Make rlimits configurable by adding three variables: RLimitFiles, RLimitProcesses and RLimitStack

[gunnarbeutner]

No description provided.

[lazyfrosch]

We should allow a user to set to values to NULL, and then not set limits at all.

For all 3 limits...

[dnsmichi]

There's still --no-stack-rlimit available to entirely disable the limits.

[lazyfrosch]

No, this disables only setting of a stack limit, and it does not disable setting the limit. It sets the limit to MAX.

if (set_stack_rlimit)

[dnsmichi]

Ah ok. Is there a sensible limit for these three options if the user puts in garbage, or like 10 files?

[lazyfrosch]

I would set the current values as minimal. Everything lower would fail, only setting to 0 or NULL should be valid.

Then it's the users problem.

[dnsmichi]

The patch sets the lower limits already for Linux, and allows the user to override this with their own values in the future. I wouldn't change this behaviour to make it "full user controllable", then the benefit of default values is entirely gone and users might run into issues again.
Keep in mind that init.conf is a configuration file, and we cannot override this for 2.7.

[lazyfrosch]

This issue is in addition to RedHat's kernel fixes an option to set limits in the configuration of Icinga, see #5367

[gunnarbeutner]

The new patch has lower limits for the RLimit* configuration options. Also, users can bypass setrlimit() entirely by setting the RLimit* global variables to 0. I still need to update the documentation though, assuming this is the behavior we want. :)

[lazyfrosch]

LGTM, what would you change/add in docs?

I wouldn't document how to disable now, we could add it when it makes sense to use it later.

[dnsmichi]

The docs should be fairly low level, similar to UseVFork and Concurrency. If you know what you're doing, you can use the options.

I'm currently testing the patch on a CentOS 7 box, will approve soon.

[dnsmichi]

My tests are running fine, I've also taken the chance to again test a RedHat test build for the kernel in a fresh box.

[root@icinga2-dev ~]# uname -a
Linux icinga2-dev 3.10.0-514.21.2.el7.x86_64 #1 SMP Tue Jun 20 12:24:47 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@icinga2-dev ~]# /usr/local/icinga2/sbin/icinga2 variable get RLimitStack
4210688
[root@icinga2-dev ~]# /usr/local/icinga2/sbin/icinga2 daemon -C
information/cli: Icinga application loader (version: v2.6.3-387-g01d29a4; debug)
information/cli: Loading configuration file(s).
information/ConfigItem: Committing config item(s).
warning/ApplyRule: Apply rule 'satellite-host' (in /usr/local/icinga2/etc/icinga2/conf.d/satellite.conf: 29:1-29:41) for type 'Dependency' does not match anywhere!
information/ConfigItem: Instantiated 3 Zones.
information/ConfigItem: Instantiated 1 FileLogger.
information/ConfigItem: Instantiated 1 Endpoint.
information/ConfigItem: Instantiated 2 NotificationCommands.
information/ConfigItem: Instantiated 12 Notifications.
information/ConfigItem: Instantiated 207 CheckCommands.
information/ConfigItem: Instantiated 2 Downtimes.
information/ConfigItem: Instantiated 2 HostGroups.
information/ConfigItem: Instantiated 1 IcingaApplication.
information/ConfigItem: Instantiated 1 Host.
information/ConfigItem: Instantiated 1 UserGroup.
information/ConfigItem: Instantiated 1 User.
information/ConfigItem: Instantiated 3 TimePeriods.
information/ConfigItem: Instantiated 11 Services.
information/ConfigItem: Instantiated 3 ServiceGroups.
information/ConfigItem: Instantiated 1 ScheduledDowntime.
information/ConfigItem: Instantiated 1 CheckerComponent.
information/ConfigItem: Instantiated 1 NotificationComponent.
information/ScriptGlobal: Dumping variables to file '/usr/local/icinga2/var/cache/icinga2/icinga2.vars'
information/cli: Finished validating the configuration file(s).
[root@icinga2-dev ~]# echo $?
0

