Date: Thu, 10 Sep 2015 15:02:46 -0700
Subject: Re: svn commit: r287606 - head/sys/kern
From: Adrian Chadd
To: John-Mark Gurney
Cc: Eric van Gyzen, Warner Losh, Ed Maste, "src-committers@freebsd.org", "svn-src-all@freebsd.org", "svn-src-head@freebsd.org"

I'd love for rc.subr to grow the ability to set per-daemon cpuset, class, environment, etc. We have some of that in the rc script already.

What I have so far for local hacking is this, which at least gets the default login class bits and runs things as user daemon. Yes, there are issues with inheriting the environment and other things from the callee - I think that's a separate issue to solve.

Thanks,

-a

adrian@hulk:~/work/freebsd/head/src % svn diff etc
Index: etc/login.conf =================================================================== --- etc/login.conf (revision 28758) +++ etc/login.conf (working copy) @@ -36,7 +36,8 @@ :memoryuse=unlimited:\ :filesize=unlimited:\ :coredumpsize=unlimited:\ - :openfiles=unlimited:\ + :openfiles-cur=4096:\ + :openfiles-max=65536:\ :maxproc=unlimited:\ :sbsize=unlimited:\ :vmemoryuse=unlimited:\ @@ -61,6 +62,8 @@ :tc=default: daemon:\ :memorylocked=128M:\ + :openfiles-cur=32768:\ + :openfiles-max=65536:\ :tc=default: news:\ :tc=default: Index: etc/rc.subr =================================================================== --- etc/rc.subr (revision 287580) +++ etc/rc.subr (working copy) @@ -768,6 +768,8 @@ # # ${name}_prepend n Command added before ${command}. # +# ${name}_login_class n Login class to use, else "daemon". +# # ${rc_arg}_cmd n If set, use this as the method when invoked; # Otherwise, use default command (see below) # 
@@ -942,8 +944,13 @@ _nice=\$${name}_nice _user=\$${name}_user \ _group=\$${name}_group _groups=\$${name}_groups \ _fib=\$${name}_fib _env=\$${name}_env \ - _prepend=\$${name}_prepend + _prepend=\$${name}_prepend _login_class=\$${name}_login_class + # Default to 'daemon' if no login class is provided + if [ -n "$_login_class" ]; then + _login_class="daemon" + fi + if [ -n "$_user" ]; then # unset $_user if running as that user if [ "$_user" = "$(eval $IDCMD)" ]; then unset _user 
@@ -1050,6 +1057,9 @@ fi fi + # Prepend default limits + _doit="limits -C $_login_class $_doit" + # run the full command # if ! _run_rc_doit "$_doit"; then

On 10 September 2015 at 14:14, John-Mark Gurney wrote:
> Eric van Gyzen wrote this message on Thu, Sep 10, 2015 at 14:56 -0500:
>> On 09/10/2015 12:53, John-Mark Gurney wrote:
>> > Adrian Chadd wrote this message on Thu, Sep 10, 2015 at 09:18 -0700:
>> >> On 10 September 2015 at 09:04, Warner Losh wrote:
>> >>>
>> >>>
>> >>> On Thu, Sep 10, 2015 at 9:53 AM, Ed Maste wrote:
>> >>>>
>> >>>> On 10 September 2015 at 04:05, Adrian Chadd wrote:
>> >>>>> Author: adrian
>> >>>>> Date: Thu Sep 10 04:05:58 2015
>> >>>>> New Revision: 287606
>> >>>>> URL: https://svnweb.freebsd.org/changeset/base/287606
>> >>>>>
>> >>>>> Log:
>> >>>>> Also make kern.maxfilesperproc a boot time tunable.
>> >>>>> ...
>> >>>>> TODO:
>> >>>>
>> >>>> Also "we" should
>> >>>> * Submit patches upstream or to the ports tree to use closefrom
>> >>>
>> >>>
>> >>> I thought the consensus was that we'd fix things to have fewer FDs
>> >>> by default, but instead allow individual processes to raise it via the
>> >>> usual methods.
>>
>> We could--and should--do both, because they're both good ideas.
>>
>> >> I'm looking at how to do this in a somewhat sensible fashion. Right
>> >> now we just have openfiles=unlimited; in /etc/login.conf which seems a
>> >> little odd. I don't know yet if that affects the default set that
>> >> services started via /etc/rc get - init gets the whole default
>> >> maxfilesperproc and stuff seems to inherit from that unless told
>> >> otherwise.
>> >>
>> >> I think the more sensible default would be:
>> >>
>> >> * set /etc/login.conf to some much lower values - say, 4k soft, 64k hard;
>> >> * root can always override its settings up to kern.maxfilesperproc;
>> >> * modify /etc/rc to set some default rlimits as appropriate;
>> >
>> > We should probably just use the daemon class from login.conf... Do we
>> > have a program that will set the current limits to a specified class?
>>
>> See limits(1). The apache rc.d script uses it, along with some related
>> rc.conf variables.
>
> So, one issue w/ limits is that it only does the limits side of
> things, not environment or cpusets... see:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=161401
>
> limits doesn't address PATH and other environment variables...
>
> We should have rc.subr setup the environment completely when executing
> the daemon/scripts instead of depending upon any of this..
>
> It turns out that init doesn't setup the environment vars provided by
> login.config either...
>
>> >> * introduce configuration options ({daemon_rlimit_XXX}?) in
>> >> /etc/rc.conf that lets someone override what the default rlimits
>> >> should be for a given process,, as (and I'm not making this up) if you
>> >> run 'service XXX restart' from a root login you get the rlimits from
>> >> the shell, which may differ from the system startup.
>> >
>> > Why not daemon_login_class w/ the above?
>> >
>> >> That way we can setup various services to have higher openfile limits
>> >> via /etc/rc.conf entries for those services rather than having to hack
>> >> each startup script. It also means that no matter what is running
>> >> 'service XXX YYY' as root, you'll get the 'correct'(er) rlimits.
>> >
>> > Then service would just use the above program to get sane defaults...
>
> --
> John-Mark Gurney Voice: +1 415 225 5579
>
> "All that I will do, has been done, All that I have, has not."
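
Review bot: In the etc/login.conf hunk at @@ -61,6 +62,8 @@, the added `:openfiles-max=65536:\` in the daemon class repeats the value set in the @@ -36,7 +36,8 @@ hunk. If that earlier hunk is the default class, daemon already inherits it through the `:tc=default:` line that follows, so only `:openfiles-cur=32768:\` needs to be listed here; either drop the max line or add a comment saying it is pinned deliberately.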
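
Review bot: The new comment line in the etc/rc.subr hunk at @@ -768,6 +768,8 @@ says `Login class to use, else "daemon"` but not what the class is used for. Since the last hunk applies it with `limits -C`, the description should say that only the class's resource limits are applied to the command, which matters given the point raised in this thread that limits does not handle environment or cpusets.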
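
Review bot: The default test in the etc/rc.subr hunk at @@ -942,8 +944,13 @@ is inverted: `[ -n "$_login_class" ]` is true when a class was configured, so a configured ${name}_login_class is overwritten with "daemon" and an unset one stays empty. Use `[ -z "$_login_class" ]` so the code matches its own comment, "Default to 'daemon' if no login class is provided".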
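
Review bot: In the etc/rc.subr hunk at @@ -1050,6 +1057,9 @@, `limits -C $_login_class` is prepended unconditionally and with the variable unquoted, so if $_login_class is empty at this point the first word of $_doit is consumed as the class name and the service command is mangled. Guard the prepend with a non-empty check on $_login_class, and extend the "Prepend default limits" comment to say that this now changes the limits of every service started through this path, not only those that set ${name}_login_class.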