RESPONDERS: Make the fd_limit setting configurable

This code will now attempt first to see if it has privilege to set the value as specified, and if not it will fall back to the previous behavior. So on systems with the CAP_SYS_RESOURCE capability granted to SSSD, it will be able to ignore the limits.conf hard limit. https://fedorahosted.org/sssd/ticket/1197 Conflicts: src/config/SSSDConfig.py src/config/SSSDConfigTest.py src/config/etc/sssd.api.conf
author: Stephen Gallagher <sgallagh@redhat.com> 2012-02-17 12:14:39 -0500
committer: Stephen Gallagher <sgallagh@redhat.com> 2012-06-22 15:37:42 -0400
commit: dd60af1ca6f5887f12ff50532e2fde5f16c9d55b (patch)
tree: db6a93b5abc53dad733174eaf188ada0cbc010d2
parent: 41fbb0ef19bc4e6d336585a7d6ade968700ebd04 (diff)
download: sssd-dd60af1ca6f5887f12ff50532e2fde5f16c9d55b.tar.gz
sssd-dd60af1ca6f5887f12ff50532e2fde5f16c9d55b.tar.xz
sssd-dd60af1ca6f5887f12ff50532e2fde5f16c9d55b.zip
8 files changed, 64 insertions, 4 deletions
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 985ffe06b..6c1745aad 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -54,6 +54,7 @@
 #define CONFDB_SERVICE_DEBUG_TO_FILES "debug_to_files"
 #define CONFDB_SERVICE_TIMEOUT "timeout"
 #define CONFDB_SERVICE_RECON_RETRIES "reconnection_retries"
+#define CONFDB_SERVICE_FD_LIMIT "fd_limit"
 
 /* Monitor */
 #define CONFDB_MONITOR_CONF_ENTRY "config/sssd"
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index df22d16d0..a20ac972d 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -43,6 +43,7 @@ option_strings = {
     'command' : _('Command to start service'),
     'reconnection_retries' : _('Number of times to attempt connection to Data Providers'),
     'client_idle_timeout' : _('Idle time before automatic disconnection of a client'),
+    'fd_limit' : _('The number of file descriptors that may be opened by this responder'),
 
     # [sssd]
     'services' : _('SSSD Services to start'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 71397409b..54012b712 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -272,7 +272,8 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
             'debug_to_files',
             'command',
             'reconnection_retries',
-            'client_idle_timeout']
+            'client_idle_timeout',
+            'fd_limit']
 
         self.assertTrue(type(options) == dict,
                         "Options should be a dictionary")
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index f952673a7..f4b0bbaf0 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -9,6 +9,7 @@ debug_to_files = bool, None, false
 command = str, None, false
 reconnection_retries = int, None, false
 client_idle_timeout = int, None, false
+fd_limit = int, None, false
 
 [sssd]
 # Monitor service
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 3d470d709..648dc7ff3 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -264,6 +264,23 @@
                     </listitem>
                 </varlistentry>
                 <varlistentry>
+                    <term>fd_limit</term>
+                    <listitem>
+                        <para>
+                            This option specifies the maximum number of file
+                            descriptors that may be opened at one time by this
+                            SSSD process. On systems where SSSD is granted the
+                            CAP_SYS_RESOURCE capability, this will be an
+                            absolute setting. On systems without this
+                            capability, the resulting value will be the lower
+                            value of this or the limits.conf "hard" limit.
+                        </para>
+                        <para>
+                            Default: 8192 (or limits.conf "hard" limit)
+                        </para>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
                     <term>command (string)</term>
                     <listitem>
                         <para>
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
index 31c2cedc0..bc6f02ae1 100644
--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -791,7 +791,24 @@ void responder_set_fd_limit(rlim_t fd_limit)
     struct rlimit current_limit, new_limit;
     int limret;
 
-    /* First determine the maximum hard limit */
+    /* First, let's see if we have permission to just set
+     * the value as-is.
+     */
+    new_limit.rlim_cur = fd_limit;
+    new_limit.rlim_max = fd_limit;
+    limret = setrlimit(RLIMIT_NOFILE, &new_limit);
+    if (limret == 0) {
+        DEBUG(4,
+              ("Maximum file descriptors set to [%d]\n",
+               new_limit.rlim_cur));
+        return;
+    }
+
+    /* We couldn't set the soft and hard limits to this
+     * value. Let's see how high we CAN set it.
+     */
+
+    /* Determine the maximum hard limit */
     limret = getrlimit(RLIMIT_NOFILE, &current_limit);
     if (limret == 0) {
         DEBUG(7,
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
index cfc6c588f..fafd64edd 100644
--- a/src/responder/nss/nsssrv.c
+++ b/src/responder/nss/nsssrv.c
@@ -259,6 +259,7 @@ int nss_process_init(TALLOC_CTX *mem_ctx,
     struct nss_ctx *nctx;
     int ret, max_retries;
     int hret;
+    int fd_limit;
 
     nctx = talloc_zero(mem_ctx, struct nss_ctx);
     if (!nctx) {
@@ -317,7 +318,17 @@ int nss_process_init(TALLOC_CTX *mem_ctx,
     }
 
     /* Set up file descriptor limits */
-    responder_set_fd_limit(DEFAULT_NSS_FD_LIMIT);
+    ret = confdb_get_int(nctx->rctx->cdb, nctx->rctx,
+                         CONFDB_NSS_CONF_ENTRY,
+                         CONFDB_SERVICE_FD_LIMIT,
+                         DEFAULT_NSS_FD_LIMIT,
+                         &fd_limit);
+    if (ret != EOK) {
+        DEBUG(0,
+              ("Failed to set up file descriptor limit\n"));
+        return ret;
+    }
+    responder_set_fd_limit(fd_limit);
 
     DEBUG(1, ("NSS Initialization complete\n"));
 
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 1bed212ed..9f02e8f0f 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -111,6 +111,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
     struct pam_ctx *pctx;
     int ret, max_retries;
     int id_timeout;
+    int fd_limit;
 
     pctx = talloc_zero(mem_ctx, struct pam_ctx);
     if (!pctx) {
@@ -177,7 +178,17 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
     }
 
     /* Set up file descriptor limits */
-    responder_set_fd_limit(DEFAULT_PAM_FD_LIMIT);
+    ret = confdb_get_int(pctx->rctx->cdb, pctx->rctx,
+                         CONFDB_PAM_CONF_ENTRY,
+                         CONFDB_SERVICE_FD_LIMIT,
+                         DEFAULT_PAM_FD_LIMIT,
+                         &fd_limit);
+    if (ret != EOK) {
+        DEBUG(0,
+              ("Failed to set up file descriptor limit\n"));
+        return ret;
+    }
+    responder_set_fd_limit(fd_limit);
 
     ret = EOK;
author	Stephen Gallagher <sgallagh@redhat.com>	2012-02-17 12:14:39 -0500
committer	Stephen Gallagher <sgallagh@redhat.com>	2012-06-22 15:37:42 -0400
commit	dd60af1ca6f5887f12ff50532e2fde5f16c9d55b (patch)
tree	db6a93b5abc53dad733174eaf188ada0cbc010d2
parent	41fbb0ef19bc4e6d336585a7d6ade968700ebd04 (diff)
download	sssd-dd60af1ca6f5887f12ff50532e2fde5f16c9d55b.tar.gz sssd-dd60af1ca6f5887f12ff50532e2fde5f16c9d55b.tar.xz sssd-dd60af1ca6f5887f12ff50532e2fde5f16c9d55b.zip