From 457927f4210a0c41289521d55617b6d6bb6a46e0 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Feb 17 2012 19:27:32 +0000 Subject: RESPONDERS: Make the fd_limit setting configurable This code will now attempt first to see if it has privilege to set the value as specified, and if not it will fall back to the previous behavior. So on systems with the CAP_SYS_RESOURCE capability granted to SSSD, it will be able to ignore the limits.conf hard limit. https://fedorahosted.org/sssd/ticket/1197 --- diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py index a545800..0ff5a6c 100644 --- a/src/config/SSSDConfig.py +++ b/src/config/SSSDConfig.py @@ -43,6 +43,7 @@ option_strings = { 'timeout' : _('Ping timeout before restarting service'), 'command' : _('Command to start service'), 'reconnection_retries' : _('Number of times to attempt connection to Data Providers'), + 'fd_limit' : _('The number of file descriptors that may be opened by this responder'), # [sssd] 'services' : _('SSSD Services to start'), diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index a64a736..7e024ca 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -272,7 +272,8 @@ class SSSDConfigTestSSSDService(unittest.TestCase): 'debug_microseconds', 'debug_to_files', 'command', - 'reconnection_retries'] + 'reconnection_retries', + 'fd_limit'] self.assertTrue(type(options) == dict, "Options should be a dictionary") diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf index 9343463..155b8ef 100644 --- a/src/config/etc/sssd.api.conf +++ b/src/config/etc/sssd.api.conf @@ -9,6 +9,7 @@ debug_microseconds = bool, None, false debug_to_files = bool, None, false command = str, None, false reconnection_retries = int, None, false +fd_limit = int, None, false [sssd] # Monitor service diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index abebf84..63e396a 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -267,6 +267,23 @@ + fd_limit + + + This option specifies the maximum number of file + descriptors that may be opened at one time by this + SSSD process. On systems where SSSD is granted the + CAP_SYS_RESOURCE capability, this will be an + absolute setting. On systems without this + capability, the resulting value will be the lower + value of this or the limits.conf "hard" limit. + + + Default: 8192 (or limits.conf "hard" limit) + + + + command (string) diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c index 94a9fdb..a9b5d56 100644 --- a/src/responder/common/responder_common.c +++ b/src/responder/common/responder_common.c @@ -654,7 +654,24 @@ void responder_set_fd_limit(rlim_t fd_limit) struct rlimit current_limit, new_limit; int limret; - /* First determine the maximum hard limit */ + /* First, let's see if we have permission to just set + * the value as-is. + */ + new_limit.rlim_cur = fd_limit; + new_limit.rlim_max = fd_limit; + limret = setrlimit(RLIMIT_NOFILE, &new_limit); + if (limret == 0) { + DEBUG(SSSDBG_CONF_SETTINGS, + ("Maximum file descriptors set to [%d]\n", + new_limit.rlim_cur)); + return; + } + + /* We couldn't set the soft and hard limits to this + * value. Let's see how high we CAN set it. + */ + + /* Determine the maximum hard limit */ limret = getrlimit(RLIMIT_NOFILE, ¤t_limit); if (limret == 0) { DEBUG(SSSDBG_TRACE_INTERNAL, diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c index 3c23f1b..ef66b22 100644 --- a/src/responder/nss/nsssrv.c +++ b/src/responder/nss/nsssrv.c @@ -251,6 +251,7 @@ int nss_process_init(TALLOC_CTX *mem_ctx, struct nss_ctx *nctx; int ret, max_retries; int hret; + int fd_limit; nctx = talloc_zero(mem_ctx, struct nss_ctx); if (!nctx) { @@ -309,7 +310,17 @@ int nss_process_init(TALLOC_CTX *mem_ctx, } /* Set up file descriptor limits */ - responder_set_fd_limit(DEFAULT_NSS_FD_LIMIT); + ret = confdb_get_int(nctx->rctx->cdb, nctx->rctx, + CONFDB_NSS_CONF_ENTRY, + CONFDB_SERVICE_FD_LIMIT, + DEFAULT_NSS_FD_LIMIT, + &fd_limit); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + ("Failed to set up file descriptor limit\n")); + return ret; + } + responder_set_fd_limit(fd_limit); DEBUG(1, ("NSS Initialization complete\n")); diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c index 2786fe4..6cb564a 100644 --- a/src/responder/pam/pamsrv.c +++ b/src/responder/pam/pamsrv.c @@ -111,6 +111,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx, struct pam_ctx *pctx; int ret, max_retries; int id_timeout; + int fd_limit; pctx = talloc_zero(mem_ctx, struct pam_ctx); if (!pctx) { @@ -186,7 +187,17 @@ static int pam_process_init(TALLOC_CTX *mem_ctx, } /* Set up file descriptor limits */ - responder_set_fd_limit(DEFAULT_PAM_FD_LIMIT); + ret = confdb_get_int(pctx->rctx->cdb, pctx->rctx, + CONFDB_PAM_CONF_ENTRY, + CONFDB_SERVICE_FD_LIMIT, + DEFAULT_PAM_FD_LIMIT, + &fd_limit); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + ("Failed to set up file descriptor limit\n")); + return ret; + } + responder_set_fd_limit(fd_limit); ret = EOK;