Make rlimits configurable by adding three variables: RLimitFiles, RLimitProcesses and RLimitStack #5373

Merged
merged 1 commit into from Jun 23, 2017

@gunnarbeutner
Member

gunnarbeutner commented Jun 22, 2017

No description provided.

Member

lazyfrosch commented Jun 22, 2017

This issue is in addition to RedHat's kernel fixes an option to set limits in the configuration of Icinga, see #5367

Member

gunnarbeutner commented Jun 22, 2017

The new patch has lower limits for the RLimit* configuration options. Also, users can bypass setrlimit() entirely by setting the RLimit* global variables to 0. I still need to update the documentation though, assuming this is the behavior we want. :)
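The behaviour described in this comment, as an added example that is not the patch's or Icinga 2's own code: a configured value of 0 skips setrlimit() entirely, and a non-zero value is raised to a minimum and clamped to the hard limit before the call. The names `plan_rlimit`, `apply_rlimit`, `RlimitAction` and the minimum values are assumptions, as is reading "lower limits" as a floor for the configured value.

```cpp
// Added illustration, not Icinga 2 source; names and minimum values are assumptions.
#include <sys/resource.h>
#include <cerrno>
#include <cstdio>
#include <cstring>

enum RlimitAction { RL_SKIP, RL_SET, RL_FAILED };

// Pure decision step. configured == 0 means "leave the limit alone". Otherwise
// values below `minimum` are raised to it, and the soft limit is clamped to the
// hard limit, because an unprivileged process cannot exceed rlim_max (EPERM).
RlimitAction plan_rlimit(rlim_t configured, rlim_t minimum,
                         const struct rlimit& current, struct rlimit* wanted)
{
	if (configured == 0)
		return RL_SKIP;
	rlim_t value = configured < minimum ? minimum : configured;
	*wanted = current;
	if (current.rlim_max != RLIM_INFINITY && value > current.rlim_max)
		value = current.rlim_max;
	wanted->rlim_cur = value;
	return RL_SET;
}

// Reads the current limit, applies the plan, and reports errno on failure so that
// a permission problem can be told apart from an invalid value.
RlimitAction apply_rlimit(int resource, const char* name, rlim_t configured, rlim_t minimum)
{
	struct rlimit current, wanted;
	if (getrlimit(resource, &current) < 0) {
		std::fprintf(stderr, "getrlimit(%s): %s\n", name, std::strerror(errno));
		return RL_FAILED;
	}
	if (plan_rlimit(configured, minimum, current, &wanted) == RL_SKIP)
		return RL_SKIP;
	if (setrlimit(resource, &wanted) < 0) {
		std::fprintf(stderr, "setrlimit(%s): %s\n", name, std::strerror(errno));
		return RL_FAILED;
	}
	return RL_SET;
}

int main()
{
	apply_rlimit(RLIMIT_NOFILE, "RLIMIT_NOFILE", 16384, 1024); // constructed values
	apply_rlimit(RLIMIT_STACK, "RLIMIT_STACK", 0, 0);          // 0: setrlimit() is never called
	return 0;
}
```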

Member

lazyfrosch commented Jun 22, 2017

LGTM, what would you change/add in docs?

I wouldn't document how to disable now, we could add it when it makes sense to use it later.

Member

dnsmichi commented Jun 22, 2017

The docs should be fairly low level, similar to UseVFork and Concurrency. If you know what you're doing, you can use the options.

I'm currently testing the patch on a CentOS 7 box, will approve soon.

Member

dnsmichi commented Jun 23, 2017

My tests are running fine, I've also taken the chance to again test a RedHat test build for the kernel in a fresh box.

[root@icinga2-dev ~]# uname -a
Linux icinga2-dev 3.10.0-514.21.2.el7.x86_64 #1 SMP Tue Jun 20 12:24:47 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@icinga2-dev ~]# /usr/local/icinga2/sbin/icinga2 variable get RLimitStack
4210688
[root@icinga2-dev ~]# /usr/local/icinga2/sbin/icinga2 daemon -C
information/cli: Icinga application loader (version: v2.6.3-387-g01d29a4; debug)
information/cli: Loading configuration file(s).
information/ConfigItem: Committing config item(s).
warning/ApplyRule: Apply rule 'satellite-host' (in /usr/local/icinga2/etc/icinga2/conf.d/satellite.conf: 29:1-29:41) for type 'Dependency' does not match anywhere!
information/ConfigItem: Instantiated 3 Zones.
information/ConfigItem: Instantiated 1 FileLogger.
information/ConfigItem: Instantiated 1 Endpoint.
information/ConfigItem: Instantiated 2 NotificationCommands.
information/ConfigItem: Instantiated 12 Notifications.
information/ConfigItem: Instantiated 207 CheckCommands.
information/ConfigItem: Instantiated 2 Downtimes.
information/ConfigItem: Instantiated 2 HostGroups.
information/ConfigItem: Instantiated 1 IcingaApplication.
information/ConfigItem: Instantiated 1 Host.
information/ConfigItem: Instantiated 1 UserGroup.
information/ConfigItem: Instantiated 1 User.
information/ConfigItem: Instantiated 3 TimePeriods.
information/ConfigItem: Instantiated 11 Services.
information/ConfigItem: Instantiated 3 ServiceGroups.
information/ConfigItem: Instantiated 1 ScheduledDowntime.
information/ConfigItem: Instantiated 1 CheckerComponent.
information/ConfigItem: Instantiated 1 NotificationComponent.
information/ScriptGlobal: Dumping variables to file '/usr/local/icinga2/var/cache/icinga2/icinga2.vars'
information/cli: Finished validating the configuration file(s).
[root@icinga2-dev ~]# echo $?
0

Fixed kernel and default values

[root@icinga2-dev ~]# uname -a
Linux icinga2-dev 3.10.0-514.el7.CVE7.3.z.x86_64 #1 SMP Wed Jun 21 20:13:13 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@icinga2-dev ~]# /usr/local/icinga2/sbin/icinga2 variable get RLimitStack
262144
[root@icinga2-dev ~]# /usr/local/icinga2/sbin/icinga2 daemon -C
information/cli: Icinga application loader (version: v2.6.3-387-g01d29a4; debug)
information/cli: Loading configuration file(s).
information/ConfigItem: Committing config item(s).
warning/ApplyRule: Apply rule 'satellite-host' (in /usr/local/icinga2/etc/icinga2/conf.d/satellite.conf: 29:1-29:41) for type 'Dependency' does not match anywhere!
information/ConfigItem: Instantiated 3 Zones.
information/ConfigItem: Instantiated 1 FileLogger.
information/ConfigItem: Instantiated 1 Endpoint.
information/ConfigItem: Instantiated 2 NotificationCommands.
information/ConfigItem: Instantiated 12 Notifications.
information/ConfigItem: Instantiated 207 CheckCommands.
information/ConfigItem: Instantiated 2 Downtimes.
information/ConfigItem: Instantiated 2 HostGroups.
information/ConfigItem: Instantiated 1 IcingaApplication.
information/ConfigItem: Instantiated 1 Host.
information/ConfigItem: Instantiated 1 UserGroup.
information/ConfigItem: Instantiated 1 User.
information/ConfigItem: Instantiated 3 TimePeriods.
information/ConfigItem: Instantiated 11 Services.
information/ConfigItem: Instantiated 3 ServiceGroups.
information/ConfigItem: Instantiated 1 ScheduledDowntime.
information/ConfigItem: Instantiated 1 CheckerComponent.
information/ConfigItem: Instantiated 1 NotificationComponent.
information/ScriptGlobal: Dumping variables to file '/usr/local/icinga2/var/cache/icinga2/icinga2.vars'
information/cli: Finished validating the configuration file(s).
[root@icinga2-dev ~]# echo $?
0

Disabling the settings works fine too, no extra test case here.

I've slightly updated the documentation, and will merge soon.

@dnsmichi dnsmichi merged commit 0e423df into master Jun 23, 2017

2 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed

@lazyfrosch lazyfrosch deleted the feature/rlimit-options branch Jun 23, 2017

}
if (setrlimit(RLIMIT_STACK, &rl) < 0)
Log(LogNotice, "Application", "Could not adjust resource limit for stack size (RLIMIT_STACK)");
else if (set_stack_rlimit) {
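Review bot: the failure branch of setrlimit(RLIMIT_STACK, &rl) logs a fixed message at LogNotice and drops errno, so a process that lacks permission to change the limit cannot be told apart from one that passed an invalid value; include the errno text in the message. The `else if (set_stack_rlimit) {` branch is entered only after setrlimit() has succeeded, and nothing in these lines says why the success path needs further handling; a short comment above the branch stating the intent would settle that.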

@tclh123

tclh123 Feb 11, 2018

Contributor

Hello @dnsmichi @lazyfrosch
Is this condition wrong?
When setrlimit(RLIMIT_STACK, &rl) succeeded, why do we call execvp with --no-stack-rlimit next?
I think the else if (set_stack_rlimit) should be deleted.

@IkeEichenberger

IkeEichenberger May 8, 2018

Fails when trying to set limits and you don't have permissions to set limits

@tclh123

tclh123 May 9, 2018

Contributor

@IkeEichenberger Which part are you trying to answer? The setrlimit may fail, and that's OK; when it fails, we should execvp with --no-stack-rlimit. The original logic is the opposite and wrong.

IkeEichenberger commented May 9, 2018

Member

dnsmichi commented May 9, 2018

Can you please move the discussion to either a new issue or a new PR? This one has been merged and reverted later on, and won't be tracked any further.
