
Manage user process limits

Open rpawlik opened this issue 10 years ago • 4 comments

On all of our hypervisors, the file /etc/security/limits.d/90-nproc.conf has been created/modified to resolve the issues in the referenced ticket.

Question - has this change been pushed to a cookbook in upstream? If not, I'm requesting this be done. We want to ensure all issues are handled via cookbooks. This prevents manual fixes from being missed in future deployments.

From referenced ticket: We resolved this issue by applying the recommended fix of adding file /etc/security/limits.d/80-nproc.conf with the following:

[root@sffe08srv11 limits.d]# pwd
/etc/security/limits.d
[root@sffe08srv11 limits.d]# cat 90-nproc.conf
# Default limit for number of user's processes to prevent
# accidental fork bombs.
# See rhbz #432903 for reasoning.

*          soft    nproc     1024
root       soft    nproc     unlimited

We have not experienced this issue since then.

rpawlik avatar Mar 05 '14 02:03 rpawlik

"# See rhbz #432903 for reasoning."

Please put the reasoning, issues, etc. in this issue, so the next person months from now doesn't have to go on a spelunking safari expedition, only to close it with "not enough information". Fork bombs of what? What user? What process? Why?

claco avatar Mar 05 '14 04:03 claco

@claco https://bugzilla.redhat.com/show_bug.cgi?id=432903

@rpawlik What issue caused this remediation step?

breu avatar Mar 05 '14 04:03 breu

https://rax.io/10516

rpawlik avatar Mar 05 '14 04:03 rpawlik

Since the world doesn't have access to core I'll sanitize the ticket. Customer ran into the following in libvirtd.log

pthread_create failed: Resource temporarily unavailable

Some qemu-kvm processes were getting created with a limit of 1024 processes. Setting a ulimit rule for nproc solved this. Another solution may be to look at max_processes in qemu.conf which is targeted at solving this exact problem.

from https://bugzilla.redhat.com/show_bug.cgi?id=1000319

# If max_processes is set to a positive integer, libvirt will use
# it to set the maximum number of processes that can be run by qemu
# user. This can be used to override default value set by host OS.
# The same applies to max_files which sets the limit on the maximum
# number of opened files.

So setting max_processes to some large positive integer can possibly define nproc ulimit for all kvm/qemu generated processes.

Another option may be to just set a nproc setting. Need to make sure this translates across both operating systems.

breu avatar Mar 05 '14 04:03 breu
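A check that both the 90-nproc.conf wildcard limit quoted in the opening post and breu's note about qemu processes being created under a 1024-process limit would benefit from, added here as an example that is not the cookbook's or any commenter's code: it parses limits.conf-format content and resolves the effective nproc limit per user the way pam_limits does (explicit user entry over @group entry over the `*` wildcard, neither group nor wildcard applying to root, later lines winning within a class). The qemu line and the user names in the sample are constructed.

```ruby
# Added example: resolve the effective per-user nproc limit from limits.d-style
# content so an operator can see what qemu/kvm processes actually inherit.
Entry = Struct.new(:domain, :type, :item, :value)

# Parse limits.conf-format text; comments, blank and malformed lines are skipped.
def parse_limits(text)
  text.each_line.filter_map do |line|
    line = line.sub(/#.*/, '').strip
    next if line.empty?
    domain, type, item, value = line.split
    next unless domain && type && item && value
    numeric = %w[unlimited infinity].include?(value) ? Float::INFINITY : Integer(value)
    Entry.new(domain, type, item, numeric)
  end
end

# Effective limit of `item` ("nproc", "nofile", ...) and `type` ("soft"/"hard")
# for `user` who belongs to `groups`. Returns nil when no entry applies.
def effective_limit(entries, user, groups, item, type)
  best_rank, best = 0, nil
  entries.each do |e|
    next unless e.item == item && (e.type == type || e.type == '-')
    rank = if e.domain == user then 3
           elsif e.domain.start_with?('@') && user != 'root' && groups.include?(e.domain[1..]) then 2
           elsif e.domain == '*' && user != 'root' then 1
           else 0
           end
    next if rank.zero?
    # Within the same class the later line wins (limits.d files are read in order).
    best_rank, best = rank, e.value if rank >= best_rank
  end
  best
end

# Constructed sample: the 90-nproc.conf from the issue plus a hypothetical
# per-user override a cookbook might drop in for the qemu user.
SAMPLE_LIMITS = <<~CONF
  # Default limit for number of user's processes to prevent
  # accidental fork bombs.
  *          soft    nproc     1024
  root       soft    nproc     unlimited
  qemu       soft    nproc     65536
CONF

# Soft nproc that each (constructed) hypervisor user would get.
def nproc_report(text = SAMPLE_LIMITS)
  entries = parse_limits(text)
  %w[nova qemu root].to_h { |u| [u, effective_limit(entries, u, [], 'nproc', 'soft')] }
end

puts nproc_report.inspect if $PROGRAM_NAME == __FILE__
```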