Fixed kernel and default values

[root@icinga2-dev ~]# uname -a
Linux icinga2-dev 3.10.0-514.el7.CVE7.3.z.x86_64 #1 SMP Wed Jun 21 20:13:13 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@icinga2-dev ~]# /usr/local/icinga2/sbin/icinga2 variable get RLimitStack
262144
[root@icinga2-dev ~]# /usr/local/icinga2/sbin/icinga2 daemon -C
information/cli: Icinga application loader (version: v2.6.3-387-g01d29a4; debug)
information/cli: Loading configuration file(s).
information/ConfigItem: Committing config item(s).
warning/ApplyRule: Apply rule 'satellite-host' (in /usr/local/icinga2/etc/icinga2/conf.d/satellite.conf: 29:1-29:41) for type 'Dependency' does not match anywhere!
information/ConfigItem: Instantiated 3 Zones.
information/ConfigItem: Instantiated 1 FileLogger.
information/ConfigItem: Instantiated 1 Endpoint.
information/ConfigItem: Instantiated 2 NotificationCommands.
information/ConfigItem: Instantiated 12 Notifications.
information/ConfigItem: Instantiated 207 CheckCommands.
information/ConfigItem: Instantiated 2 Downtimes.
information/ConfigItem: Instantiated 2 HostGroups.
information/ConfigItem: Instantiated 1 IcingaApplication.
information/ConfigItem: Instantiated 1 Host.
information/ConfigItem: Instantiated 1 UserGroup.
information/ConfigItem: Instantiated 1 User.
information/ConfigItem: Instantiated 3 TimePeriods.
information/ConfigItem: Instantiated 11 Services.
information/ConfigItem: Instantiated 3 ServiceGroups.
information/ConfigItem: Instantiated 1 ScheduledDowntime.
information/ConfigItem: Instantiated 1 CheckerComponent.
information/ConfigItem: Instantiated 1 NotificationComponent.
information/ScriptGlobal: Dumping variables to file '/usr/local/icinga2/var/cache/icinga2/icinga2.vars'
information/cli: Finished validating the configuration file(s).
[root@icinga2-dev ~]# echo $?
0

Disabling the settings works fine too, no extra test case here.

I've slightly updated the documentation, and will merge soon.

[tclh123]

Hello @dnsmichi @lazyfrosch
Is this condition wrong?
When setrlimit(RLIMIT_STACK, &rl) succeeded, why we call execvp with --no-stack-rlimit next?
I think the else if (set_stack_rlimit) should be deleted.

[IkeEichenberger]

Fails with trying to set limits and you don't have permissions to set limits

[tclh123]

@IkeEichenberger Which part are you trying to answer? the setrlimit may fail - it's ok, when it fails, then we should execvp with --no-stack-rlimit - the original logic it's opposite and wrong.

[IkeEichenberger]

When setrlimit returns permission denied, the logging command sends output that fills variable with the error message, as the code then continues, messing up followon code. Perhaps just change logging, send warning to file? I just committed our all the code with setrlimit to fix it for me quick, but ...

…

On Tue, May 8, 2018, 11:18 PM Harry Lee ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In lib/base/application.cpp <#5373 (comment)>: > - if (!new_argv[1]) { - perror("strdup"); - exit(1); - } + if (setrlimit(RLIMIT_STACK, &rl) < 0) + Log(LogNotice, "Application", "Could not adjust resource limit for stack size (RLIMIT_STACK)"); + else if (set_stack_rlimit) { @IkeEichenberger <https://github.com/IkeEichenberger> Which part are you trying to answer? the setrlimit may fail - it's ok, when it fails, then we should execvp with --no-stack-rlimit - the original logic it's opposite and wrong. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#5373 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AH4t4An4SCMV0L4uZm_HOV1e9dAUuV8sks5twl_vgaJpZM4OB_N9> .

[dnsmichi]

Can you please move the discussion to either a new issue or a new PR? This one has been merged and reverted later on, and won't be tracked any further.