authorStephen Gallagher <sgallagh@redhat.com>2012-02-17 12:14:39 -0500
committerStephen Gallagher <sgallagh@redhat.com>2012-06-22 11:34:18 -0400
commit4d90a42f5c3aa2956393d0bf21c22416ba01e03e (patch)
tree814f7435cd5a0df32dbc377fba633e5c57bb2ca4
parent28ad2dd0b12e695cb5bd47a9d87db550ffff1067 (diff)
RESPONDERS: Make the fd_limit setting configurablesssd-1.5.1-54.elfsssd-1.5.1-54.el5
This code will now attempt first to see if it has privilege to set the value as specified, and if not it will fall back to the previous behavior. So on systems with the CAP_SYS_RESOURCE capability granted to SSSD, it will be able to ignore the limits.conf hard limit. https://fedorahosted.org/sssd/ticket/1197
-rw-r--r--src/confdb/confdb.h1
-rw-r--r--src/config/SSSDConfig.py1
-rwxr-xr-xsrc/config/SSSDConfigTest.py3
-rw-r--r--src/config/etc/sssd.api.conf1
-rw-r--r--src/man/sssd.conf.5.xml17
-rw-r--r--src/responder/common/responder_common.c19
-rw-r--r--src/responder/nss/nsssrv.c13
-rw-r--r--src/responder/pam/pamsrv.c13
8 files changed, 64 insertions, 4 deletions
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 4d6157612..06d4074ac 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -54,6 +54,7 @@
#define CONFDB_SERVICE_DEBUG_TO_FILES "debug_to_files"
#define CONFDB_SERVICE_TIMEOUT "timeout"
#define CONFDB_SERVICE_RECON_RETRIES "reconnection_retries"
+#define CONFDB_SERVICE_FD_LIMIT "fd_limit"
/* Monitor */
#define CONFDB_MONITOR_CONF_ENTRY "config/sssd"
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 3a5f0ee36..b78d8e766 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -42,6 +42,7 @@ option_strings = {
'timeout' : _('Ping timeout before restarting service'),
'command' : _('Command to start service'),
'reconnection_retries' : _('Number of times to attempt connection to Data Providers'),
+ 'fd_limit' : _('The number of file descriptors that may be opened by this responder'),
# [sssd]
'services' : _('SSSD Services to start'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index ebfd372e5..dede347fa 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -271,7 +271,8 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
'debug_timestamps',
'debug_to_files',
'command',
- 'reconnection_retries']
+ 'reconnection_retries',
+ 'fd_limit']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index a080ae12c..50c0a926e 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -8,6 +8,7 @@ debug_timestamps = bool, None, false
debug_to_files = bool, None, false
command = str, None, false
reconnection_retries = int, None, false
+fd_limit = int, None, false
[sssd]
# Monitor service
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index f5119433b..f112888e1 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -264,6 +264,23 @@
</listitem>
</varlistentry>
<varlistentry>
+ <term>fd_limit</term>
+ <listitem>
+ <para>
+ This option specifies the maximum number of file
+ descriptors that may be opened at one time by this
+ SSSD process. On systems where SSSD is granted the
+ CAP_SYS_RESOURCE capability, this will be an
+ absolute setting. On systems without this
+ capability, the resulting value will be the lower
+ value of this or the limits.conf "hard" limit.
+ </para>
+ <para>
+ Default: 8192 (or limits.conf "hard" limit)
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term>command (string)</term>
<listitem>
<para>
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
index 488e22a5a..e9c812975 100644
--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -727,7 +727,24 @@ void responder_set_fd_limit(rlim_t fd_limit)
struct rlimit current_limit, new_limit;
int limret;
- /* First determine the maximum hard limit */
+ /* First, let's see if we have permission to just set
+ * the value as-is.
+ */
+ new_limit.rlim_cur = fd_limit;
+ new_limit.rlim_max = fd_limit;
+ limret = setrlimit(RLIMIT_NOFILE, &new_limit);
+ if (limret == 0) {
+ DEBUG(4,
+ ("Maximum file descriptors set to [%d]\n",
+ new_limit.rlim_cur));
+ return;
+ }
+
+ /* We couldn't set the soft and hard limits to this
+ * value. Let's see how high we CAN set it.
+ */
+
+ /* Determine the maximum hard limit */
limret = getrlimit(RLIMIT_NOFILE, &current_limit);
if (limret == 0) {
DEBUG(7,
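Review bot: The success-path message added after the first `setrlimit()` call formats `new_limit.rlim_cur` with `%d`, but that field is `rlim_t`, an unsigned type that is wider than `int` on common 64-bit platforms, so the argument does not match the conversion. I would write it as `("Maximum file descriptors set to [%lu]\n", (unsigned long)new_limit.rlim_cur)`. The failed first attempt is also dropped without a trace; logging `errno` at that point would let an operator tell a missing CAP_SYS_RESOURCE apart from a rejected value. The body of responder_set_fd_limit continues past the end of this hunk, so the fallback path itself is not reviewed here.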
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
index cfc6c588f..fafd64edd 100644
--- a/src/responder/nss/nsssrv.c
+++ b/src/responder/nss/nsssrv.c
@@ -259,6 +259,7 @@ int nss_process_init(TALLOC_CTX *mem_ctx,
struct nss_ctx *nctx;
int ret, max_retries;
int hret;
+ int fd_limit;
nctx = talloc_zero(mem_ctx, struct nss_ctx);
if (!nctx) {
@@ -317,7 +318,17 @@ int nss_process_init(TALLOC_CTX *mem_ctx,
}
/* Set up file descriptor limits */
- responder_set_fd_limit(DEFAULT_NSS_FD_LIMIT);
+ ret = confdb_get_int(nctx->rctx->cdb, nctx->rctx,
+ CONFDB_NSS_CONF_ENTRY,
+ CONFDB_SERVICE_FD_LIMIT,
+ DEFAULT_NSS_FD_LIMIT,
+ &fd_limit);
+ if (ret != EOK) {
+ DEBUG(0,
+ ("Failed to set up file descriptor limit\n"));
+ return ret;
+ }
+ responder_set_fd_limit(fd_limit);
DEBUG(1, ("NSS Initialization complete\n"));
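Review bot: `fd_limit` is read as a plain `int` and handed to `responder_set_fd_limit()`, which takes `rlim_t`, without any range check. A zero in sssd.conf is accepted by the direct `setrlimit()` attempt in responder_common.c, since lowering a limit never needs privilege, and that would leave the responder unable to open any new descriptor; a negative value converts to a very large unsigned limit. A guard before the call such as `if (fd_limit <= 0) fd_limit = DEFAULT_NSS_FD_LIMIT;`, with a log line naming the rejected value, would keep a typo from taking the responder down. The same pattern is in the pam_process_init hunk in src/responder/pam/pamsrv.c, with `DEFAULT_PAM_FD_LIMIT`. nss_process_init starts and ends outside this hunk.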
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 1bed212ed..9f02e8f0f 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -111,6 +111,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
struct pam_ctx *pctx;
int ret, max_retries;
int id_timeout;
+ int fd_limit;
pctx = talloc_zero(mem_ctx, struct pam_ctx);
if (!pctx) {
@@ -177,7 +178,17 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
}
/* Set up file descriptor limits */
- responder_set_fd_limit(DEFAULT_PAM_FD_LIMIT);
+ ret = confdb_get_int(pctx->rctx->cdb, pctx->rctx,
+ CONFDB_PAM_CONF_ENTRY,
+ CONFDB_SERVICE_FD_LIMIT,
+ DEFAULT_PAM_FD_LIMIT,
+ &fd_limit);
+ if (ret != EOK) {
+ DEBUG(0,
+ ("Failed to set up file descriptor limit\n"));
+ return ret;
+ }
+ responder_set_fd_limit(fd_limit);
ret = EOK;