Posted to users@httpd.apache.org by Patrick Proniewski <pa...@univ-lyon2.fr> on 2011/05/25 11:18:32 UTC

[users@httpd] Strange problem with RLimitNPROC / Apache 2.2 / FreeBSD

Hello,

I'm running an Apache server for about 250 web sites:
	FreeBSD 8.2-RELEASE #0, amd64
	Apache 2.2.17

I've set up a few limits to ensure things won't go wild:

   RLimitCPU 300 600
   RLimitMEM 10485760 52428800
   RLimitNPROC 10 50

<IfModule mpm_prefork_module>
    StartServers          5
    MinSpareServers       5
    MaxSpareServers       10
    ServerLimit           512
    MaxClients            512
    MaxRequestsPerChild   20000
</IfModule>

Everything is working ok. 

I've installed a proprietary CGI (coded in C I guess) and when I try to test it, I read this in my system logs:
	kernel: maxproc limit exceeded by uid 80, please see tuning(7) and login.conf(5).
one line for every GET request on the CGI URL.

The number of httpd processes is fairly low (around 30-50 at the time of the testing).
My audit trail (from OpenBSM auditd) shows that the CGI I'm testing is the only process forked by Apache, so no other process is ruining my tests.

RLimitNPROC is supposed to apply only to processes forked by Apache, not to httpd processes. So my unique CGI process is way under the limit of RLimitNPROC.

I've used truss and ktrace on the CGI binary, and found out that it forks the uname process. If I disable RLimit's in Apache config, the GET request to the CGI returns some HTML code and the output of the uname command. If I enable RLimit's, the CGI returns only the HTML part, not the output of the uname command.

So I guess the CGI is not able to fork uname when running with RLimit's enabled. How is it possible that forking uname will go beyond "RLimitNPROC 10 50"?

Any idea is welcome.

Patrick PRONIEWSKI
-- 
System Administrator - DSI - Université Lumière Lyon 2


Re: [users@httpd] Strange problem with RLimitNPROC / Apache 2.2 / FreeBSD

Posted by Patrick Proniewski <pa...@univ-lyon2.fr>.
Hello,

After further experimentation, I've found out that, on FreeBSD, RLimitNPROC takes into account every httpd process. So it's a big contradiction of the official documentation, and it makes RLimitNPROC absolutely useless.


Patrick PRONIEWSKI
-- 
System Administrator - DSI - Université Lumière Lyon 2
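
The behaviour reported in this thread follows from RLIMIT_NPROC being counted per user ID rather than per parent process. The sketch below is an added example, not code from the posts or from Apache: it models that accounting over `ps`-style input, where the function names, the `vendor.cgi` name and the count of 35 workers are constructed for illustration, and "refused" is a simplified model of the kernel check (fork fails once the uid already owns at least the soft limit).

```shell
#!/bin/sh
# Added example: model of per-UID RLIMIT_NPROC accounting.

# Constructed sample standing in for `ps -axo uid,comm` on the web server:
# 2 root processes, then 35 httpd workers and 1 CGI, all running as uid 80.
sample_ps() {
    echo "UID COMMAND"
    echo "0 init"
    echo "0 httpd"
    i=0
    while [ "$i" -lt 35 ]; do
        echo "80 httpd"
        i=$((i + 1))
    done
    echo "80 vendor.cgi"
}

# count_uid UID
# Count the processes owned by UID in ps-style input read from stdin.
count_uid() {
    awk -v uid="$1" 'NR > 1 && $1 == uid { n++ } END { print n + 0 }'
}

# fork_verdict UID SOFT
# Reads ps-style input on stdin and reports whether a process of UID that
# runs with an RLIMIT_NPROC soft limit of SOFT could still fork.
fork_verdict() {
    owned=$(count_uid "$1")
    if [ "$owned" -ge "$2" ]; then
        echo "refused uid=$1 owned=$owned soft=$2"
    else
        echo "allowed uid=$1 owned=$owned soft=$2"
    fi
}

# On a live FreeBSD host: ps -axo uid,comm | fork_verdict 80 10
sample_ps | fork_verdict 80 10     # soft limit from "RLimitNPROC 10 50"
sample_ps | fork_verdict 80 512    # a soft limit above the worker count
```

When CGI programs run under a different user ID than the httpd workers (for example through suEXEC), the same count covers only that user's processes.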

