- 03-13-2003 #21Linux Engineer
- Join Date
- Jan 2003
- Location
- Lebanon, pa
- Posts
- 994
On Gentoo, there is a /etc/security/limits.conf that can limit resources to any user on the box. I am sure Red Hat has the same since it's a part of PAM.
- 03-13-2003 #22Linux Engineer
- Join Date
- Jan 2003
- Location
- Lebanon, pa
- Posts
- 994
Those are the limits I use but if this were say a shell server I would have more restrictive memory limits.
Code:
blingbling genlee $ ulimit -aS
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
file size (blocks, -f) unlimited
max locked memory (kbytes, -l) unlimited
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 2047
virtual memory (kbytes, -v) unlimited
- 03-13-2003 #23Just Joined!
- Join Date
- Mar 2003
- Posts
- 12
Again to this topic, please:
a) How about users without a shell? Can they also be limited?
b) How about programs which switch user rights and then execute a "fork-bomb"? Will they also be limited? With the rights of the "new" user?
- 03-13-2003 #24Linux Engineer
- Join Date
- Jan 2003
- Location
- Lebanon, pa
- Posts
- 994
Any user with or without a shell can have their resources limited. If they exist in /etc/passwd, you can limit anything to them. If you switch to another uid, you will be limited by the new uid you just switched to.
- 03-13-2003 #25Linux Guru
- Join Date
- Oct 2001
- Location
- Täby, Sweden
- Posts
- 7,578
Limits are inherited from the parent process when it forks, and are (of course) carried over execs. They can only be decreased further by a normal user; only the superuser is able to increase limits. If a program is suid root, it will of course be able to change its limits, but those programs usually don't do that (since that would be stupid). And, yes, RedHat does have /etc/security/limits.conf. Like genlee said, it would be strange otherwise since it's part of PAM. At least now you know that the path is the same in both distros. I don't know how to limit daemons like apache and mysql, though, since they don't go through the PAM chain. The easiest is probably to embed their startup in a shell script that calls ulimit before execing the daemon itself.
Anyway, to get back to the original problem:
I know that it's strange with the console not responding. Normally I would take that as an indication that the system was hung completely. That is effectively contradicted by the fact that the DNS daemon responds, though. Just try the program and see what fails and what does not. That's probably the easiest way to find out.
It's too bad about it taking so long, though. However, since I don't even know why it crashes, I can't write a program which makes it crash prematurely. If I could do that, I would just fix it directly, right? =)
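Added example, not part of the posts above: the wrapper approach suggested in post #25 for daemons that do not go through the PAM chain, written as a shell function that lowers limits in a subshell and then execs the daemon. The function name run_limited, its flag=value argument format and the daemon path in the comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example: start a daemon with lowered resource limits.
# run_limited "<flag>=<value> ..." command [args...]
#   <flag> is a single ulimit option letter as printed by `ulimit -a`
#   (n = open files, c = core size; bash uses u for max user processes).
# Hypothetical use in an init script (the daemon path is a placeholder):
#   run_limited "n=256 u=64" /usr/sbin/exampled --foreground

run_limited() {
    if [ $# -lt 2 ]; then
        echo "usage: run_limited \"flag=value ...\" command [args...]" >&2
        return 2
    fi
    limits=$1
    shift
    (
        for pair in $limits; do
            flag=${pair%%=*}
            value=${pair#*=}
            case $flag in
                [a-z]) ;;
                *) echo "run_limited: bad limit '$pair'" >&2; exit 2 ;;
            esac
            case $value in
                unlimited) ;;
                ''|*[!0-9]*) echo "run_limited: bad value '$pair'" >&2; exit 2 ;;
            esac
            # Without -S or -H, ulimit sets the soft and the hard limit, so a
            # process running as a normal user cannot raise it again.
            ulimit "-$flag" "$value" || exit 2
        done
        # exec replaces the subshell, so the daemon inherits the lowered
        # limits; the calling shell's own limits are left unchanged.
        exec "$@"
    )
}
```

A daemon that starts as root can still raise these limits until it switches to an unprivileged uid; after that they are fixed for it and for everything it forks.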
- 03-13-2003 #26Just Joined!
- Join Date
- Mar 2003
- Posts
- 12
And is there any way to see if these limits are reached? I mean, would it be possible to get a syslog-entry if a certain user allocated more than let's say 1000 PIDs or so? This way it would be possible to track down some problems in that area which are maybe caused by scripts running amok.
- 03-13-2003 #27Linux Guru
- Join Date
- Oct 2001
- Location
- Täby, Sweden
- Posts
- 7,578
Many daemons will report errors about being unable to fork to the syslog. However, the kernel doesn't report anything normally. If you want it to, you'll have to add a printk yourself. The code is in kernel/fork.c in your kernel tree. The function is called do_fork, and in it, just search for rlim[RLIMIT_PROC]. In my kernel version (2.4.20), it is on line 612. As you can see if you look at it, you can just add a printk before the goto that takes control out of the function. Useful stuff to print would be current->pid and current->user->uid.
Did you know, by the way, that amok is really an Indonesian word? It's about the same as running berserk, and was also originally used for warriors.


