines with about a hundred (!) different projects which need tokens.


Best regards,

Berthold Cogel

--
Dr. Berthold Cogel                             University of Cologne
E-Mail: cogel@xxxxxxxxxxxx                     ZAIK-US (RRZK)
Tel.:   +49(0)221/470-7873                     Robert-Koch-Str. 10
FAX:    +49(0)221/478-85845                    D-50931 Cologne - Germany
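
The /proc/key-users listing in the message above can be checked mechanically for accounts approaching their keyring quota. The following is an added example, not part of the original message or of the patch; it assumes the documented column layout `uid: usage nkeys/nikeys qnkeys/maxkeys qnbytes/maxbytes`, and the function names, the 90% threshold and the last sample line (uid 4242) are constructed for illustration.

```python
import re
from collections import namedtuple

# Sample input: the first three lines are taken from the listing in the
# message above; the uid 4242 line is constructed for this example.
SAMPLE = """\
    0:    99 98/98 96/100 1681/10000
   32:     2 2/2 2/100 56/10000
55188:     3 3/3 3/100 72/10000
 4242:     5 5/5 5/100 9300/10000
"""

KeyUser = namedtuple(
    "KeyUser", "uid usage nkeys nikeys qnkeys maxkeys qnbytes maxbytes")

LINE = re.compile(
    r"^\s*(\d+):\s+(\d+)\s+(\d+)/(\d+)\s+(\d+)/(\d+)\s+(\d+)/(\d+)\s*$")

def parse_key_users(text):
    """Parse /proc/key-users text, skipping lines that do not match."""
    users = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            users.append(KeyUser(*map(int, m.groups())))
    return users

def near_quota(users, threshold=0.9):
    """Return (uid, resource, used, limit) for quotas at or above threshold."""
    hits = []
    for u in users:
        for name, used, limit in (("keys", u.qnkeys, u.maxkeys),
                                  ("bytes", u.qnbytes, u.maxbytes)):
            if limit > 0 and used / limit >= threshold:
                hits.append((u.uid, name, used, limit))
    return hits

if __name__ == "__main__":
    try:
        with open("/proc/key-users") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE  # fall back to the sample where /proc is unavailable
    for uid, name, used, limit in near_quota(parse_key_users(text)):
        print(f"uid {uid}: {used}/{limit} {name} ({used / limit:.0%} of quota)")
```

On the listing above this flags uid 0 at 96 of 100 keys, which is the limit the root_maxkeys file named in the quoted patch description controls.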