kern/157554: Apache RLimitNPROC does not work as intended because Kernel counts process differently

Patrick Proniewski patpro at patpro.net
Fri Jun 3 09:10:10 UTC 2011


>Number:         157554
>Category:       kern
>Synopsis:       Apache RLimitNPROC does not work as intended because Kernel counts process differently
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jun 03 09:10:09 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Patrick Proniewski
>Release:        8.2-RELEASE
>Organization:
>Environment:
FreeBSD hostname 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011     root at mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64

>Description:
Apache directive RLimitNPROC allows for process limiting. According to documentation (http://httpd.apache.org/docs/current/mod/core.html#rlimitnproc ), it's supposed to limit the number of processes forked by Apache children: "This applies to processes forked off from Apache children servicing requests, not the Apache children themselves".

On FreeBSD, Apache children are taken into account by the kernel when enforcing RLimitNPROC. So, for example, it's impossible to run a single CGI that forks the uname command if RLimitNPROC is set to 10 and if you have 9 or more httpd processes.

It yields error logs in messages:

kernel: maxproc limit exceeded by uid 80, please see tuning(7) and login.conf(5).

And it renders the whole concept of RLimitNPROC useless (for Apache).
>How-To-Repeat:
- install Apache 2.2 on FreeBSD 8.2
- set up Apache with the following values:
     StartServers 5
     RLimitNPROC 5
- create a simple CGI script that queries a system command (uname, ls...)
- make a GET request to that CGI
>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
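
An added example, not part of the original report: a shell check that estimates how many forks remain for a CGI under the per-uid accounting described above. It assumes a fork is refused once the uid's process count would exceed the limit; the sample ps output, the httpd.conf lines, the user name www and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: output of `ps -ax -o user= -o pid= -o comm=` on a host
# set up as in the report (StartServers 5), while one CGI is running.
SAMPLE_PS='root   901 httpd
www    910 httpd
www    911 httpd
www    912 httpd
www    913 httpd
www    914 httpd
www    930 test.cgi
root   400 sshd'

# Constructed sample: the relevant httpd.conf lines.
SAMPLE_CONF='StartServers 5
# RLimitNPROC 50
RLimitNPROC 5'

# Print the soft RLimitNPROC value (first argument of the last uncommented
# directive in config text $1), or "unset" if the directive is absent.
rlimit_nproc() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "rlimitnproc" { v = $2 }
        END { print (v == "" ? "unset" : v) }'
}

# Count the processes owned by user $2 in ps output $1.
procs_owned_by() {
    printf '%s\n' "$1" | awk -v u="$2" '$1 == u { n++ } END { print n + 0 }'
}

# Forks left for user $3: the limit minus every process that uid already
# owns, httpd children included. Zero or less means the next fork is refused.
nproc_headroom() {
    limit=$(rlimit_nproc "$1")
    case $limit in
        ''|*[!0-9]*) echo "$limit"; return 0 ;;   # "unset" or "max"
    esac
    owned=$(procs_owned_by "$2" "$3")
    echo $(( $limit - $owned ))
}

echo "fork headroom for www: $(nproc_headroom "$SAMPLE_CONF" "$SAMPLE_PS" www)"
```

On a live host, pass the real ps output and configuration text in place of the constructed samples.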

