-rw-r--r--src/confdb/confdb.h1
-rw-r--r--src/config/SSSDConfig.py1
-rwxr-xr-xsrc/config/SSSDConfigTest.py3
-rw-r--r--src/config/etc/sssd.api.conf1
-rw-r--r--src/man/sssd.conf.5.xml17
-rw-r--r--src/responder/common/responder_common.c19
-rw-r--r--src/responder/nss/nsssrv.c13
-rw-r--r--src/responder/pam/pamsrv.c13
8 files changed, 64 insertions, 4 deletions
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 4d6157612..06d4074ac 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -54,6 +54,7 @@
#define CONFDB_SERVICE_DEBUG_TO_FILES "debug_to_files"
#define CONFDB_SERVICE_TIMEOUT "timeout"
#define CONFDB_SERVICE_RECON_RETRIES "reconnection_retries"
+#define CONFDB_SERVICE_FD_LIMIT "fd_limit"
/* Monitor */
#define CONFDB_MONITOR_CONF_ENTRY "config/sssd"
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 3a5f0ee36..b78d8e766 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -42,6 +42,7 @@ option_strings = {
'timeout' : _('Ping timeout before restarting service'),
'command' : _('Command to start service'),
'reconnection_retries' : _('Number of times to attempt connection to Data Providers'),
+ 'fd_limit' : _('The number of file descriptors that may be opened by this responder'),
# [sssd]
'services' : _('SSSD Services to start'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index ebfd372e5..dede347fa 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -271,7 +271,8 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
'debug_timestamps',
'debug_to_files',
'command',
- 'reconnection_retries']
+ 'reconnection_retries',
+ 'fd_limit']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index a080ae12c..50c0a926e 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -8,6 +8,7 @@ debug_timestamps = bool, None, false
debug_to_files = bool, None, false
command = str, None, false
reconnection_retries = int, None, false
+fd_limit = int, None, false
[sssd]
# Monitor service
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index f5119433b..f112888e1 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -264,6 +264,23 @@
</listitem>
</varlistentry>
<varlistentry>
+ <term>fd_limit</term>
+ <listitem>
+ <para>
+ This option specifies the maximum number of file
+ descriptors that may be opened at one time by this
+ SSSD process. On systems where SSSD is granted the
+ CAP_SYS_RESOURCE capability, this will be an
+ absolute setting. On systems without this
+ capability, the resulting value will be the lower
+ value of this or the limits.conf "hard" limit.
+ </para>
+ <para>
+ Default: 8192 (or limits.conf "hard" limit)
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term>command (string)</term>
<listitem>
<para>
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
index 488e22a5a..e9c812975 100644
--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -727,7 +727,24 @@ void responder_set_fd_limit(rlim_t fd_limit)
struct rlimit current_limit, new_limit;
int limret;
- /* First determine the maximum hard limit */
+ /* First, let's see if we have permission to just set
+ * the value as-is.
+ */
+ new_limit.rlim_cur = fd_limit;
+ new_limit.rlim_max = fd_limit;
+ limret = setrlimit(RLIMIT_NOFILE, &new_limit);
+ if (limret == 0) {
+ DEBUG(4,
+ ("Maximum file descriptors set to [%d]\n",
+ new_limit.rlim_cur));
+ return;
+ }
+
+ /* We couldn't set the soft and hard limits to this
+ * value. Let's see how high we CAN set it.
+ */
+
+ /* Determine the maximum hard limit */
limret = getrlimit(RLIMIT_NOFILE, &current_limit);
if (limret == 0) {
DEBUG(7,
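Review bot: The new success message prints `new_limit.rlim_cur` with `%d`, but that field is an `rlim_t`, which is an unsigned type and commonly wider than `int`, so the varargs mismatch can log a wrong value or misread the argument list. Cast explicitly, e.g. `("Maximum file descriptors set to [%lu]\n", (unsigned long)new_limit.rlim_cur));`. When the first `setrlimit()` fails, the code falls through without recording why; logging `errno` there would let an operator tell a permission failure from an invalid value when checking which limit the responder actually ended up with. The body of responder_set_fd_limit continues past the end of this hunk.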
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
index cfc6c588f..fafd64edd 100644
--- a/src/responder/nss/nsssrv.c
+++ b/src/responder/nss/nsssrv.c
@@ -259,6 +259,7 @@ int nss_process_init(TALLOC_CTX *mem_ctx,
struct nss_ctx *nctx;
int ret, max_retries;
int hret;
+ int fd_limit;
nctx = talloc_zero(mem_ctx, struct nss_ctx);
if (!nctx) {
@@ -317,7 +318,17 @@ int nss_process_init(TALLOC_CTX *mem_ctx,
}
/* Set up file descriptor limits */
- responder_set_fd_limit(DEFAULT_NSS_FD_LIMIT);
+ ret = confdb_get_int(nctx->rctx->cdb, nctx->rctx,
+ CONFDB_NSS_CONF_ENTRY,
+ CONFDB_SERVICE_FD_LIMIT,
+ DEFAULT_NSS_FD_LIMIT,
+ &fd_limit);
+ if (ret != EOK) {
+ DEBUG(0,
+ ("Failed to set up file descriptor limit\n"));
+ return ret;
+ }
+ responder_set_fd_limit(fd_limit);
DEBUG(1, ("NSS Initialization complete\n"));
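Review bot: The `int fd_limit` read from confdb is passed straight to `responder_set_fd_limit()`, which takes an `rlim_t`, with no range check at `responder_set_fd_limit(fd_limit);`. A configured value of 0 or a negative number would convert to 0 or to a very large unsigned limit. Because the new code path in responder_common.c first tries to apply the value as both soft and hard limit, a value of 0 could presumably leave the responder unable to open any descriptor and so unable to serve NSS lookups. Reject such values before the call, e.g. `if (fd_limit <= 0) { DEBUG(0, ("Invalid fd_limit [%d]\n", fd_limit)); return EINVAL; }`, or fall back to `DEFAULT_NSS_FD_LIMIT`. The same unchecked call is added to pam_process_init in src/responder/pam/pamsrv.c, where the effect would be on authentication; both functions continue outside their hunks.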
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 1bed212ed..9f02e8f0f 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -111,6 +111,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
struct pam_ctx *pctx;
int ret, max_retries;
int id_timeout;
+ int fd_limit;
pctx = talloc_zero(mem_ctx, struct pam_ctx);
if (!pctx) {
@@ -177,7 +178,17 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
}
/* Set up file descriptor limits */
- responder_set_fd_limit(DEFAULT_PAM_FD_LIMIT);
+ ret = confdb_get_int(pctx->rctx->cdb, pctx->rctx,
+ CONFDB_PAM_CONF_ENTRY,
+ CONFDB_SERVICE_FD_LIMIT,
+ DEFAULT_PAM_FD_LIMIT,
+ &fd_limit);
+ if (ret != EOK) {
+ DEBUG(0,
+ ("Failed to set up file descriptor limit\n"));
+ return ret;
+ }
+ responder_set_fd_limit(fd_limit);
ret = EOK;