  1. Commons Daemon
  2. DAEMON-192

Make jsvc enforce /etc/security/limits.conf, or add a parameter for setting limits

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.0.6
    • Component/s: Jsvc
    • Labels:
      None
    • Environment:

      Linux, maybe all Unixes

      Description

      When launched with the -user parameter, jsvc downgrades the user via the setuid() system call, but the operating system limits (max number of open files, for example) remain the same.
      This is not convenient for running daemons (like Tomcat) which very often need a customization of such limits.

        Activity

        mturk@apache.org Mladen Turk added a comment -

        This is not a portable solution.
        Think we could add a special -rlimit configuration with a param that would set the soft/hard limit for
        the -user.
        E.g. -rlimit [S|H]n=1000 -rlimit T=unlimited
        where 'n' stands for open file descriptors and 'T' for maximum number of threads,
        using the bash ulimit params.

        resolir Roberto Resoli added a comment -

        I agree. In the meantime, I found that setting limits is only a matter of running ulimit (in order to set the max number of open files, for example: "ulimit -n <max number of open files>") just before launching jsvc.
        The limits are retained even when the jsvc running user is downgraded.

        mturk@apache.org Mladen Turk added a comment -

        Hmm, since it's hardly likely that jsvc will be invoked outside the shell, think that setting ulimit directly will
        be a much better solution than playing with setrlimit system calls within jsvc.
        Giving a notice and an example in the documentation would be much better than
        breaking compatibility by introducing a new cmdline option.

        Think I'll resolve this case by updating the documentation and a couple of example scripts.

        resolir Roberto Resoli added a comment -

        I definitely agree! Examples would be really useful, since many hints on the web about this subject suggest that setting ulimits is only a matter of modifying /etc/security/limits.conf.
        Unfortunately this is absolutely not true, since that configuration file is enforced only at login time.

        mturk@apache.org Mladen Turk added a comment -

        Resolving with the updated Tomcat7.sh in the samples directory.
        It has an example of how to set the maximum fd's before
        running the daemon.
        One can use and customize the given recipe.

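
The approach the thread settles on (set the limit in the launching shell instead of relying on /etc/security/limits.conf), written out as an added example; it is not the project's Tomcat7.sh or any code from this issue. The jsvc path, account, pid file, classpath, class name and MAX_FD value are placeholder assumptions.

```shell
#!/bin/sh
# Added example: the launcher sets RLIMIT_NOFILE before starting jsvc, because
# /etc/security/limits.conf is only applied at login, while rlimits are
# inherited across fork/exec and kept when jsvc drops to the -user account.
# Assumptions (placeholders, not from the issue): every default value below.
JSVC=${JSVC:-/usr/bin/jsvc}
RUN_AS=${RUN_AS:-tomcat}
PIDFILE=${PIDFILE:-/var/run/example-daemon.pid}
DAEMON_CP=${DAEMON_CP:-/opt/example/daemon.jar}
MAIN_CLASS=${MAIN_CLASS:-com.example.ExampleDaemon}
MAX_FD=${MAX_FD:-8192}

# Set the open-file limit of the current shell. Call it directly, never inside
# $(...): a limit set in a subshell is lost when the subshell exits.
set_nofile_limit() {
    want=$1
    case $want in
        ''|*[!0-9]*) echo "invalid limit: $want" >&2; return 2 ;;
    esac
    hard=$(ulimit -Hn)
    if [ "$hard" != unlimited ] && [ "$want" -gt "$hard" ]; then
        # Raising the hard limit requires privilege; fail loudly rather than
        # start the daemon with a smaller limit than the operator asked for.
        ulimit -Hn "$want" 2>/dev/null || {
            echo "cannot raise hard limit from $hard to $want" >&2
            return 1
        }
    fi
    ulimit -Sn "$want"
}

# Soft limit as seen by a freshly exec'd child process.
child_nofile() { sh -c 'ulimit -Sn'; }

# Soft limit of a running process, read from /proc (Linux only).
proc_nofile() { awk '/^Max open files/ { print $4 }' "/proc/$1/limits"; }

start_daemon() {
    set_nofile_limit "$MAX_FD" || exit 1
    exec "$JSVC" -user "$RUN_AS" -pidfile "$PIDFILE" -cp "$DAEMON_CP" "$MAIN_CLASS"
}

case ${1:-} in
    start) start_daemon ;;
esac
```

After the daemon is up, `proc_nofile "$(cat "$PIDFILE")"` shows the limit the running process actually has, which is the value to check when a limits.conf change appears to have had no effect.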

          People

          • Assignee:
            Unassigned
            Reporter:
            resolir Roberto Resoli