AppSuite:ResourceLimits/sandbox

From Open-Xchange
Revision as of 17:39, 10 January 2017 by Marens

Configuration of Resource Limits

Overview

Several ways exist to restrict resources on a Linux system, from a global level down to users/groups or even shells and the processes started by them.

Sysctl

Sysctl is used to modify kernel parameters at runtime, e.g. to set the maximum number of files:

 $ sysctl -w fs.file-max=100000

To set them permanently, append them to the main configuration file and reload the settings:

 $ echo fs.file-max=100000 >> /etc/sysctl.conf
 $ sysctl -p

More information can be found via man sysctl.

Limits.conf

Allows restricting resources on a global, group or user level, e.g.:

  $ cat /etc/security/limits.d/90-nproc.conf 
  # Default limit for number of user's processes to prevent
  # accidental fork bombs.
  # See rhbz #432903 for reasoning.
  
  *          soft    nproc     1024

From man limits.conf:

Also, please note that all limit settings are set per login. They are not global, nor are they permanent; existing only for the duration of the session.

The limits per login are applied via the PAM stack. See man pam and man pam_limits for more details. As those limits are bound to sessions, they don't affect most daemons started by our supported init systems or init utils. Most of these state that the limits are ignored by design; see upstart, systemd and start-stop-daemon.

Ulimit

From man bash:

ulimit [-HSTabcdefilmnpqrstuvx [limit]] Provides control over the resources available to the shell and to processes started by it, on systems that allow such control.

This is what we use in our System V compatible init scripts to increase resources for the open-xchange process across multiple distros. Currently only the maximum number of processes and the maximum number of open file descriptors available to a single user are increased via ulimit. The values are specified in /opt/open-xchange/ox-scriptconf.sh


Open-Xchange middleware on specific distros

Support for the mentioned mechanisms of resource control differs depending on the distribution and the init system in use.

Debian 7

Init: System V style
OX Configurable Limits/Defaults: nofile, nproc

The mentioned limits can be configured via /opt/open-xchange/etc/ox-scriptconf.sh. The limits are applied via ulimit in the service's init script. The open-xchange service is finally started via start-stop-daemon, which doesn't consider /etc/security/limits.*

RHEL 6 / CentOS 6

Init: Upstart, System V compatible
OX Configurable Limits/Defaults: nofile, nproc

The mentioned limits can be configured via /opt/open-xchange/etc/ox-scriptconf.sh. The limits are applied via ulimit in the service's init script. Furthermore, because the open-xchange service is finally started via su ... open-xchange on this distro, a user session is opened via su/PAM, and the default CentOS PAM config reads the /etc/security/limits.* configuration by loading the PAM stack like this:

/etc/pam.d/su
-> /etc/pam.d/system-auth
-> pam_limits.so

If NPROC isn't configured for the open-xchange-server, it's restricted to 1024 globally by default to prevent accidental fork bombs (see /etc/security/limits.d/90-nproc.conf), which can result in severe problems for modern multithreaded applications.

RHEL 7 / CentOS 7 / Debian 8 / SLE 12

Init: Systemd
OX Configurable Limits/Defaults: nofile, nproc

For systemd, the default limits are configured directly in the service's unit file that is shipped by OX and located at /usr/lib/systemd/system/open-xchange.service. The drop-in config to override or extend the default unit file is located at /etc/systemd/system/open-xchange.service.d/limits.conf. Systemd.exec documents many more options that admins can use to adapt the default service to their specific needs.

Verify limits

System V

 $ read pid < /var/run/open-xchange.pid
 $ cat /proc/$pid/limits
 Limit                     Soft Limit           Hard Limit           Units
 Max cpu time              unlimited            unlimited            seconds
 Max file size             unlimited            unlimited            bytes
 Max data size             unlimited            unlimited            bytes
 Max stack size            8388608              unlimited            bytes
 Max core file size        0                    unlimited            bytes
 Max resident set          unlimited            unlimited            bytes
 Max processes             65536                65536                processes
 Max open files            65536                65536                files
 Max locked memory         65536                65536                bytes
 Max address space         unlimited            unlimited            bytes
 Max file locks            unlimited            unlimited            locks
 Max pending signals       24254                24254                signals
 Max msgqueue size         819200               819200               bytes
 Max nice priority         0                    0
 Max realtime priority     0                    0
 Max realtime timeout      unlimited            unlimited            us

Systemd

 $ systemctl show open-xchange | grep Limit
 StartLimitInterval=10000000
 StartLimitBurst=5
 StartLimitAction=none
 MemoryLimit=18446744073709551615
 LimitCPU=18446744073709551615
 LimitFSIZE=18446744073709551615
 LimitDATA=18446744073709551615
 LimitSTACK=18446744073709551615
 LimitCORE=18446744073709551615
 LimitRSS=18446744073709551615
 LimitNOFILE=65536
 LimitAS=18446744073709551615
 LimitNPROC=65536
 LimitMEMLOCK=65536
 LimitLOCKS=18446744073709551615
 LimitSIGPENDING=19827
 LimitMSGQUEUE=819200
 LimitNICE=0
 LimitRTPRIO=0
 LimitRTTIME=18446744073709551615