Date: Thu, 10 Sep 2015 15:11:39 -0700
Subject: Re: svn commit: r287606 - head/sys/kern
From: Adrian Chadd
To: John-Mark Gurney
Cc: Eric van Gyzen, Warner Losh, Ed Maste, "src-committers@freebsd.org", "svn-src-all@freebsd.org", "svn-src-head@freebsd.org"

Hi,

Fixed a couple of bugs, and:

https://reviews.freebsd.org/D3630

-adrian

On 10 September 2015 at 15:02, Adrian Chadd wrote:
> I'd love for rc.subr to grow the ability to set per-daemon cpuset,
> class, environment, etc. We have some of that in the rc script
> already.
>
> What I have so far for local hacking is this, which at least gets the
> default login class bits and runs things as user daemon.
> Yes, there are issues with inheriting the environment and other things
> from the callee - I think that's a separate issue to solve.
>
> Thanks,
>
>
> -a
>
> adrian@hulk:~/work/freebsd/head/src % svn diff etc
>
> Index: etc/login.conf > =================================================================== > --- etc/login.conf (revision 28758) > +++ etc/login.conf (working copy) > @@ -36,7 +36,8 @@ > :memoryuse=unlimited:\ > :filesize=unlimited:\ > :coredumpsize=unlimited:\ > - :openfiles=unlimited:\ > + :openfiles-cur=4096:\ > + :openfiles-max=65536:\ > :maxproc=unlimited:\ > :sbsize=unlimited:\ > :vmemoryuse=unlimited:\ > @@ -61,6 +62,8 @@ > :tc=default: > daemon:\ > :memorylocked=128M:\ > + :openfiles-cur=32768:\ > + :openfiles-max=65536:\ > :tc=default: > news:\ > :tc=default: > Index: etc/rc.subr > =================================================================== > --- etc/rc.subr (revision 287580) > +++ etc/rc.subr (working copy) 
> @@ -768,6 +768,8 @@ > # > # ${name}_prepend n Command added before ${command}. > # > +# ${name}_login_class n Login class to use, else "daemon". > +# > # ${rc_arg}_cmd n If set, use this as the method when invoked; > # Otherwise, use default command (see below) > # > > @@ -942,8 +944,13 @@ > _nice=\$${name}_nice _user=\$${name}_user \ > _group=\$${name}_group _groups=\$${name}_groups \ > _fib=\$${name}_fib _env=\$${name}_env \ > - _prepend=\$${name}_prepend > + _prepend=\$${name}_prepend _login_class=\$${name}_login_class > > + # Default to 'daemon' if no login class is provided > + if [ -n "$_login_class" ]; then > + _login_class="daemon" > + fi > + > if [ -n "$_user" ]; then # unset $_user if running as that user > if [ "$_user" = "$(eval $IDCMD)" ]; then > unset _user 
> @@ -1050,6 +1057,9 @@ > fi > fi > > + # Prepend default limits > + _doit="limits -C $_login_class $_doit" > + > # run the full command > # > if ! _run_rc_doit "$_doit"; then
>
> On 10 September 2015 at 14:14, John-Mark Gurney wrote:
>> Eric van Gyzen wrote this message on Thu, Sep 10, 2015 at 14:56 -0500:
>>> On 09/10/2015 12:53, John-Mark Gurney wrote:
>>> > Adrian Chadd wrote this message on Thu, Sep 10, 2015 at 09:18 -0700:
>>> >> On 10 September 2015 at 09:04, Warner Losh wrote:
>>> >>>
>>> >>>
>>> >>> On Thu, Sep 10, 2015 at 9:53 AM, Ed Maste wrote:
>>> >>>>
>>> >>>> On 10 September 2015 at 04:05, Adrian Chadd wrote:
>>> >>>>> Author: adrian
>>> >>>>> Date: Thu Sep 10 04:05:58 2015
>>> >>>>> New Revision: 287606
>>> >>>>> URL: https://svnweb.freebsd.org/changeset/base/287606
>>> >>>>>
>>> >>>>> Log:
>>> >>>>> Also make kern.maxfilesperproc a boot time tunable.
>>> >>>>> ...
>>> >>>>> TODO:
>>> >>>>
>>> >>>> Also "we" should
>>> >>>> * Submit patches upstream or to the ports tree to use closefrom
>>> >>>
>>> >>>
>>> >>> I thought the consensus was that we'd fix things to have fewer FDs
>>> >>> by default, but instead allow individual processes to raise it via the
>>> >>> usual methods.
>>>
>>> We could--and should--do both, because they're both good ideas.
>>>
>>> >> I'm looking at how to do this in a somewhat sensible fashion. Right
>>> >> now we just have openfiles=unlimited; in /etc/login.conf which seems a
>>> >> little odd. I don't know yet if that affects the default set that
>>> >> services started via /etc/rc get - init gets the whole default
>>> >> maxfilesperproc and stuff seems to inherit from that unless told
>>> >> otherwise.
>>> >>
>>> >> I think the more sensible default would be:
>>> >>
>>> >> * set /etc/login.conf to some much lower values - say, 4k soft, 64k hard;
>>> >> * root can always override its settings up to kern.maxfilesperproc;
>>> >> * modify /etc/rc to set some default rlimits as appropriate;
>>> >
>>> > We should probably just use the daemon class from login.conf... Do we
>>> > have a program that will set the current limits to a specified class?
>>>
>>> See limits(1). The apache rc.d script uses it, along with some related
>>> rc.conf variables.
>>
>> So, one issue w/ limits is that it only does the limits side of
>> things, not environment or cpusets... see:
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=161401
>>
>> limits doesn't address PATH and other environment variables...
>>
>> We should have rc.subr setup the environment completely when executing
>> the daemon/scripts instead of depending upon any of this..
>>
>> It turns out that init doesn't setup the environment vars provided by
>> login.config either...
>>
>>> >> * introduce configuration options ({daemon_rlimit_XXX}?) in
>>> >> /etc/rc.conf that lets someone override what the default rlimits
>>> >> should be for a given process, as (and I'm not making this up) if you
>>> >> run 'service XXX restart' from a root login you get the rlimits from
>>> >> the shell, which may differ from the system startup.
>>> >
>>> > Why not daemon_login_class w/ the above?
>>> >
>>> >> That way we can setup various services to have higher openfile limits
>>> >> via /etc/rc.conf entries for those services rather than having to hack
>>> >> each startup script. It also means that no matter what is running
>>> >> 'service XXX YYY' as root, you'll get the 'correct'(er) rlimits.
>>> >
>>> > Then service would just use the above program to get sane defaults...
>>
>> --
>> John-Mark Gurney Voice: +1 415 225 5579
>>
>> "All that I will do, has been done, All that I have, has not."
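
Review bot: In the etc/login.conf hunk at @@ -61,6 +62,8 @@, the added openfiles-max=65536 line in the daemon class repeats the value that the default class gains in the previous hunk and that daemon already inherits through tc=default; only openfiles-cur=32768 actually differs. Drop the openfiles-max line, or set it to a different value if daemon is meant to have its own hard ceiling.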
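
Review bot: In the etc/rc.subr hunk at @@ -942,8 +944,13 @@, the test [ -n "$_login_class" ] is inverted: it replaces a login class that was configured with "daemon" and leaves an unset one empty, the opposite of the comment directly above it and of the ${name}_login_class documentation line added in the previous hunk. Use [ -z "$_login_class" ] so that only the unset case receives the default.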
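
Review bot: In the etc/rc.subr hunk at @@ -1050,6 +1057,9 @@, $_login_class is expanded unquoted and unchecked into the "limits -C" prefix, so whenever it is empty (which the -n test in the earlier hunk produces for every service that does not set ${name}_login_class) limits receives the first word of $_doit as the class name instead of as the command to run. Prepend only after checking that $_login_class is non-empty, or fix the default first so the variable can never be empty here.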
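
The inheritance problem raised in the thread (a daemon restarted from a root login gets that shell's rlimits rather than the boot-time ones) and the effect of pinning limits in a wrapper, as an added example that is not part of the original messages or of FreeBSD's rc.subr. It uses the sh ulimit builtin in place of limits(1) so it runs on any system with ulimit -n; the function names and the values 64, 96, 128, 256 and 512 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (constructed): sample limits and hypothetical function names.
# All limit changes happen inside subshells, so the calling shell is untouched.

# Soft open-files limit a daemon sees when it is started from a caller whose
# own soft limit is $1: the "service XXX restart from a root login" case.
start_inherit() {
    ( ulimit -S -n "$1" && sh -c 'ulimit -S -n' )
}

# Same caller, but the daemon is started through a wrapper that first pins
# the soft limit to $2, the role "limits -C <class>" plays in the patch.
start_pinned() {
    ( ulimit -S -n "$1" &&
      sh -c 'ulimit -S -n "$1" && exec sh -c "ulimit -S -n"' pin "$2" )
}

# openfiles-cur versus openfiles-max: a soft limit cannot exceed the hard one.
# Returns non-zero because 512 is above the hard limit of 256 set just before.
raise_past_hard() {
    ( ulimit -n 256 && ulimit -S -n 512 ) 2>/dev/null
}

# Two callers with different soft limits start the same "daemon".
for caller in 64 128; do
    echo "caller=$caller inherit=$(start_inherit "$caller")" \
         "pinned=$(start_pinned "$caller" 96)"
done
raise_past_hard || echo "soft limit above the hard limit was refused"
```

Without the wrapper the daemon's limit tracks whichever shell started it; with the wrapper both callers end up with the same value.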