Re: lug-bg: Memory limit
- Subject: Re: lug-bg: Memory limit
- From: gf@xxxxxxxxxxx (Georgi Chorbadzhiyski)
- Date: Wed, 19 Feb 2003 07:30:43 +0200
Georgi Chorbadzhiyski wrote:
> bugtraq wrote:
>> I would like to ask for a way to impose a total memory limit on a given
>> process (in this case a daemon) under Linux. limits.conf and ulimit do not
>> do the job, because the limits take effect after the user logs in, but not
>> when the process is started as root and drops its privileges. I tried
>> starting the daemon with DJB's softlimit, but that is still not a solution:
>> the limits are for max memory per process and not for the total memory
>> that can be used by the parent process. In general, a fork() and malloc()
>> bomb can hang the server. In FreeBSD, for example, this problem is solved
>> elegantly: in /etc/login.conf you set a vmemoryuse limit on the daemon
>> login class, and that applies to everything started from rc. Again as an
>> example, if with softlimit we set a limit of 150 processes with a maximum
>> of 10MB of memory and start apache that way (a normal limit for apache with
>> mod_perl & mod_php), it is easy to write something like this, which can be
>> executed through the web and hang the server:
>>
>> while (1)
>> {
>> fork();
>> malloc(512);
>> }
>>
>> If anyone can share their experience, I would be grateful. 10x
>
> http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.12
> http://www.dfdtech.net/linux/security/userlimits/
>
> ===
> Resource Limits
> Linux enforces various kinds of resource limits that might interfere with the
> operation of your PostgreSQL server. Of importance are especially the limits on
> the number of processes per user, the number of open files per process, and the
> amount of memory available to a process. Each of these have a "hard" and a
> "soft" limit. The soft limit is what actually counts but it can be changed by
> the user up to the hard limit. The hard limit can only be changed by the root
> user. The system call setrlimit is responsible for setting these parameters.
> The shell's built-in command ulimit (Bourne shells) or limit (csh) is used to
> control the resource limits from the command line.
> ===
>
> ===
> There are some limitations with the current implementation of user resource
> limits. The largest is that you can only apply resource limits per session.
> There is no way at the moment to place a quota on the number of resources a
> certain user may use globally on the system.
>
> At the moment, there is also no way to limit what is called from crontab
> (and possibly the same problem exists for at as well). Crontab enables a
> user to launch a program at a specific time. There is no way to apply
> resource limits to these launched programs in crontab's present form.
>
> CGI scripts also pose a problem. I mentioned before that even if you
> disallow shell access but still allow users to run CGI scripts, there
> is the same risk involved that a user could use too many system resources.
> The best way to limit this is to run all cgi scripts through a program called
> cgiwrap (http://cgiwrap.unixtools.org/). You should specifically compile
> cgiwrap with the --with-rlimit- settings to impose resource limits on all
> CGI scripts. There does not appear to be a way to impose different limits
> on different user's CGI scripts, however. The configuration of cgiwrap
> is beyond the scope of this document, but it is highly recommended that
> you look into using it.
> ===
>
>
I hate replying to myself, but I forgot one important link.
http://www.tldp.org/HOWTO/mini/Process-Accounting/
I have left the whole quote in place for easier searching in the archive.
--
Georgi Chorbadzhiyski
http://georgi.unixsol.org/
============================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
============================================================================
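
The setrlimit behaviour discussed in the message above, as an added example that is not part of the original thread: a launcher caps RLIMIT_AS before the point where it would drop root, a forked worker confirms the cap is inherited and enforced, and a helper shows why per-process caps do not amount to a total. The function names and the 64 MiB test value are constructed for illustration; the 150 processes and 10 MB come from the quoted question. It assumes Linux with glibc.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* soft == hard, so the daemon cannot raise the cap after dropping root */
static int cap(int resource, rlim_t value) {
    struct rlimit rl = { .rlim_cur = value, .rlim_max = value };
    return setrlimit(resource, &rl);
}

static void *try_map(size_t len) {   /* what a large malloc() does underneath */
    return mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
}

/* Runs in the forked worker: 0 = cap inherited and enforced, 1..3 = failed check */
static int worker_check(rlim_t as_bytes) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_AS, &rl) != 0 || rl.rlim_cur != as_bytes || rl.rlim_max != as_bytes)
        return 1;                                       /* not inherited across fork() */
    if (try_map(2 * as_bytes) != MAP_FAILED) return 2;  /* oversized request allowed */
    return try_map(1 << 20) == MAP_FAILED ? 3 : 0;      /* small request must still work */
}

/* The launcher runs in a throwaway child so the caller's limits stay untouched.
 * Returns the worker's verdict; -1 or a value >= 100 means setup failed. */
int limits_inherited(rlim_t as_bytes) {
    int st;
    pid_t launcher = fork();
    if (launcher < 0) return -1;
    if (launcher == 0) {
        if (cap(RLIMIT_AS, as_bytes) != 0) _exit(100);
        /* a real launcher would setgid()/setuid() and exec the daemon here */
        pid_t worker = fork();
        if (worker < 0) _exit(101);
        if (worker == 0) _exit(worker_check(as_bytes));
        if (waitpid(worker, &st, 0) < 0 || !WIFEXITED(st)) _exit(102);
        _exit(WEXITSTATUS(st));
    }
    if (waitpid(launcher, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

/* The caps do not add up to a total: every process gets its own ceiling. */
unsigned long long worst_case_bytes(rlim_t as_bytes, rlim_t nproc) {
    return (unsigned long long)as_bytes * nproc;
}

int main(void) {
    printf("verdict=%d\n", limits_inherited((rlim_t)64 << 20));
    printf("150 procs x 10 MiB => up to %llu MiB\n", worst_case_bytes((rlim_t)10 << 20, 150) >> 20);
    return 0;
}
```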