Re: lug-bg: Memory limit
- Subject: Re: lug-bg: Memory limit
- From: gf@xxxxxxxxxxx (Georgi Chorbadzhiyski)
- Date: Tue, 18 Feb 2003 04:36:23 +0200
bugtraq wrote:
> I want to ask about a way to impose a total memory limit on a given
> process (in this case a daemon) under Linux. limits.conf and ulimit don't
> do the job because the limits take effect after the user logs in, but not
> when the process is started as root and then drops its privileges. I tried
> starting the daemon with DJB's softlimit, but that is not a solution
> either: its limits are for max memory per process, not for the total
> memory that can be used by the parent process. In short, a fork() and
> malloc() bomb can bring the server down. In FreeBSD, for example, this
> problem is solved elegantly: in /etc/login.conf you set a vmemoryuse limit
> on the daemon login class, and it applies to everything started from rc.
> Again as an example, if with softlimit we set a limit of 150 processes with
> a maximum of 10MB of memory and start apache that way (a normal limit for
> apache with mod_perl & mod_php), one can easily write something like the
> following, which can be run via the web and bring the server down:
>
> while (1)
> {
> fork();
> malloc(512);
> }
>
> If anyone can share their experience I'd be grateful. 10x
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.12
http://www.dfdtech.net/linux/security/userlimits/
===
Resource Limits
Linux enforces various kinds of resource limits that might interfere with the
operation of your PostgreSQL server. Of importance are especially the limits on
the number of processes per user, the number of open files per process, and the
amount of memory available to a process. Each of these has a "hard" and a
"soft" limit. The soft limit is what actually counts but it can be changed by
the user up to the hard limit. The hard limit can only be changed by the root
user. The system call setrlimit is responsible for setting these parameters.
The shell's built-in command ulimit (Bourne shells) or limit (csh) is used to
control the resource limits from the command line.
===
===
There are some limitations with the current implementation of user resource
limits. The largest is that you can only apply resource limits per session.
There is no way at the moment to place a quota on the number of resources a
certain user may use globally on the system.
At the moment, there is also no way to limit what is called from crontab
(and possibly the same problem exists for at as well). Crontab enables a
user to launch a program at a specific time. There is no way to apply
resource limits to these launched programs in crontab's present form.
CGI scripts also pose a problem. I mentioned before that even if you
disallow shell access but still allow users to run CGI scripts, there
is the same risk involved that a user could use too many system resources.
The best way to limit this is to run all CGI scripts through a program called
cgiwrap (http://cgiwrap.unixtools.org/). You should specifically compile
cgiwrap with the --with-rlimit- settings to impose resource limits on all
CGI scripts. There does not appear to be a way to impose different limits
on different users' CGI scripts, however. The configuration of cgiwrap
is beyond the scope of this document, but it is highly recommended that
you look into using it.
===
--
Georgi Chorbadzhiyski
http://georgi.unixsol.org/
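The excerpts above describe session-based limits; the setrlimit call they mention is also the way to limit a daemon that is started from rc and never goes through a login. Below is an added example, not code from the list or from Georgi, of a launcher that applies RLIMIT_AS and RLIMIT_NPROC in the child before it would exec the daemon and drop privileges. The 256 MiB and 150-process values and the function names are assumptions chosen for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/wait.h>

#define AS_LIMIT_BYTES (256UL * 1024 * 1024)  /* assumed: 256 MiB address space per process */
#define NPROC_LIMIT    150                    /* assumed: 150 processes for the daemon's UID */
/* Set soft = hard = value, clamped to the current hard limit (an unprivileged launcher
 * may only lower it). With hard == soft the daemon cannot raise it after dropping root. */
static int cap_resource(int resource, rlim_t value)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0) return -1;
    if (rl.rlim_max != RLIM_INFINITY && value > rl.rlim_max) value = rl.rlim_max;
    rl.rlim_cur = rl.rlim_max = value;
    return setrlimit(resource, &rl);
}

/* Call in the child after fork() and before exec()ing the daemon. RLIMIT_AS bounds each
 * process; RLIMIT_NPROC counts processes of the real UID, so it bites once the daemon
 * switches to its unprivileged user. Total is bounded by NPROC_LIMIT * AS_LIMIT_BYTES. */
int apply_daemon_limits(void)
{
    if (cap_resource(RLIMIT_AS, AS_LIMIT_BYTES) != 0) return -1;
    return cap_resource(RLIMIT_NPROC, NPROC_LIMIT);
}

/* Self-check in a forked child so the caller's limits stay untouched. Returns 1 when the
 * child sees the process cap and a malloc() of twice the address-space cap is refused. */
int limits_demo(void)
{
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {
        struct rlimit np;
        if (apply_daemon_limits() != 0) _exit(2);
        if (getrlimit(RLIMIT_NPROC, &np) != 0 || np.rlim_max > NPROC_LIMIT) _exit(3);
        void *p = malloc(2 * AS_LIMIT_BYTES);  /* must fail under RLIMIT_AS */
        _exit(p == NULL ? 0 : 4);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    return printf("limits in child: %s\n", limits_demo() ? "enforced" : "NOT enforced") < 0;
}
```

Note that the kernel does not apply RLIMIT_NPROC to root, so the process cap only takes hold once the daemon has switched to its service user.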
============================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
============================================================================