setrlimit(): Operation not permitted [core/uwsgi.c line 2157] #203

Closed
77cc33 opened this Issue Mar 28, 2013 · 7 comments


77cc33 commented Mar 28, 2013

ubuntu 12.04 lts 64 bit

I have /etc/security/limits.conf set as 135K

www-data hard nofile 133333
www-data soft nofile 133333
root hard nofile 133333
root soft nofile 133333

  • I enabled pam_security module, so when I log in as root or www-data - I have:
    ulimit -n
    133333

but when I start uwsgi, it shows me:
detected max file descriptor number: 1024

I tried to set fd-max, and got this:
setrlimit(): Operation not permitted [core/uwsgi.c line 2157]
detected max file descriptor number: 1024

I start uwsgi as root with help of emperor and later set uid to www-data

is there some workaround to fix it ASAP?

Owner

unbit commented Mar 29, 2013

every application wanting to use pam must explicitly support it. You have to load the "pam" plugin and use --pam or --pam-user (based on your need). The pam plugin is not builtin by default but its only dependencies are the pam development headers.

Owner

unbit commented Mar 29, 2013

in addition to this, remember you can set the max-fd in the emperor, and this limit will be inherited by vassal (without bothering with pam)

77cc33 commented Mar 29, 2013

I tried emperor, and it didn't work. it's my ubuntu upstart init script

# Emperor uWSGI script

description "uWSGI Emperor";
start on runlevel [2345]
stop on runlevel [06]

exec uwsgi \
    --master \
    --die-on-term \
    --emperor /etc/uwsgi \
    --logto /var/log/uwsgi/emperor.log \
    --logdate \
    --auto-procname \
    --no-orphans \
    --need-app \
    --max-fd 30000

and it's what I have in my emperor log
Fri Mar 29 07:48:48 2013 - detected max file descriptor number: 30000

and it's what I have in the application log
setrlimit(): Operation not permitted [core/uwsgi.c line 2157]
detected max file descriptor number: 1024

Owner

unbit commented Mar 29, 2013

you are right, setrlimit is called too late, while it should be called before privileges drop, will be fixed in the next few minutes

Owner

unbit commented Mar 29, 2013

hmm should be managed in another way, as it could be a security problem allowing the user to increase its max-fd before privileges drop. Will leave this open, i will post the solution as soon as possible

Owner

unbit commented Apr 1, 2013

you can try with latest code from github and adding --max-fd to the emperor. The vassals will inherit the limit.

From now on this is the blessed way
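The behaviour discussed in this thread, as an added example (not uWSGI's code): a parent sets RLIMIT_NOFILE before forking, the child inherits it across the privilege drop, and the child's later attempt to raise the hard limit fails with EPERM, which is the error reported above. The names `run_demo`, `vassal` and `vassal_report`, the Linux target and the uid/gid 65534 are assumptions; the parent lowers the limit to a sample value so the demo also runs without root.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

struct vassal_report {
    rlim_t inherited_hard;  /* hard RLIMIT_NOFILE seen after fork + privilege drop */
    int raise_errno;        /* errno from raising it afterwards, 0 if allowed */
};

/* "Vassal": drop root if we have it, read the limit, then try to raise it. */
static void vassal(int out_fd) {
    struct vassal_report rep = {0, 0};
    struct rlimit rl;
    if (geteuid() == 0 && (setgroups(0, NULL) || setgid(65534) || setuid(65534)))
        _exit(2);  /* 65534 ("nobody") is an assumption; stop if the drop fails */
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) _exit(2);
    rep.inherited_hard = rl.rlim_max;
    rl.rlim_cur = rl.rlim_max = rl.rlim_max + 1;
    if (setrlimit(RLIMIT_NOFILE, &rl) != 0) rep.raise_errno = errno;
    _exit(write(out_fd, &rep, sizeof rep) == (ssize_t)sizeof rep ? 0 : 4);
}

/* "Emperor": set the limit first, then fork the vassal. Returns 0 on success. */
int run_demo(rlim_t limit, struct vassal_report *rep) {
    int p[2], st;
    pid_t pid;
    if (pipe(p) != 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {         /* forked so the caller's own limits stay untouched */
        struct rlimit rl = { .rlim_cur = limit, .rlim_max = limit };
        if (setrlimit(RLIMIT_NOFILE, &rl) != 0) _exit(1);
        pid_t v = fork();
        if (v == 0) vassal(p[1]);
        _exit(v > 0 && waitpid(v, &st, 0) == v && WIFEXITED(st) ? WEXITSTATUS(st) : 3);
    }
    close(p[1]);
    int ok = read(p[0], rep, sizeof *rep) == (ssize_t)sizeof *rep;
    close(p[0]);
    waitpid(pid, &st, 0);
    return (ok && WIFEXITED(st) && WEXITSTATUS(st) == 0) ? 0 : -1;
}

int main(void) {
    struct vassal_report r;
    if (run_demo(64, &r) != 0) return 1;
    return printf("inherited=%lu raise_errno=%d\n", (unsigned long)r.inherited_hard, r.raise_errno) < 0;
}
```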

@unbit unbit closed this Apr 9, 2013

77cc33 commented Apr 17, 2013

thank you!

just wanted to approve that it works now!
